
The DNS implementation must perform data origin authentication and data integrity verification on all resolution responses received whether or not local client systems explicitly request this service.


Overview

Finding ID: V-34260
Version: SRG-NET-000303-DNS-000164
Rule ID: SV-44739r1_rule
IA Controls: (none listed)
Severity: Low
Description
A recursive resolving or caching DNS server is an information system providing name/address resolution service for local clients. If data origin authentication and data integrity verification are not performed, the resulting response could be forged, it may have come from a poisoned cache, the packets could have been intercepted without the resolver's knowledge, or resource records could have been removed, resulting in query failure or denial of service. Data integrity and data origin authentication must be performed to thwart these types of attacks. The origin of a response can only be considered authoritative by using DNSSEC to establish a "chain of trust".
STIG: Domain Name System (DNS) Security Requirements Guide
Date: 2012-10-24

Details

Check Text ( C-42244r1_chk )
This is dependent on the DoD-wide deployment of DNSSEC. Until full deployment is realized, this vulnerability may be considered NA provided DNSSEC is NOT enabled on the DNS server.

Review the DNS implementation to determine if data origin authentication and data integrity validation are performed on resolution responses. If these mechanisms are not in place, this is a finding.
Fix Text (F-38191r1_fix)
Configure DNSSEC to implement data origin authentication and data integrity validation for resolution responses.
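The SRG above is product-agnostic and names no configuration directive. As an added example (not part of the STIG, its check text, or any vendor documentation), the POSIX shell functions below assume BIND 9 as the DNS implementation and audit a named.conf for the `dnssec-validation` option, which is the BIND setting that turns on validation of resolution responses: `auto` validates using BIND's built-in root trust anchor, `yes` validates only if a trust anchor has been configured separately, and `no` disables validation. The three sample configuration files are constructed here to exercise the check, including the common trap of a correct directive that is present only inside a comment.

```shell
#!/bin/sh
# Added example: audit a BIND 9 named.conf for the dnssec-validation setting.
# Assumes BIND as the DNS implementation (the STIG itself does not name one).
# Only line comments (// and #) are stripped; /* */ block comments are not
# handled, so a config using those should be reviewed by hand.

# Print the effective dnssec-validation value: auto, yes, no, "unset" if the
# directive is absent (the default then depends on the BIND version, so treat
# it as needing manual review), or "unreadable" if the file cannot be opened.
dnssec_validation_value() {
    conf="$1"
    [ -r "$conf" ] || { echo "unreadable"; return 1; }
    val=$(sed -e 's|//.*$||' -e 's|#.*$||' "$conf" \
          | sed -n -E 's/^[[:space:]]*dnssec-validation[[:space:]]+([A-Za-z]+)[[:space:]]*;.*/\1/p' \
          | tail -n 1)
    if [ -z "$val" ]; then echo "unset"; else echo "$val"; fi
}

# Return 0 when validation is enabled, 1 otherwise (a finding, or manual review).
check_dnssec_validation() {
    case "$(dnssec_validation_value "$1")" in
        auto) return 0 ;;   # validation on, built-in root trust anchor
        yes)  return 0 ;;   # validation on, but a trust anchor must be configured
        *)    return 1 ;;   # no, unset, or unreadable
    esac
}

# Constructed sample configurations (not taken from any real server).
write_sample_configs() {
    dir="$1"
    # Weak: recursive resolver with validation explicitly switched off.
    printf 'options {\n    recursion yes;\n    dnssec-validation no;\n};\n' > "$dir/weak.conf"
    # Fixed: validation enabled with the built-in root trust anchor.
    printf 'options {\n    recursion yes;\n    dnssec-validation auto;\n};\n' > "$dir/fixed.conf"
    # Trap: the correct directive appears only in a comment; the active one is "no".
    printf 'options {\n    // dnssec-validation auto;\n    dnssec-validation no;\n};\n' > "$dir/commented.conf"
}

# Demonstration run over the constructed samples.
demo_dir=$(mktemp -d)
write_sample_configs "$demo_dir"
for f in weak fixed commented; do
    if check_dnssec_validation "$demo_dir/$f.conf"; then status="pass"; else status="FINDING"; fi
    echo "$f.conf: dnssec-validation=$(dnssec_validation_value "$demo_dir/$f.conf") -> $status"
done
rm -rf "$demo_dir"
```

On a real server, run `check_dnssec_validation /etc/named.conf` (or wherever the BIND configuration lives); a non-zero exit corresponds to the finding in the check text, and an "unset" value should be confirmed against the running version's default rather than assumed either way.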