UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The DNS implementation must verify each NS record in a zone file points to an active name server authoritative for the domain specified in that record.


Overview

Finding ID Version Rule ID IA Controls Severity
V-34244 SRG-NET-000276-DNS-000154 SV-44723r1_rule High
Description
Poorly constructed NS records pose a security risk because they create conditions under which an adversary might be able to provide the missing authoritative name services that are improperly specified in the zone file. The adversary could issue bogus responses to queries that clients would accept because they learned of the adversary's name server from a valid authoritative name server, one that need not be compromised for this attack to be successful. If DNSSEC is enabled for a server, the ability to verify a particular server which may attempt to update the DNS server actually exists. This is done through the use of NSEC3 records to provide an "authenticated denial of existence" for specific systems whose addresses indicate that they lie within a particular zone.
STIG Date
Domain Name System (DNS) Security Requirements Guide 2012-10-24

Details

Check Text ( C-42228r1_chk )
This is dependent on the DoD wide deployment of DNSSEC. Until full deployment is realized this vulnerability may be considered NA provided DNSSEC is NOT enabled on the DNS server.

Review the zone file's configuration and confirm that, if DNSSEC is enabled, "authenticated denial of existence" is used to verify active name servers for the domain. If this is not the case, this is a finding.
Fix Text (F-38175r1_fix)
Ensure all name servers existence is verified through the use of NSEC3 records.