UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The DNS implementation must be conformant to the IETF DNS specification.


Overview

Finding ID Version Rule ID IA Controls Severity
V-34274 SRG-NET-000276-DNS-000175 SV-44753r1_rule Medium
Description
Any DNS implementation must be designed to be able to conform to the Internet Engineering Task Force (IETF) specification. DoD utilizes many different DNS servers and it is essential that core capabilities of all are compatible. DNS servers that do not provide services compliant to the DNS RFCs may cause denial of service issues. Specific DNS implementations may have additional capabilities (i.e. Nominum's DNSAUTH protocol) but the server must be compliant to the IETF standard to ensure interoperability.
STIG Date
Domain Name System (DNS) Security Requirements Guide 2012-10-24

Details

Check Text ( C-42258r1_chk )
Review DNS implementation documentation to determine whether the DNS system has capabilities compliant to IETF RFC-1034 (Domain Names-Concepts and Facilities), RFC-1035 (Domain Names-Implementation and Specification), and subsequent RFCs. Systems using DNSSEC (DNS Security Extensions) should be compliant to RFC-4033 (DNS Security Introduction and Requirements), RFC-4024 (Resource Records for the DNS Security Extensions), RFC-4035 (Protocol Modifications for the DNS security Extensions), RFC-5155 (DNS Security (DNSSEC) Hashed Authenticated Denial of Existence) and related RFCs.

A DNS implementation may also be found non-compliant by empirical analysis, i.e., by experimentally querying and examine the answer. For example, a DNS implementation may not answer a query for the 'NS' resource record type with a CNAME reply.

If the implementation does not comply to the IETF DNS RFCs, this is a finding.
Fix Text (F-38205r1_fix)
Ensure the DNS implementation is compliant to the IETF specifications for DNS.