UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The DNS implementation must disable use of nonsecure protocols.


Overview

Finding ID Version Rule ID IA Controls Severity
SRG-APP-000383-DNS-000046 SRG-APP-000383-DNS-000046 SRG-APP-000383-DNS-000046_rule Medium
Description
In this context an unsecure protocol is one that has not been evaluated and accepted for use as per the Ports, Protocols, and Services Category Assignments List (CAL) from DISA (PPSM). Disabling the use of nonsecure protocols is essential to protect the DNS implementation and architecture. If a nonsecure protocol is used, it could potentially provide an exploitable path into the DNS infrastructure. As the DNS systems maintain a mapping of IP addresses to host names, this could provide valuable information to an attacker if accessed.
STIG Date
Domain Name System (DNS) Security Requirements Guide 2014-07-11

Details

Check Text ( C-SRG-APP-000383-DNS-000046_chk )
Review the DNS configuration to determine if services or capabilities are present on the system that are not required for operational or mission need.

DNS must be a dedicated service, i.e., it cannot coexist with any other network function, such as a firewall or DHCP service on the same platform.

If additional services or capabilities are present on the system, this is a finding.
Fix Text (F-SRG-APP-000383-DNS-000046_fix)
Configure the DNS system name server software to only utilize secure ports and protocols required for operation which have been accepted for use as per the Ports, Protocols, and Services Category Assignments List (CAL) from DISA (PPSM).