
The DNS server implementation must terminate all network connections associated with a communications session at the end of the session, whether successful or unsuccessful.


Overview

Finding ID:  SRG-APP-000190-DNS-000022
Version:     SRG-APP-000190-DNS-000022
Rule ID:     SRG-APP-000190-DNS-000022_rule
IA Controls:
Severity:    Medium
Description
Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level, or de-allocating networking assignments at the application level if multiple application sessions are using a single, operating system level network connection. This does not mean that the application terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.
STIG: Domain Name System (DNS) Security Requirements Guide
Date: 2014-07-11

Details

Check Text ( C-SRG-APP-000190-DNS-000022_chk )
Review the DNS system configuration and vendor documentation to verify the software is configured to close network connections after a session completes successfully as well as when a session fails to complete normally. If a zone transfer fails with an error, the network connection must be terminated at that point. Once a zone transfer completes successfully, the network connection must be terminated at that point.

If a dynamic update request is attempted from a client, and the client is not identified in the DNS configuration as allowed, the session should fail and the network connection must be terminated.

If the DNS software is not configured to terminate network connections following both successful and unsuccessful sessions, this is a finding.
Fix Text (F-SRG-APP-000190-DNS-000022_fix)
Configure the DNS system to terminate communication sessions when the transaction has ended, after both successful and unsuccessful zone transfer/dynamic update requests.
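As an illustration of the fix on a BIND 9 server (added here; not text from the SRG), the following named.conf excerpts show a permissive zone beside a hardened one that makes unauthorized transfers and updates fail and bounds how long a TCP session or zone transfer may stay open. The zone name, file name, key names, secret placeholder and timeout values are assumptions; tcp-idle-timeout requires BIND 9.12 or later.

```conf
// Added example: hypothetical named.conf excerpts, not text from the SRG.
// Zone name, key names, file name and timeout values are assumptions.

// --- Weak (before): any client may attempt transfers or updates, and TCP
// --- sessions and transfers are left at BIND's defaults (tcp-idle-timeout
// --- 30 s, max-transfer-idle-out 60 min, max-transfer-time-out 120 min).
zone "example.test" {
    type master;
    file "db.example.test";
    allow-transfer { any; };
    allow-update   { any; };
};

// --- Hardened (after): unauthorized requests are refused, and every session
// --- has a bounded lifetime so resources are released when the transaction
// --- ends or stalls.
key "xfer-key"   { algorithm hmac-sha256; secret "<BASE64-SECRET-PLACEHOLDER>"; };
key "update-key" { algorithm hmac-sha256; secret "<BASE64-SECRET-PLACEHOLDER>"; };

options {
    directory "/var/named";
    tcp-clients 100;            // cap concurrent TCP sessions
    // Close a TCP connection that sits idle after its last response.
    // Units are 100 ms (BIND 9.12+): 100 = 10 seconds instead of the default 30.
    tcp-idle-timeout 100;
    // Abort outbound zone transfers that stall or run too long (minutes), so a
    // failed or hung AXFR/IXFR does not keep its connection open.
    max-transfer-idle-out 5;
    max-transfer-time-out 30;
    // Same limits for transfers this server pulls in as a secondary.
    max-transfer-idle-in  5;
    max-transfer-time-in  30;
};

zone "example.test" {
    type master;
    file "db.example.test";
    allow-transfer { key xfer-key; };    // only TSIG-signed secondaries may transfer
    allow-update   { key update-key; };  // unsigned or unknown update sources get REFUSED
};
```

Verify the loaded configuration with named-checkconf and confirm in the server log that refused transfers and updates are recorded with the requesting client address.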