UCF STIG Viewer Logo

The DNS server implementation must require devices to re-authenticate for each zone transfer and dynamic update request connection attempt.


Overview

Finding ID Version Rule ID IA Controls Severity
V-54857 SRG-APP-000390-DNS-000048 SV-69103r1_rule Medium
Description
Without re-authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. In addition to the re-authentication requirements associated with session locks, organizations may require re-authentication of devices, including, but not limited to, the following other situations: (i) When authenticators change; (ii) When roles change; (iii) When security categories of information systems change; (iv) After a fixed period of time; or (v) Periodically. DNS does perform server authentication when DNSSEC or TSIG/SIG(0) are used, but this authentication is transactional in nature (each transaction has its own authentication performed). So this requirement is applicable for every server-to-server transaction request.
STIG Date
Domain Name System (DNS) Security Requirements Guide 2015-01-05

Details

Check Text ( C-55481r1_chk )
Review the DNS server implementation configuration to determine if the DNS server requires devices to re-authenticate each time a zone transfer is initiated and each time a client makes a dynamic update request. If the DNS server does not require devices to re-authenticate each time a zone transfer is initiated and each time a client makes a dynamic update request, this is a finding. Note that the requirement should be inherently met if DNSSEC and TSIG/SIG(0) are enabled.
Fix Text (F-59717r1_fix)
Configure the DNS server to require devices to re-authenticate each time a zone transfer is initiated and each time a client makes a dynamic update request. Note that the requirement should be inherently met if DNSSEC and TSIG/SIG(0) are enabled.