The DNS implementation must employ cryptographic mechanisms to prevent unauthorized disclosure of information during transmission unless otherwise protected by alternative physical measures.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-34161	SRG-NET-000211-DNS-000126	SV-44614r1_rule		Medium

Description
Preventing the disclosure of transmitted information requires that applications take measures to employ some form of cryptographic mechanism in order to protect the information during transmission. This is usually achieved through the use of Transport Layer Security (TLS), SSL VPN, or IPSEC tunnel. Alternative physical protection measures include Protected Distribution Systems (PDS). PDS are used to transmit unencrypted classified NSI through an area of lesser classification or control. In as much as the classified NSI is unencrypted, the PDS must provide adequate electrical, electromagnetic, and physical safeguards to deter exploitation. Refer to NSTSSI No. 7003 for additional details on a PDS. DNS provides integrity through the use of TSIG and DNSSEC, however, it does not provide confidentiality. Confidentiality of DNS data transfers, to include dynamic updates and zone transfers, must be obtained via an encrypted method as mentioned above. If the unprotected data records obtained via a zone transfer are intercepted and altered by a man-in-the-middle attack, the DNS data may be compromised and the cache may be poisoned. Dynamic updates operate between clients and authoritative servers. The records that are updated with this mechanism are then made publicly available. Therefore, there is no need to encrypt dynamic updates to records. The DNS specification does not provide for encryption of query and response message content.

Description

Preventing the disclosure of transmitted information requires that applications take measures to employ some form of cryptographic mechanism in order to protect the information during transmission. This is usually achieved through the use of Transport Layer Security (TLS), SSL VPN, or IPSEC tunnel. Alternative physical protection measures include Protected Distribution Systems (PDS). PDS are used to transmit unencrypted classified NSI through an area of lesser classification or control. In as much as the classified NSI is unencrypted, the PDS must provide adequate electrical, electromagnetic, and physical safeguards to deter exploitation. Refer to NSTSSI No. 7003 for additional details on a PDS. DNS provides integrity through the use of TSIG and DNSSEC, however, it does not provide confidentiality. Confidentiality of DNS data transfers, to include dynamic updates and zone transfers, must be obtained via an encrypted method as mentioned above. If the unprotected data records obtained via a zone transfer are intercepted and altered by a man-in-the-middle attack, the DNS data may be compromised and the cache may be poisoned. Dynamic updates operate between clients and authoritative servers. The records that are updated with this mechanism are then made publicly available. Therefore, there is no need to encrypt dynamic updates to records. The DNS specification does not provide for encryption of query and response message content.

STIG	Date
Domain Name System (DNS) Security Requirements Guide	2012-10-24

Details

Check Text ( C-42121r1_chk )
Review the DNS system configuration to determine if zone transfer data is encrypted. If zone transfers are not encrypted, this is a finding.

Fix Text (F-38071r1_fix)
Configure the DNS implementation to utilize cryptographic mechanisms, which may include TLS, SSL VPN, or IPSEC tunnels to encrypt zone transfers.