The DNS implementation must employ cryptographic mechanisms to recognize changes to information during transmission unless otherwise protected by alternative physical measures.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-34158 | SRG-NET-000208-DNS-000124 | SV-44611r1_rule | Medium |
| Description |
|---|
| If unprotected data records obtained via a zone transfer are intercepted and altered by a man-in-the-middle attack, the DNS data may be compromised and the cache may be poisoned. DNS provides integrity through the use of TSIG and DNSSEC. The use of TSIG provides a signature and hash for each message transferred. If the message content is altered the hash will detect that changes have been made. DNSSEC provides a ""chain of trust"" for the source of each message which is used to verify the source of a message. Alternative physical protection measures include Protected Distribution Systems (PDS). PDS are used to transmit unencrypted classified NSI through an area of lesser classification or control. In as much as the classified NSI is unencrypted, the PDS must provide adequate electrical, electromagnetic, and physical safeguards to deter exploitation. Refer to NSTSSI No. 7003 for additional details on a PDS. |
| STIG | Date |
|---|---|
| Domain Name System (DNS) Security Requirements Guide | 2012-10-24 |
Details
| Check Text ( C-42118r1_chk ) |
|---|
| Review the DNS system configuration to determine if Transaction Signatures (TSIG) is used to provide integrity checks for transmitted data. If DNS does not utilize a Transaction Signature (TSIG) to protect the integrity of the zone transfer session and there are no alternative physical measures provided, this is a finding. |
| Fix Text (F-38068r2_fix) |
|---|
| Configure the DNS server to use Transaction Signatures (TSIG) to employ cryptographic mechanisms to recognize changes to information during transmission unless otherwise protected by alternative physical measures. |