The firewall implementation must inspect inbound and outbound DNS traffic for harmful content and protocol conformance.


Overview

Finding ID: V-37339
Version: SRG-NET-999999-FW-000169
Rule ID: SV-49100r1_rule
IA Controls: none listed
Severity: Medium
Description
Allowing traffic through the firewall without inspection creates a direct connection between the host in the private network and a host on the outside. This bypasses security measures and places the network and destination endpoint at a greater risk of exploitation.
STIG: Firewall Security Requirements Guide
Date: 2013-04-24

Details

Check Text ( C-45587r1_chk )
Review the firewall configuration and verify that both outbound and inbound traffic are inspected for the following:
- Protocol conformance, malformed packets, message length, and domain name integrity.
- Query ID and port randomization for DNS query traffic must be enabled.

If the firewall implementation does not inspect inbound and outbound DNS traffic for protocol conformance, this is a finding.
Fix Text (F-42264r1_fix)
Configure the firewall implementation with a DNS proxy. If the firewall implementation does not have proxy capability, configure the firewall to meet the minimum content, protocol, and flow control inspection as follows:
- Inspect for protocol conformance, malformed packets, message length, and domain name integrity.
- Enable query ID and port randomization for DNS query traffic.
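As an added example (not part of the STIG and not any vendor's firewall code), the Python below applies the first bullet's inspection rules to one DNS query message: wire-format conformance, malformed label and pointer handling, the 512-octet UDP message length limit, and domain name integrity under the letters-digits-hyphen hostname rule. Query ID and source port randomization are not checked here. The sample messages are constructed for the example.

```python
import struct

MAX_UDP_LEN, MAX_LABEL, MAX_NAME = 512, 63, 255   # RFC 1035 limits (no EDNS0)

def parse_name(msg: bytes, off: int) -> tuple[str, int]:
    """Decode the name at `off`; return (name, offset after it) or raise ValueError."""
    labels, total, end = [], 0, None
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                          # compression pointer (2 octets)
            ptr = ((ln & 0x3F) << 8) | msg[off + 1] if off + 1 < len(msg) else off
            if ptr >= off:                             # forward, self or truncated: never terminates
                raise ValueError("bad compression pointer")
            end, off = (off + 2 if end is None else end), ptr
            continue
        if ln & 0xC0 or ln > MAX_LABEL:
            raise ValueError("reserved label type or label longer than 63 octets")
        off += 1
        if ln == 0:
            break
        total += ln + 1
        if total + 1 > MAX_NAME or off + ln > len(msg):
            raise ValueError("name longer than 255 octets or truncated label")
        label = msg[off:off + ln].decode("ascii", "replace")
        if label.strip("-") != label or not label.replace("-", "").isalnum():   # LDH hostname rule
            raise ValueError(f"label {label!r} violates letters-digits-hyphen rule")
        labels.append(label)
        off += ln
    return ".".join(labels), end if end is not None else off

def check_query(msg: bytes) -> list[str]:
    """Return the conformance problems found in one DNS query; an empty list means clean."""
    problems = [f"length {len(msg)} exceeds 512-octet UDP limit"] if len(msg) > MAX_UDP_LEN else []
    try:
        _, flags, qdcount, *_ = struct.unpack("!6H", msg[:12])   # struct.error if header < 12 octets
        off = 12
        for _ in range(qdcount):
            _, off = parse_name(msg, off)
            off += 4                                   # QTYPE + QCLASS
        if flags & 0x8000 or qdcount != 1 or off > len(msg):
            raise ValueError("QR bit set, QDCOUNT != 1, or question section truncated")
    except (ValueError, struct.error) as e:
        problems.append(str(e))
    return problems

# Constructed samples: a clean A query for www.example.com, and one with a 70-octet label.
GOOD = bytes.fromhex("1a2b01000001000000000000") + b"\x03www\x07example\x03com\x00\x00\x01\x00\x01"
BAD_LABEL = GOOD[:12] + b"\x46" + b"a" * 70 + b"\x03com\x00\x00\x01\x00\x01"
```

The letters-digits-hyphen rule is the hostname convention; names that legitimately start with an underscore (SRV or DKIM labels) would need an explicit allowance before this check is used as a drop rule.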