The DNS implementation must restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-34141	SRG-NET-000192-DNS-000118	SV-44594r1_rule		Medium

Description
When it comes to DoS attacks, most of the attention is paid to ensuring that systems and applications are not victims of these attacks. A DoS attack against the DNS infrastructure has the potential to cause a denial of service to all network users. As the DNS is a distributed backbone service of the Internet, numerous forms of attacks result in DoS, and they are still prevalent on the Internet today. Some potential DoS attacks against the DNS include malformed packet flood, spoofed source addresses, distributed DoS, and the DNS can be exploited to launch amplification attacks upon other systems. While it is true that those accountable for systems want to ensure they are not affected by a DoS attack, they also need to ensure their systems and applications are not used to launch such an attack against others. To that extent, a variety of technologies exist to limit the effects of DoS attacks, such as careful configuration of resolver and recursion functionality. DNS administrators must take the steps needed to ensure other systems and tools cannot use exploits to launch DoS attacks against other systems and networks. An example would be designing the DNS architecture to include mechanisms that throttle DNS traffic and resources so that users/other DNS servers are not able to generate unlimited DNS traffic via the application.

Description

When it comes to DoS attacks, most of the attention is paid to ensuring that systems and applications are not victims of these attacks. A DoS attack against the DNS infrastructure has the potential to cause a denial of service to all network users. As the DNS is a distributed backbone service of the Internet, numerous forms of attacks result in DoS, and they are still prevalent on the Internet today. Some potential DoS attacks against the DNS include malformed packet flood, spoofed source addresses, distributed DoS, and the DNS can be exploited to launch amplification attacks upon other systems. While it is true that those accountable for systems want to ensure they are not affected by a DoS attack, they also need to ensure their systems and applications are not used to launch such an attack against others. To that extent, a variety of technologies exist to limit the effects of DoS attacks, such as careful configuration of resolver and recursion functionality. DNS administrators must take the steps needed to ensure other systems and tools cannot use exploits to launch DoS attacks against other systems and networks. An example would be designing the DNS architecture to include mechanisms that throttle DNS traffic and resources so that users/other DNS servers are not able to generate unlimited DNS traffic via the application.

STIG	Date
Domain Name System (DNS) Security Requirements Guide	2012-10-24

Details

Check Text ( C-42101r1_chk )
Review the DNS implementation documentation and system settings to determine if the system restricts the ability of users or systems to launch Denial of Service (DoS) attacks against other information systems or networks from the server. If the DNS system is not configured to restrict this ability, this is a finding.

Fix Text (F-38051r1_fix)
Configure the DNS system to restrict the ability of users or other systems to launch Denial of Service (DoS) attacks against other information systems or networks from the server.