The DNS implementation must generate error messages providing information necessary for corrective actions without revealing organization defined sensitive or potentially harmful information in error logs and administrative messages that could be exploited.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-34238	SRG-NET-000273-DNS-000151	SV-44717r1_rule		Medium

Description
Error messages generated by various elements within the DNS components and services can indicate a possible security violation or breach. The DNS system must be configured to recognize those error messages that can be a symptom of a compromise and to provide notification. DNS logs can be monitored for specific security related errors. Any error that can have a negative effect on DNS security should be quickly identified and forwarded to the appropriate personnel. If security-relevant error conditions are not identified by the DNS they may be overlooked by the personnel responsible for addressing them. DNS error messages can potentially provide a wealth of information to an attacker, such as providing a security flaw within the DNS implementation itself, allowing inadvertent access or exploitation of the resource records.

Description

Error messages generated by various elements within the DNS components and services can indicate a possible security violation or breach. The DNS system must be configured to recognize those error messages that can be a symptom of a compromise and to provide notification. DNS logs can be monitored for specific security related errors. Any error that can have a negative effect on DNS security should be quickly identified and forwarded to the appropriate personnel. If security-relevant error conditions are not identified by the DNS they may be overlooked by the personnel responsible for addressing them. DNS error messages can potentially provide a wealth of information to an attacker, such as providing a security flaw within the DNS implementation itself, allowing inadvertent access or exploitation of the resource records.

STIG	Date
Domain Name System (DNS) Security Requirements Guide	2012-10-24

Details

Check Text ( C-42222r1_chk )
Review the DNS configuration to verify errors do not contain information beyond what is needed for troubleshooting the issue. If error messages contain sensitive or potentially harmful information, this is a finding.

Fix Text (F-38169r1_fix)
Ensure the DNS implementation generates error messages providing information necessary for corrective actions without revealing organization defined sensitive or potentially harmful information in error logs and administrative messages that could be exploited.