
The DNS implementation must perform data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources when requested by client systems.


Overview

Finding ID: V-34259
Version: SRG-NET-000302-DNS-000163
Rule ID: SV-44738r1_rule
IA Controls: (none listed)
Severity: Low
Description
A recursive resolving or caching DNS server is an information system providing name/address resolution service for local clients. If data origin authentication and data integrity verification are not performed, the response could be forged, it could have come from a poisoned cache, the packets could have been intercepted and altered without the resolver's knowledge, or resource records could have been removed, resulting in query failure or denial of service. Data integrity and data origin authentication must be performed to thwart these attacks. TSIG provides authentication and integrity verification only between two parties that share a key; the origin of a response can be considered authoritative only by using DNSSEC, which validates a "chain of trust" of signed keys from the root down to the responding zone.
STIG: Domain Name System (DNS) Security Requirements Guide
Date: 2012-10-24

Details

Check Text ( C-42243r1_chk )
This check depends on DoD-wide deployment of DNSSEC. Until full deployment is realized, this vulnerability may be considered Not Applicable (NA), provided DNSSEC is NOT enabled on the DNS server.

Review the DNS implementation to determine whether data origin authentication and data integrity validation are performed on resolution responses the system receives from authoritative sources when requested by client systems.

This requirement is not applicable to authoritative servers.

If this is a recursive server and these mechanisms are not in place, this is a finding.
Fix Text (F-38190r1_fix)
Configure DNSSEC to implement data origin authentication and data integrity validation for resolution responses the system receives from authoritative sources when requested by client systems.
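The fix above does not say what the configuration looks like. The following is an added example, not part of the STIG text, showing the weak and the corrected setting side by side for a BIND 9 recursive resolver (the directory path, client address range and ACL values are illustrative assumptions). An authoritative-only server (recursion no;) is out of scope for this requirement, as the check text states.

```conf
// Added example for this requirement; not part of the STIG or of BIND's own
// documentation. Paths and the client address range are assumptions.

// --- Weak: recursion on, validation off. Answers from authoritative servers
// --- are cached and handed to clients with no origin or integrity check
// --- (a finding on a recursive server).
options {
    directory "/var/named";            // assumed working directory
    recursion yes;
    allow-recursion { 10.0.0.0/8; };   // assumed local client range
    dnssec-validation no;
};

// --- Corrected: DNSSEC validation on. "auto" anchors validation to the
// --- built-in IANA root trust anchor and keeps it current via RFC 5011
// --- (managed-keys) rollover, so every answer is checked against the
// --- chain of trust before it is cached or returned to a client.
options {
    directory "/var/named";            // assumed working directory
    recursion yes;
    allow-recursion { 10.0.0.0/8; };   // assumed local client range
    dnssec-validation auto;
    // Older BIND 9 releases also required the following line; newer
    // releases have removed the option and will reject it:
    // dnssec-enable yes;
};
```

After reloading the service, query the resolver with `dig +dnssec` for a name in a signed zone and confirm that `ad` appears in the response flags; the resolver is only validating if that flag is set for a zone it did not authoritatively serve itself. A query for a zone whose signatures are deliberately broken must return SERVFAIL rather than an unvalidated answer; if it returns an answer, validation is not in effect and the finding stands.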