The DNS implementation must manage excess capacity bandwidth or other redundancy to limit the effects of information flooding types of denial of service attacks.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-34142 | SRG-NET-000193-DNS-000119 | SV-44595r1_rule | Medium |
| Description |
|---|
| A denial of service (DoS) attack against the DNS infrastructure has the potential to cause a DoS to all network users. As the DNS is a distributed backbone service of the Internet, various forms of amplification attacks resulting in DoS, while utilizing the DNS, are still prevalent on the Internet today. Some potential DoS flooding attacks against the DNS include malformed packet flood, spoofed source addresses, and distributed DoS. Without the DNS, users and systems would not have the ability to perform simple name to IP resolution. Configuring the DNS implementation to defend against cache poisoning, employing increased capacity and bandwidth, building redundancy into the DNS architecture, utilizing DNSSEC, limiting and securing recursive services, DNS black holes, etc., may reduce the susceptibility to some flooding types of DoS attacks. |
| STIG | Date |
|---|---|
| Domain Name System (DNS) Security Requirements Guide | 2012-10-24 |
Details
| Check Text ( C-42102r1_chk ) |
|---|
| Review the DNS implementation and configuration to determine if excess capacity and bandwidth are managed, and redundancy is built into the system to limit the effects of information flooding types of DoS attacks. If excess capacity and bandwidth are not managed or redundancy is not built into the architecture, this is a finding. |
| Fix Text (F-38052r1_fix) |
|---|
| Configure the DNS implementation to manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of DoS attacks. |