
The DHCP client must not send dynamic DNS updates.


Overview

Finding ID: V-22549
Version: GEN007850
Rule ID: SV-45988r2_rule
IA Controls:
Severity: Medium
Description
Dynamic DNS updates transmit unencrypted information about a system including its name and address and should not be used unless needed.
STIG Date
SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide 2018-09-19

Details

Check Text ( C-43270r2_chk )
If the "dhcp-client" package is not installed, this is not applicable.

Verify the DHCP client is configured to not send dynamic DNS updates.

Procedure:
# rpm -q dhcp-client
If the DHCP client is found, issue the following command to determine if the DHCP client sends dynamic DNS updates:

# grep do-forward-updates /etc/dhclient.conf

If the DHCP client is installed and the configuration file is not present, or contains do-forward-updates = "true", then this is a finding.
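
The check procedure above as an added shell example (not part of the STIG text): a plain grep also matches commented-out lines, so this version strips comments before classifying the file. The function names, the result strings and the rule that the last active statement wins are assumptions of this example.

```shell
#!/bin/sh
# Added example: classify a dhclient.conf for the GEN007850 check.
# Prints: finding-missing-file | finding-enabled | pass-disabled | unset

check_ddns_updates() {
    conf="$1"
    # The check text treats a missing configuration file as a finding.
    if [ ! -f "$conf" ]; then
        echo "finding-missing-file"
        return 0
    fi
    # Drop comments, treat '=', quotes and ';' as separators, and keep the
    # value of the last active statement (assumption: the last one wins;
    # per-interface scoping is not modelled).
    value=$(awk '
        { sub(/#.*/, ""); gsub(/[=";]/, " ") }
        $1 == "do-forward-updates" { last = tolower($2) }
        END { print last }
    ' "$conf")
    case "$value" in
        true|on)   echo "finding-enabled" ;;
        false|off) echo "pass-disabled" ;;
        *)         echo "unset" ;;   # setting absent or only commented out
    esac
}

# Host-level wrapper following the procedure: package test first, then file.
audit_host() {
    if ! rpm -q dhcp-client >/dev/null 2>&1; then
        echo "not-applicable"
        return 0
    fi
    check_ddns_updates /etc/dhclient.conf
}
```

The "unset" result covers a file that exists but has no active do-forward-updates statement, a case the check text does not name, so it is reported separately for the reviewer to assess.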
Fix Text (F-39353r1_fix)
Create or edit the "/etc/dhclient.conf" file and set "do-forward-updates" to false.

Procedure:
# echo "do-forward-updates false;" >> /etc/dhclient.conf