UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The DNS implementation must implement non-discretionary access control policies over resources to protect the name server executables/daemons and service configuration files.


Overview

Finding ID Version Rule ID IA Controls Severity
V-34273 SRG-NET-000017-DNS-000016 SV-44752r1_rule Medium
Description
"Non-discretionary access control policies that may be implemented by organizations include Attribute-Based Access Control, Mandatory Access Control, and Originator Controlled Access Control. Non-discretionary access control policies may be employed by organizations in addition to the employment of discretionary access control policies. The primary objective of DNS authentication and access control is the integrity of DNS records; only authorized personnel must be able create and modify resource records, and name servers should only accept updates from authoritative master servers for the relevant zones. Integrity is best assured through authentication and access control features within the name server software, though firewalls also play a significant role in controlling DNS transactions on a network. In DNS there are numerous access control policies (e.g., identity-based policies, role-based policies, attribute-based policies) and access enforcement mechanisms (e.g., access control lists, access control matrices, cryptography) that are employed to control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, domains). Access controls provide protection to the data and resources of the DNS. Access control mechanisms must be in place to protect the name server configuration files and permissions on the name server configuration file must be limited to only the named daemon/executables or the administrator to prevent an adversary from obtaining or changing DNS data. DNS must enforce these non-discretionary access control policies over the name service daemon/executables and associated configuration files to ensure data protection and integrity of the DNS infrastructure. Non-discretionary access controls are employed at the name server configuration file and executable level to restrict and control access to the DNS infrastructure, thereby providing increased information security for the organization.
STIG Date
Domain Name System (DNS) Security Requirements Guide 2012-10-24

Details

Check Text ( C-42257r1_chk )
Review the DNS system configuration to determine if non-discretionary access controls are in place to enforce restrictions on the name server daemon or executables and configuration files associated with the DNS implementation. If non-discretionary access controls are not in place to protect the files, daemons or executables of the DNS server, this is a finding.
Fix Text (F-38204r1_fix)
Configure the DNS system to restrict, via non-discretionary access controls, access to the configuration files, executables and daemons associated with the DNS implementation.