
The DNS implementation must prohibit recursion on authoritative name servers.


Overview

Finding ID: V-34241
Version: SRG-NET-000276-DNS-000155
Rule ID: SV-44720r1_rule
IA Controls:
Severity: Medium
Description
A potential vulnerability of DNS is that an attacker can poison a name server's cache by sending queries that will cause the server to obtain host-to-IP address mappings from bogus name servers that respond with incorrect information. Once a name server has been poisoned, legitimate clients may be directed to non-existent hosts (which constitutes a denial of service) or, worse, hosts that masquerade as legitimate ones to obtain sensitive data or passwords. To guard against poisoning, name servers authoritative for .mil domains should be separated functionally from name servers that resolve queries on behalf of internal clients. Organizations may achieve this separation by dedicating machines to each function or, if possible, by running two instances of the name server software on the same machine; one for the authoritative function and the other for the resolving function. In this design, each name server process may be bound to a different IP address or network interface to implement the required segregation.
STIG: Domain Name System (DNS) Security Requirements Guide
Date: 2012-10-24

Details

Check Text (C-42225r1_chk)
Review the DNS server configuration to determine if recursion is being performed on an authoritative name server. If an authoritative name server also performs recursion, this is a finding.
Fix Text (F-38172r1_fix)
Ensure the DNS server is not defined as both authoritative and recursive.
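The check above can be automated for a BIND 9 named.conf. The following Python script is an added example, not part of the SRG; it embeds two constructed configuration fragments (an authoritative server for a hypothetical "example.mil" zone that also recurses, and the same server with recursion turned off) and flags the first as a finding. It assumes BIND 9 syntax and its default of recursion being enabled when no "recursion" statement is present.

```python
import re

# Constructed sample named.conf: authoritative for example.mil AND recursing (the finding).
WEAK_CONF = """
options { directory "/var/named"; recursion yes; };
zone "example.mil" { type master; file "example.mil.zone"; };
"""
# Constructed sample: the authoritative instance with recursion turned off.
FIXED_CONF = """
options { directory "/var/named"; recursion no; allow-recursion { none; }; };
zone "example.mil" { type master; file "example.mil.zone"; };
"""

def _strip_comments(conf: str) -> str:
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", conf)

def _options_block(conf: str) -> str:
    """Body of the top-level options { ... } block, or "" if there is none."""
    m = re.search(r"\boptions\s*\{", conf)
    if not m:
        return ""
    depth, start = 1, m.end()
    for i in range(start, len(conf)):
        depth += {"{": 1, "}": -1}.get(conf[i], 0)
        if depth == 0:
            return conf[start:i]
    return conf[start:]

def serves_authoritative_zones(conf: str) -> bool:
    """True if any zone is primary/master or secondary/slave; hint/forward zones do not count."""
    return re.search(r"\btype\s+(master|primary|slave|secondary)\s*;", _strip_comments(conf)) is not None

def recursion_enabled(conf: str) -> bool:
    """BIND 9 recurses by default when no 'recursion' statement is present (assumption:
    BIND 9 defaults), so a missing statement counts as enabled; allow-recursion { none; } disables it."""
    opts = _options_block(_strip_comments(conf))
    m = re.search(r"\brecursion\s+(yes|no)\s*;", opts)
    if m and m.group(1) == "no":
        return False
    return re.search(r"\ballow-recursion\s*\{\s*none\s*;\s*\}\s*;", opts) is None

def is_finding(conf: str) -> bool:
    """SRG-NET-000276-DNS-000155: an authoritative server that also performs recursion."""
    return serves_authoritative_zones(conf) and recursion_enabled(conf)

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(f"{name}: {'FINDING' if is_finding(conf) else 'compliant'}")
```

Note that a configuration with zones but no "recursion" statement at all is reported as a finding, since BIND's default is to recurse.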