
The DNS implementation must verify each NS record in a zone file points to an active name server authoritative for the domain specified in that record.


Overview

Finding ID: V-34244
Version: SRG-NET-000276-DNS-000154
Rule ID: SV-44723r1_rule
IA Controls: (not specified)
Severity: High
Description
Poorly constructed NS records pose a security risk because they create conditions under which an adversary might be able to provide the missing authoritative name services that are improperly specified in the zone file. The adversary could issue bogus responses to queries that clients would accept because they learned of the adversary's name server from a valid authoritative name server, one that need not be compromised for this attack to be successful. If DNSSEC is enabled for a server, the server has the ability to verify that a particular server which may attempt to update the DNS server actually exists. This is done through the use of NSEC3 records to provide an "authenticated denial of existence" for specific systems whose addresses indicate that they lie within a particular zone.
STIG: Domain Name System (DNS) Security Requirements Guide
Date: 2012-10-24

Details

Check Text (C-42228r1_chk)
This is dependent on the DoD-wide deployment of DNSSEC. Until full deployment is realized, this vulnerability may be considered NA provided DNSSEC is NOT enabled on the DNS server.

Review the zone file's configuration and confirm that, if DNSSEC is enabled, "authenticated denial of existence" is used to verify active name servers for the domain. If this is not the case, this is a finding.
Fix Text (F-38175r1_fix)
Ensure the existence of all name servers is verified through the use of NSEC3 records.
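As an added illustration of the check and fix above (not part of the STIG itself), the following Python audits a zone file: it reads the apex NS records, asks each listed server for the zone's SOA with recursion off and requires an authoritative answer, and flags a signed zone (DNSKEY present) that carries no NSEC3PARAM record. The zone text and server names are constructed, and the live probe assumes `dig` is on the path; pass your own callable as the second argument to audit offline.

```python
import subprocess
from typing import Callable, Dict, List, Tuple

# Constructed sample zone (not a real deployment): ns3 is listed as an NS but no such
# server answers, and the zone is signed (DNSKEY) but carries no NSEC3PARAM record.
SAMPLE_ZONE = """\
$ORIGIN example.mil.
@ IN SOA ns1.example.mil. hostmaster.example.mil. 2012102401 7200 900 1209600 3600
@ IN NS ns1.example.mil.
@ IN NS ns2.example.mil.
@ IN NS ns3.example.mil.
@ IN DNSKEY 257 3 8 AwEAAexampleKeyMaterialForIllustrationOnly=
"""

def parse_apex(zone_text: str) -> Tuple[str, Dict[str, List[str]]]:
    """Return (origin, {rrtype: [rdata, ...]}) for the records owned by the zone apex."""
    origin, apex = None, {}
    for raw in zone_text.splitlines():
        fields = raw.split(";")[0].split()        # drop comments, tokenize
        if not fields:
            continue
        if fields[0] == "$ORIGIN":
            origin = fields[1]
        elif fields[0][0] == "$" or fields[0] not in ("@", origin):
            continue                              # other directives or non-apex owners
        else:
            i = 1                                 # skip the optional TTL and class tokens
            while fields[i].isdigit() or fields[i].upper() in ("IN", "CH", "HS"):
                i += 1
            apex.setdefault(fields[i].upper(), []).append(" ".join(fields[i + 1:]))
    return origin, apex

def dig_probe(ns_name: str, zone: str) -> bool:
    """Live check (assumes `dig` is installed): ask the server for the zone SOA, no recursion, require AA."""
    try:
        out = subprocess.run(["dig", "@" + ns_name, zone, "SOA", "+norecurse", "+time=3"],
                             capture_output=True, text=True, timeout=10).stdout
    except (OSError, subprocess.TimeoutExpired):
        return False                              # unreachable: not an active server
    return "flags: qr aa" in out

def audit_zone(zone_text: str, is_authoritative: Callable[[str, str], bool] = dig_probe) -> List[str]:
    """Return the findings for a zone; an empty list means the zone passes the check."""
    origin, apex = parse_apex(zone_text)
    findings = [f"NS {ns} is not an active authoritative server for {origin}"
                for ns in apex.get("NS", []) if not is_authoritative(ns, origin)]
    if "DNSKEY" in apex and "NSEC3PARAM" not in apex:
        findings.append(f"{origin} is signed (DNSKEY present) but has no NSEC3PARAM record")
    return findings
```

Run `audit_zone(open("db.example").read())` against a real zone file to use the live probe; each returned string is one finding to record against this rule.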