UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The DNS implementation must ensure each NS record in a zone file points to an active name server authoritative for the domain specified in that record.


Overview

Finding ID Version Rule ID IA Controls Severity
V-205230 SRG-APP-000516-DNS-000085 SV-205230r879887_rule Medium
Description
Poorly constructed NS records pose a security risk because they create conditions under which an adversary might be able to provide the missing authoritative name services that are improperly specified in the zone file. The adversary could issue bogus responses to queries that clients would accept because they learned of the adversary's name server from a valid authoritative name server, one that need not be compromised for this attack to be successful. The list of slave servers must remain current within 72 hours of any changes to the zone architecture that would affect the list of slaves. If a slave server has been retired or is not operational but remains on the list, then an adversary might have a greater opportunity to impersonate that slave without detection, rather than if the slave were actually online. For example, the adversary may be able to spoof the retired slave's IP address without an IP address conflict, which would not be likely to occur if the true slave were active.
STIG Date
Domain Name System (DNS) Security Requirements Guide 2024-02-27

Details

Check Text ( C-5497r392603_chk )
Review the zone file's configuration and confirm that each NS record points to an active name server authoritative for the domain. If this is not the case, this is a finding.
Fix Text (F-5497r392604_fix)
Remove any NS record in a zone file that does not point to an active name server authoritative for the domain specified in that record.