The DNS implementation must protect the confidentiality of zone transfers.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-34160	SRG-NET-000210-DNS-000125	SV-44613r1_rule		Medium

Description
DNS provides integrity through the use of TSIG and DNSSEC, however, it does not provide confidentiality. Confidentiality of DNS data transfers, to include dynamic updates and zone transfers, must be obtained via an encrypted method, such as Transport Layer Security (TLS), SSL VPN, or IPSEC tunnel. Alternative physical protection measures include Protected Distribution Systems (PDS). PDS are used to transmit unencrypted classified NSI through an area of lesser classification or control. In as much as the classified NSI is unencrypted, the PDS must provide adequate electrical, electromagnetic, and physical safeguards to deter exploitation. Refer to NSTSSI No. 7003 for additional details on a PDS. Dynamic updates operate between clients and authoritative servers. The records that are updated with this mechanism are then made publicly available. Therefore, there is no need to encrypt dynamic updates to records.

Description

DNS provides integrity through the use of TSIG and DNSSEC, however, it does not provide confidentiality. Confidentiality of DNS data transfers, to include dynamic updates and zone transfers, must be obtained via an encrypted method, such as Transport Layer Security (TLS), SSL VPN, or IPSEC tunnel. Alternative physical protection measures include Protected Distribution Systems (PDS). PDS are used to transmit unencrypted classified NSI through an area of lesser classification or control. In as much as the classified NSI is unencrypted, the PDS must provide adequate electrical, electromagnetic, and physical safeguards to deter exploitation. Refer to NSTSSI No. 7003 for additional details on a PDS. Dynamic updates operate between clients and authoritative servers. The records that are updated with this mechanism are then made publicly available. Therefore, there is no need to encrypt dynamic updates to records.

STIG	Date
Domain Name System (DNS) Security Requirements Guide	2012-10-24

Details

Check Text ( C-42120r1_chk )
Review the DNS system configuration to determine if zone transfer data is encrypted. If zone transfers are not encrypted, this is a finding.

Fix Text (F-38070r1_fix)
Configure the DNS implementation to utilize cryptographic mechanisms, which may include TLS, SSL VPN, or IPSEC tunnels to encrypt zone transfers.