
CNAME records must not point to a zone with lesser security for more than six months.


Overview

Finding ID: V-68633
Version: IDNS-7X-000940
Rule ID: SV-83123r1_rule
IA Controls:
Severity: Medium
Description
The use of CNAME records for exercises, tests, or zone-spanning aliases should be temporary (e.g., to facilitate a migration). When a host name is an alias for a record in another zone, an adversary has two points of attack: the zone in which the alias is defined and the zone authoritative for the alias's canonical name. This configuration also reduces the speed of client resolution because it requires a second look-up after obtaining the canonical name. Furthermore, in the case of an authoritative name server, this information is promulgated throughout the enterprise to caching servers and thus compounds the vulnerability.
STIG: Infoblox 7.x DNS Security Technical Implementation Guide
Date: 2017-04-05

Details

Check Text (C-69169r1_chk)
Infoblox DNS records the creation date of every resource record, including CNAME records, and attaches the timestamp to the CNAME object. Infoblox can also record the date when a record was last used or queried. The administrator can remove CNAME records when they reach their 6-month maturity date.

Navigate to Grid Manager >> Administration >> Logs >> Audit Log >> Filter >> Object Type=CNAME Record, + Action=CREATED, + TimeStamp=Before=6months Ago

If CNAME records have not been removed when they reach their 6-month maturity date, this is a finding.
Fix Text (F-74751r1_fix)
Navigate to Grid Manager >> Administration >> Logs >> Audit Log >> Filter >> Object Type=CNAME Record, + Action=CREATED, + TimeStamp=Before=6months Ago

Remove any zone-spanning CNAME records that have been active for more than six months.
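
An added example, not part of the STIG or of Infoblox's tooling: the audit-log filter above selects CNAME records by age only, so this Python script also tests whether each aged record's canonical name sits in a different zone than the alias, which is what the fix text asks to remove. The CSV column names, the zone list, the sample records and the 183-day approximation of six months are assumptions constructed for illustration.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(days=183)  # assumption: "six months" approximated as 183 days

# Constructed sample data: zones this grid is authoritative for, and a CSV
# export of CNAME records (column names are hypothetical).
ZONES = ["example.com", "lab.example.com", "partner.example.org"]
SAMPLE_CSV = """name,canonical,created
www.example.com,web01.example.com,2016-01-10T00:00:00Z
test.example.com,host7.lab.example.com,2016-02-01T00:00:00Z
portal.example.com,app.partner.example.org,2017-03-01T00:00:00Z
cdn.example.com,edge.cdn.example.net,2016-05-20T00:00:00Z
"""


def zone_of(fqdn, zones):
    """Return the most specific known zone containing fqdn, or None if external."""
    labels = fqdn.rstrip(".").lower().split(".")
    known = {z.rstrip(".").lower() for z in zones}
    # Walk from the full name toward the root so a child zone wins over its parent.
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in known:
            return candidate
    return None


def stale_zone_spanning(csv_text, zones, now):
    """Return CNAMEs whose target is in another zone and that are older than MAX_AGE."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        created = datetime.strptime(row["created"], "%Y-%m-%dT%H:%M:%SZ")
        created = created.replace(tzinfo=timezone.utc)
        alias_zone = zone_of(row["name"], zones)
        target_zone = zone_of(row["canonical"], zones)
        if alias_zone != target_zone and now - created > MAX_AGE:
            findings.append((row["name"], row["canonical"], target_zone or "external"))
    return findings


if __name__ == "__main__":
    as_of = datetime(2017, 4, 5, tzinfo=timezone.utc)
    for name, canonical, zone in stale_zone_spanning(SAMPLE_CSV, ZONES, as_of):
        print(f"FINDING: {name} -> {canonical} (target zone: {zone})")
```

Same-zone aliases and zone-spanning aliases younger than the cutoff are not reported; targets outside every listed zone are reported as "external".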