UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The DNS implementation must perform data origin authentication and data integrity verification on all resolution responses received whether or not local client systems explicitly request this service.


Overview

Finding ID Version Rule ID IA Controls Severity
V-34260 SRG-NET-000303-DNS-000164 SV-44739r1_rule Low
Description
A recursive resolving or caching DNS server is an information system providing name/address resolution service for local clients. If data origin authentication and data integrity verification is not performed, the resultant response could be forged, it may have come from a poisoned cache, the packets could have been intercepted without the resolver's knowledge, or resource records could have been removed which would result in query failure or denial of service. Data integrity and data origin authentication must be performed to thwart these types of attacks. The origin of a response can only be considered authoritative by using DNSSEC to utilize a "chain of trust".
STIG Date
Domain Name System (DNS) Security Requirements Guide 2012-10-24

Details

Check Text ( C-42244r1_chk )
This is dependent on the DoD wide deployment of DNSSEC. Until full deployment is realized this vulnerability may be considered NA provided DNSSEC is NOT enabled on the DNS server.

Review the DNS implementation to determine if data origin authentication and data integrity validation is performed on resolution responses. If these mechanisms are not in place, this is a finding.
Fix Text (F-38191r1_fix)
Configure DNSSEC to implement data origin authentication and data integrity validation for resolution responses.