The DNS implementation must be conformant to the IETF DNS specification.


Overview

Finding ID: V-34274
Version: SRG-NET-000276-DNS-000175
Rule ID: SV-44753r1_rule
IA Controls: (none listed)
Severity: Medium
Description
Any DNS implementation must be designed to conform to the Internet Engineering Task Force (IETF) specification. DoD utilizes many different DNS servers, and it is essential that the core capabilities of all of them are compatible. DNS servers that do not provide services compliant with the DNS RFCs may cause denial of service issues. Specific DNS implementations may have additional capabilities (e.g., Nominum's DNSAUTH protocol), but the server must be compliant with the IETF standard to ensure interoperability.
STIG: Domain Name System (DNS) Security Requirements Guide
Date: 2012-10-24

Details

Check Text (C-42258r1_chk)
Review the DNS implementation documentation to determine whether the DNS system has capabilities compliant with IETF RFC-1034 (Domain Names - Concepts and Facilities), RFC-1035 (Domain Names - Implementation and Specification), and subsequent RFCs. Systems using DNSSEC (DNS Security Extensions) should be compliant with RFC-4033 (DNS Security Introduction and Requirements), RFC-4024 (Resource Records for the DNS Security Extensions), RFC-4035 (Protocol Modifications for the DNS Security Extensions), RFC-5155 (DNS Security (DNSSEC) Hashed Authenticated Denial of Existence), and related RFCs.

A DNS implementation may also be found non-compliant by empirical analysis, i.e., by experimentally querying it and examining the answers. For example, a DNS implementation is not permitted to answer a query for the 'NS' resource record type with a CNAME reply.

If the implementation does not comply with the IETF DNS RFCs, this is a finding.
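The empirical check described above, written out as an added example that is not part of the STIG: a minimal RFC 1035 wire-format parser that reads a response's question and answer sections (including compression pointers) and flags an NS query that was answered with a CNAME for the queried name. The zone name example.test and the two response messages are constructed here for the demonstration; on a real server the same check would be run over a captured response to an NS query.

```python
import struct
NS, CNAME = 2, 5  # RR TYPE codes (RFC 1035 section 3.2.2)

def encode_name(name):
    # Wire-format a domain name as length-prefixed labels ending in a zero byte (RFC 1035 section 3.1).
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def decode_name(msg, off):
    # Decode the name at msg[off], following compression pointers (RFC 1035 section 4.1.4).
    labels, end = [], None
    while True:
        length, off = msg[off], off + 1
        if length & 0xC0 == 0xC0:  # top two bits set: two-byte pointer to an earlier name
            end = end or off + 1  # the in-place name ends right after the first pointer
            off = ((length & 0x3F) << 8) | msg[off]
            continue
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels) + ".", (off if end is None else end)

def parse_response(msg):
    # Return (qname, qtype, [(owner, rtype), ...]) for a single-question response.
    ancount = struct.unpack("!6H", msg[:12])[3]
    qname, off = decode_name(msg, 12)
    qtype, off = struct.unpack("!H", msg[off:off + 2])[0], off + 4  # skip QTYPE and QCLASS
    answers = []
    for _ in range(ancount):
        owner, off = decode_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen  # skip the fixed RR fields and RDATA
        answers.append((owner, rtype))
    return qname, qtype, answers

def ns_query_answered_with_cname(msg):
    qname, qtype, answers = parse_response(msg)
    return qtype == NS and any(o == qname and t == CNAME for o, t in answers)

def build_response(qname, qtype, rrs):
    # Constructed response (ID 0x1234, QR/RD/RA set); an owner equal to qname is sent as a pointer to offset 12.
    hdr = struct.pack("!6H", 0x1234, 0x8180, 1, len(rrs), 0, 0)
    body = encode_name(qname) + struct.pack("!HH", qtype, 1)
    for owner, rtype, rdata in rrs:
        owner_wire = b"\xc0\x0c" if owner == qname else encode_name(owner)
        body += owner_wire + struct.pack("!HHIH", rtype, 1, 3600, len(rdata)) + rdata
    return hdr + body
# Constructed samples: a compliant NS answer and a non-compliant CNAME answer to the same NS query.
COMPLIANT = build_response("example.test.", NS, [("example.test.", NS, encode_name("ns1.example.test."))])
NONCOMPLIANT = build_response("example.test.", NS, [("example.test.", CNAME, encode_name("other.test."))])
```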
Fix Text (F-38205r1_fix)
Ensure the DNS implementation is compliant with the IETF specifications for DNS.