UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The DNS implementation must enforce a Discretionary Access Control (DAC) policy that includes or excludes access to the granularity of a single user.


Overview

Finding ID Version Rule ID IA Controls Severity
V-34264 SRG-NET-000307-DNS-000168 SV-44743r1_rule Medium
Description
DAC is based on the notion that individual users are owners of objects and , therefore, have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user controlled file permissions. The primary objective of DNS authentication and access control is the integrity of DNS records; only authorized personnel must be able create and modify resource records, and name servers should only accept updates from authoritative master servers for the relevant zones. Integrity is best assured through authentication and access control features within the name server software and the file system the name server resides on. In order to protect the zone files and configuration data, which should only be accessed by the name service or an administrator, access controls need to be implemented on all files. The owner of those files should have the ability to deny or allow access to those objects. Lack of a stringent access control policy places the DNS infrastructure at risk to malicious persons and attackers, in addition to potential denial of service to network resources. Including or excluding access, down to the granularity of a single user, means providing the capability to either allow or deny access to objects (e.g., files, folders) on a per single user basis. This is necessary to avoid a user having privileges beyond their scope of duties and allows the granularity to build tightened access controls to objects. If all users and objects had the same access levels, the DNS infrastructure could potentially be compromised if an attacker gained access to the system.
STIG Date
Domain Name System (DNS) Security Requirements Guide 2012-10-24

Details

Check Text ( C-42248r1_chk )
Review the DNS settings and configuration to determine if access controls are in place that are configurable to the single user level so users are able to assign and revoke rights to the objects and information that they own. If users cannot assign or revoke rights to the objects and information they own to groups, roles, or individual users, this is a finding.
Fix Text (F-38195r1_fix)
Configure the DNS settings to allow users to assign or revoke access rights to objects and information owned by the user. The ability to grant or revoke rights must include the ability to grant or revoke those rights down to the granularity of a single user.