The DNS implementation must provide notification of failed automated security tests.


Overview

Finding ID: V-34234
Version: SRG-NET-000269-DNS-000148
Rule ID: SV-44713r1_rule
IA Controls: (none listed)
Severity: Low
Description
Verifying security functionality is necessary to ensure the DNS implementation is behaving as expected and that the element's defenses are enabled. To scale the deployment of the verification process, the DNS systems must provide automated support for the management of distributed security testing. Without testing of the security controls across the architecture, the DNS infrastructure (e.g., the cache) could be compromised without the administrators' knowledge. Because DNS is itself a distributed system of components, security testing of the elements within the architecture is crucial to maintaining the integrity of the entire infrastructure. Upon detection of a failure of an automated security self-test, the DNS element must respond in accordance with organization-defined responses and alternative actions. Without taking any self-healing actions or notifying an administrator, the defense of the system and the network is potentially vulnerable and the risk goes unidentified.
STIG: Domain Name System (DNS) Security Requirements Guide
Date: 2012-10-24

Details

Check Text ( C-42218r1_chk )
Review the DNS implementation and vendor documentation to determine if the DNS is configured to provide notification of failed automated security tests. If the capability exists, and the DNS is not configured to provide notification of failed automated security tests, this is a finding.
Fix Text (F-38165r1_fix)
Configure the DNS implementation to provide notification of failed automated security tests.