CNAME records must not point to a zone with lesser security for more than six months.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
SRG-APP-000516-DNS-000114	SRG-APP-000516-DNS-000114	SRG-APP-000516-DNS-000114_rule		Medium

Description
The use of CNAME records for exercises, tests or zone-spanning aliases should be temporary (e.g., to facilitate a migration). When a host name is an alias for a record in another zone, an adversary has two points of attack the zone in which the alias is defined and the zone authoritative for the aliases canonical name. This configuration also reduces the speed of client resolution because it requires a second lookup after obtaining the canonical name. Furthermore, in the case of an authoritative name server, this information is promulgated throughout the enterprise to caching servers and thus compounding the vulnerability.

Description

The use of CNAME records for exercises, tests or zone-spanning aliases should be temporary (e.g., to facilitate a migration). When a host name is an alias for a record in another zone, an adversary has two points of attack the zone in which the alias is defined and the zone authoritative for the aliases canonical name. This configuration also reduces the speed of client resolution because it requires a second lookup after obtaining the canonical name. Furthermore, in the case of an authoritative name server, this information is promulgated throughout the enterprise to caching servers and thus compounding the vulnerability.

STIG	Date
Domain Name System (DNS) Security Requirements Guide	2014-07-11

Details

Check Text ( C-SRG-APP-000516-DNS-000114_chk )
Review the DNS server's hosted zones and respective records. Within the zone statement will be a file option that will display the name of the zone file. The record type column will display CNAME. This is usually the third or fourth field in a record depending if the TTL value is utilized. Without a TTL value, the CNAME type will be in the third field, otherwise it will display as the fourth field. Review the zone files and the DNS zone record documentation to confirm that there are no CNAME records older than 6 months. The exceptions are glue records supporting zone delegations, CNAME records supporting a system migration, or CNAME records that point to third party Content Delivery Networks (CDN) or cloud computing platforms. In the case of third-party CDNs or cloud offerings, an approved mission need must be demonstrated. If there are zone-spanning CNAME records older than 6 months, and the CNAME records resolves to anything other than fully qualified domain name for glue records supporting zone delegations, CNAME records supporting a system migration, or CNAME records that point to third party Content Delivery Networks (CDN) or cloud computing platforms with a documented need, this is a finding.

Check Text ( C-SRG-APP-000516-DNS-000114_chk )

Review the DNS server's hosted zones and respective records. Within the zone statement will be a file option that will display the name of the zone file. The record type column will display CNAME. This is usually the third or fourth field in a record depending if the TTL value is utilized. Without a TTL value, the CNAME type will be in the third field, otherwise it will display as the fourth field.

Review the zone files and the DNS zone record documentation to confirm that there are no CNAME records older than 6 months.

The exceptions are glue records supporting zone delegations, CNAME records supporting a system migration, or CNAME records that point to third party Content Delivery Networks (CDN) or cloud computing platforms. In the case of third-party CDNs or cloud offerings, an approved mission need must be demonstrated.

If there are zone-spanning CNAME records older than 6 months, and the CNAME records resolves to anything other than fully qualified domain name for glue records supporting zone delegations, CNAME records supporting a system migration, or CNAME records that point to third party Content Delivery Networks (CDN) or cloud computing platforms with a documented need, this is a finding.

Fix Text (F-SRG-APP-000516-DNS-000114_fix)
Remove any zone-spanning CNAME records that have been active for more than six months.