UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The DNS implementation must perform data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources when requested by client systems.


Overview

Finding ID Version Rule ID IA Controls Severity
V-34259 SRG-NET-000302-DNS-000163 SV-44738r1_rule Low
Description
A recursive resolving or caching DNS server is an information system providing name/address resolution service for local clients. If data origin authentication and data integrity verification is not performed, the resultant response could be forged, it may have come from a poisoned cache, the packets could have been intercepted without the resolver's knowledge, or resource records could have been removed which would result in query failure or denial of service. Data integrity and data origin authentication must be performed to thwart these types of attacks. While TSIG provides authentication and integrity verification, the origin of a response can only be considered authoritative by using DNSSEC to utilize a "chain of trust".
STIG Date
Domain Name System (DNS) Security Requirements Guide 2012-10-24

Details

Check Text ( C-42243r1_chk )
This is dependent on the DoD wide deployment of DNSSEC. Until full deployment is realized this vulnerability may be considered NA provided DNSSEC is NOT enabled on the DNS server.

Review the DNS implementation to determine if data origin authentication and data integrity validation is performed on resolution responses the system receives from authoritative sources when requested by client systems.

This requirement is not applicable to authoritative servers.

If this is a recursive server and these mechanisms are not in place, this is a finding.
Fix Text (F-38190r1_fix)
Configure DNSSEC to implement data origin authentication and data integrity validation for resolution responses the system receives from authoritative sources when requested by client systems.