UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The DNS implementation must protect the confidentiality of zone transfers.


Overview

Finding ID Version Rule ID IA Controls Severity
V-34160 SRG-NET-000210-DNS-000125 SV-44613r1_rule Medium
Description
DNS provides integrity through the use of TSIG and DNSSEC, however, it does not provide confidentiality. Confidentiality of DNS data transfers, to include dynamic updates and zone transfers, must be obtained via an encrypted method, such as Transport Layer Security (TLS), SSL VPN, or IPSEC tunnel. Alternative physical protection measures include Protected Distribution Systems (PDS). PDS are used to transmit unencrypted classified NSI through an area of lesser classification or control. In as much as the classified NSI is unencrypted, the PDS must provide adequate electrical, electromagnetic, and physical safeguards to deter exploitation. Refer to NSTSSI No. 7003 for additional details on a PDS. Dynamic updates operate between clients and authoritative servers. The records that are updated with this mechanism are then made publicly available. Therefore, there is no need to encrypt dynamic updates to records.
STIG Date
Domain Name System (DNS) Security Requirements Guide 2012-10-24

Details

Check Text ( C-42120r1_chk )
Review the DNS system configuration to determine if zone transfer data is encrypted. If zone transfers are not encrypted, this is a finding.
Fix Text (F-38070r1_fix)
Configure the DNS implementation to utilize cryptographic mechanisms, which may include TLS, SSL VPN, or IPSEC tunnels to encrypt zone transfers.