
The DNS implementation must provide additional data origin and integrity artifacts along with the authoritative data the system returns in response to name/address resolution queries.


Overview

Finding ID: V-34269
Version: SRG-NET-000311-DNS-000172
Rule ID: SV-44748r1_rule
IA Controls: (none listed)
Severity: Low
Description
Most sources, and NIST in particular, identify the integrity of the DNS data returned in a response as the underlying concern behind the major threat of forged DNS responses or failures. The principle of DNSSEC is to mitigate this threat by providing data origin authentication, establishing trust in the source. This control enables remote clients to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service. The DNS security controls are consistent with, and referenced from, OMB Memorandum 08-23.
STIG: Domain Name System (DNS) Security Requirements Guide
Date: 2012-10-24

Details

Check Text (C-42253r1_chk)
This check depends on the DoD-wide deployment of DNSSEC. Until full deployment is realized, this vulnerability may be considered NA provided DNSSEC is NOT enabled on the DNS server.

Review the DNS implementation to determine whether DNSSEC is employed to provide origin authentication and integrity verification.

Compliance to this requirement depends on the type of server being checked.

If the system being reviewed is an authoritative server, it must be able to provide authenticable records (DS, RRSIG, etc.).

If the system is a recursive server, it must be able to pass DNSSEC data.

Once the DoD-wide deployment of DNSSEC is complete, if DNSSEC is not employed and configured according to the type of server, this is a finding.
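The two server-type checks above, as an added shell helper that is not part of the STIG or of any DISA tooling: it classifies captured `dig +dnssec` output as compliant or a finding for an authoritative or a recursive server. The server name, zone and record contents in the samples are constructed placeholders.

```shell
#!/bin/sh
# Added audit helper (not part of the STIG text). Classifies captured `dig +dnssec`
# output against the two cases in the Check Text: an authoritative server must
# return signed data (RRSIG alongside its records), a recursive server must pass
# DNSSEC data through (RRSIG relayed and the EDNS DO bit honoured).
# Real use:  dnssec_check authoritative "$(dig @ns1.example.test example.test SOA +dnssec)"
# Prints "compliant" or "finding". Server name and zone above are placeholders.

count() { printf '%s\n' "$2" | awk -v pat="$1" '$0 ~ pat {n++} END {print n+0}'; }

dnssec_check() {
  role="$1"; out="$2"
  # RRSIG records in the ANSWER section: the data is signed (or relayed intact).
  rrsig=$(printf '%s\n' "$out" | awk '/^;; ANSWER SECTION/{a=1;next} /^;;/{a=0}
                                      a && $4=="RRSIG"{n++} END{print n+0}')
  case "$role" in
    authoritative)
      # Authoritative answer (aa flag) that carries RRSIGs over its own data.
      # DS for a delegation is served by the parent zone and is checked there.
      aa=$(count '^;; flags:.* aa[ ;]' "$out")
      if [ "$aa" -gt 0 ] && [ "$rrsig" -gt 0 ]; then echo compliant; else echo finding; fi ;;
    recursive)
      # A recursive server must echo the DO bit and relay the signatures it received.
      do_bit=$(count '^; EDNS:.*flags: do' "$out")
      if [ "$do_bit" -gt 0 ] && [ "$rrsig" -gt 0 ]; then echo compliant; else echo finding; fi ;;
    *) echo "usage: dnssec_check authoritative|recursive <dig output>" >&2; return 2 ;;
  esac
}

# Constructed dig output (not real captures) for a stand-alone demonstration.
SIGNED_AUTH=';; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; ANSWER SECTION:
example.test.  3600  IN  SOA    ns1.example.test. hostmaster.example.test. 2024010101 7200 3600 1209600 3600
example.test.  3600  IN  RRSIG  SOA 8 2 3600 20240201000000 20240101000000 12345 example.test. c29tZXRoaW5n
;; Query time: 1 msec'
UNSIGNED_REC=';; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; ANSWER SECTION:
example.test.  3600  IN  SOA    ns1.example.test. hostmaster.example.test. 2024010101 7200 3600 1209600 3600
;; Query time: 1 msec'

echo "authoritative, signed:   $(dnssec_check authoritative "$SIGNED_AUTH")"   # compliant
echo "recursive, unsigned:     $(dnssec_check recursive "$UNSIGNED_REC")"      # finding
```

Run the real query against each server in scope and feed the output to the matching role; a recursive server that strips RRSIGs or drops the DO bit reports as a finding.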
Fix Text (F-38200r1_fix)
Employ DNSSEC to provide additional data origin and integrity artifacts along with the authoritative data the system returns in response to DNS name/address resolution queries.