
The DNS implementation must protect the integrity of transmitted information.


Overview

Finding ID:  V-34157
Version:     SRG-NET-000207-DNS-000123
Rule ID:     SV-44610r1_rule
IA Controls: (none listed)
Severity:    Medium
Description
"DNS is a scalable, distributed system that is highly vulnerable to exposure, and the threats to its infrastructure are numerous. In order to thwart the threat of bogus and forged data in particular, the system must employ integrity validation of the responses received by clients. If the integrity of the DNS data is not maintained, a client may receive an invalid or forged response or may be misdirected to unauthorized locations without its knowledge. The use of a Transaction Signature (TSIG), which provides a signature and hash of a message, in conjunction with DNSSEC, which verifies the source of a message, can provide assurance of the integrity of the message. Implementation of DNSSEC requires multiple parts to assure integrity. Authoritative servers can provide DNSSEC information to clients, including recursive servers. Recursive servers can pass DNSSEC information from authoritative servers to clients. Ultimately, the DNS client must perform its own validation to ensure integrity."
STIG: Domain Name System (DNS) Security Requirements Guide
Date: 2012-10-24

Details

Check Text ( C-42117r1_chk )
Review the DNS vendor documentation and configuration to determine if integrity is maintained for transmitted information through the use of TSIG and DNSSEC. If integrity is not maintained, this is a finding.

Full compliance with this requirement depends on DoD-wide deployment of DNSSEC. Until full deployment is realized and DNSSEC is enabled, this requirement can be considered fulfilled by the use of TSIG alone.
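The following is an added example, not part of the SRG and not vendor code: a simplified audit of a BIND 9 named.conf for the two controls the check text names (a TSIG key with a strong HMAC algorithm guarding allow-transfer and allow-update, and dnssec-validation enabled), together with a reader for the ad flag in `dig +dnssec` output, which is the client-side evidence that a resolver validated the answer. The named.conf fragments, the key secret and the dig header lines are constructed samples; the regular expressions approximate BIND syntax rather than implementing its grammar; and the require_dnssec switch reflects the interim allowance for TSIG alone stated above.

```python
"""Simplified audit of a BIND 9 named.conf for the controls in the check text
above (TSIG on zone transfers/updates, DNSSEC validation), plus a reader for
the 'ad' flag in dig output. Added example, not STIG or ISC code; the regexes
approximate BIND syntax and every input below is a constructed sample."""
import re

# Constructed sample: unsigned transfers and updates, validation switched off.
WEAK_CONF = """
options {
    dnssec-validation no;
};
zone "example.mil" {
    type master;
    file "example.mil.zone";
    allow-transfer { 10.0.0.0/8; };
    allow-update { 10.0.1.5; };
};
"""

# Constructed sample: the corrected form. The secret is a placeholder string.
HARDENED_CONF = """
key "xfer-key" {
    algorithm hmac-sha256;
    secret "cGxhY2Vob2xkZXItbm90LWEtcmVhbC1rZXk=";
};
options {
    dnssec-validation auto;
};
zone "example.mil" {
    type master;
    file "example.mil.zone.signed";
    allow-transfer { key xfer-key; };
    allow-update { key xfer-key; };
};
"""

# Constructed header lines in the shape `dig +dnssec` prints (body omitted).
DIG_VALIDATED = ";; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1\n"
DIG_UNVALIDATED = ";; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1\n"

# TSIG algorithms accepted by this audit; hmac-md5 and hmac-sha1 are not.
STRONG_TSIG = {"hmac-sha256", "hmac-sha384", "hmac-sha512"}

def tsig_keys(conf):
    """Map each key "name" { ... }; statement to its lower-cased algorithm."""
    keys = {}
    for m in re.finditer(r'\bkey\s+"?([\w.-]+)"?\s*\{([^}]*)\}', conf):
        alg = re.search(r'algorithm\s+([\w-]+)\s*;', m.group(2))
        keys[m.group(1)] = alg.group(1).lower() if alg else None
    return keys

def dnssec_validation(conf):
    """Value of the dnssec-validation option, or None if it is not set."""
    m = re.search(r'dnssec-validation\s+(auto|yes|no)\s*;', conf)
    return m.group(1) if m else None

def zone_acls(conf):
    """Per zone: entries of allow-transfer / allow-update (None if absent).
    The zone regex tolerates one level of nested braces."""
    zones = {}
    for z in re.finditer(r'zone\s+"([^"]+)"\s*\{((?:[^{}]|\{[^{}]*\})*)\}', conf):
        acl = {}
        for directive in ("allow-transfer", "allow-update"):
            d = re.search(directive + r'\s*\{([^}]*)\}', z.group(2))
            acl[directive] = None if d is None else [
                e.strip() for e in d.group(1).split(";") if e.strip()]
        zones[z.group(1)] = acl
    return zones

def audit(conf, require_dnssec=True):
    """Return findings as strings; [] means the config passes this audit.
    require_dnssec=False applies the interim allowance for TSIG alone."""
    findings, keys = [], tsig_keys(conf)
    if not keys:
        findings.append("no TSIG key statement defined")
    for name, alg in keys.items():
        if alg not in STRONG_TSIG:
            findings.append(f"TSIG key {name} uses weak or missing algorithm {alg}")
    val = dnssec_validation(conf)
    if require_dnssec and val not in ("auto", "yes"):
        findings.append(f"dnssec-validation is {val!r}, expected auto or yes")
    for zone, acl in zone_acls(conf).items():
        for directive, entries in acl.items():
            if entries is None:
                if directive == "allow-transfer":  # absent: BIND default applies
                    findings.append(f"zone {zone}: allow-transfer not set")
                continue  # an absent allow-update defaults to deny
            for entry in entries:
                parts = entry.split(None, 1)
                if parts[0] != "key" or len(parts) < 2 or parts[1].strip('"') not in keys:
                    findings.append(f"zone {zone}: {directive} permits unsigned "
                                    f"requests from {entry}")
    return findings

def resolver_validated(dig_output):
    """True when the dig header carries the AD flag, i.e. the answering resolver
    validated the response. The flag only means something if the client reaches
    that resolver over a protected path or validates the response itself."""
    m = re.search(r';; flags:([^;]*);', dig_output)
    return m is not None and "ad" in m.group(1).split()
```

Calling audit(WEAK_CONF) reports the missing TSIG key, the disabled validation and the two address-based ACLs that accept unsigned transfer and update requests; audit(HARDENED_CONF) returns an empty list. The ad flag check is deliberately separate from the config audit: a resolver setting ad proves that the resolver validated, not that the client did, which is why the description insists the client ultimately validate for itself.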
Fix Text (F-38067r1_fix)
Configure the DNS implementation to protect the integrity of transmitted information.