
A caching name server does not restrict recursive queries to only the IP addresses and IP address ranges of known supported clients.


Overview

Finding ID: V-4487
Version: DNS0480
Rule ID: SV-4487r2_rule
IA Controls: ECSC-1
Severity: Medium
Description
Any host that can query a resolving name server has the potential to poison the server's name cache or to take advantage of other vulnerabilities that may be reachable through the query service. The best way to prevent this type of attack is to limit queries to the internal hosts that need this service available to them.
STIG: Windows DNS
Date: 2015-12-28

Details

Check Text ( C-3546r1_chk )
BIND

Instruction: This check is only applicable to caching name servers. Verify the allow-query and allow-recursion phrases are properly configured.

The reviewer should identify the allow-query and allow-recursion phrases. It should look as follows:

allow-query {trustworthy_hosts;};
allow-recursion {trustworthy_hosts;};

The name of the ACL does not need to be “trustworthy_hosts” but the name should match the ACL name defined earlier in named.conf for this purpose. If not, then this is a finding. The reviewer will also check for whether non-internal IP addresses appear in either the referenced ACL (e.g., trustworthy_hosts) or directly in the statements themselves. If non-internal IP addresses do appear, then this is a finding.
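The following script is an added example and not part of the STIG or of BIND; it automates the review step described above for a named.conf file. It extracts the acl definitions and the allow-query / allow-recursion statements, expands ACL references, and reports any element that is "any", that is not an internal address range, or that cannot be parsed. The internal ranges (RFC 1918 here) and the two sample named.conf fragments are constructed assumptions; substitute the organization's own ranges. It uses a simple regular-expression scan, not a full BIND grammar, so zone-level allow-query statements are checked the same way as the global one.

```python
import ipaddress
import re

# Assumption: the organisation's internal ranges. RFC 1918 is used only as
# a placeholder for this example; replace with the documented client ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample configurations (not from the STIG page).
COMPLIANT_CONF = """
// internal clients allowed to use the caching server
acl trustworthy_hosts { 10.0.0.0/8; 192.168.1.0/24; localhost; };
options {
    recursion yes;
    allow-query { trustworthy_hosts; };
    allow-recursion { trustworthy_hosts; };
};
"""

NONCOMPLIANT_CONF = """
acl trustworthy_hosts { 10.0.0.0/8; 203.0.113.0/24; };   # external range in ACL
options {
    recursion yes;
    allow-query { any; };                          /* open to the world */
    allow-recursion { trustworthy_hosts; 198.51.100.7; };
};
"""

ACL_RE = re.compile(r'\bacl\s+"?([\w.-]+)"?\s*\{([^}]*)\}')
STMT_RE = re.compile(r'\b(allow-query|allow-recursion)\s*\{([^}]*)\}')


def _elements(body):
    """Split an address_match_list body into its non-empty elements."""
    return [e.strip() for e in body.split(";") if e.strip()]


def _expand(elements, acls, seen=()):
    """Replace ACL names with their contents, following nested references."""
    out = []
    for e in elements:
        if e in acls and e not in seen:
            out.extend(_expand(acls[e], acls, seen + (e,)))
        else:
            out.append(e)
    return out


def check_list(stmt, elements, acls, internal_nets):
    """Return findings for one allow-query / allow-recursion statement."""
    findings = []
    for e in _expand(elements, acls):
        if e.startswith("!") or e in ("localhost", "none"):
            continue                      # denies or loopback grant nothing external
        if e in ("any", "localnets"):
            findings.append(f"{stmt}: '{e}' is not an explicit list of known clients")
            continue
        try:
            net = ipaddress.ip_network(e, strict=False)
        except ValueError:
            findings.append(f"{stmt}: unrecognised element '{e}' (review manually)")
            continue
        same_family = [i for i in internal_nets if i.version == net.version]
        if not any(net.subnet_of(i) for i in same_family):
            findings.append(f"{stmt}: non-internal address {e}")
    return findings


def audit_named_conf(text, internal_nets=INTERNAL_NETS):
    """Return a list of findings; an empty list means the check passes."""
    text = re.sub(r'(//|#)[^\n]*', '', text)             # strip line comments
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)    # strip block comments
    acls = {name: _elements(body) for name, body in ACL_RE.findall(text)}
    findings, present = [], set()
    for stmt, body in STMT_RE.findall(text):
        present.add(stmt)
        findings.extend(check_list(stmt, _elements(body), acls, internal_nets))
    for stmt in ("allow-query", "allow-recursion"):
        if stmt not in present:
            findings.append(f"{stmt} statement missing; access is not explicitly restricted")
    return findings


if __name__ == "__main__":
    for label, conf in (("compliant", COMPLIANT_CONF), ("non-compliant", NONCOMPLIANT_CONF)):
        result = audit_named_conf(conf)
        print(f"{label}: {'PASS' if not result else 'FINDING'}")
        for f in result:
            print("  -", f)
```

Run it against the server's own named.conf by reading the file into audit_named_conf; each returned line corresponds to one item the reviewer would record as a finding. Elements the script cannot classify (for example TSIG key names) are reported for manual review rather than silently accepted.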

Windows 2000/2003 DNS

Instruction: Windows 2000/2003 DNS should not be deployed as a caching name server. Consequently, the use of forwarders and recursion is prohibited on Windows DNS. The reviewer will validate that “Disable recursion” and “Secure cache against pollution” on the “Advanced” tab of the name server properties are selected. Examine the “Advanced” tab of the DNS Server “Properties” dialog box. If “Disable recursion” and “Secure cache against pollution” are not checked, then this is a finding.

The reviewer will also validate, if available, that the “Enable forwarders” option on the “Forwarders” tab of the name server properties is not selected. Examine the “Forwarders” tab of the DNS Server “Properties” dialog box. If “Enable forwarders” is checked, then this is a finding.

In cases in which the name server is not running BIND or Windows 2000/2003 DNS, the reviewer must still examine the configuration and its documentation to validate this requirement.
Fix Text (F-4372r1_fix)
The DNS software administrator should configure the caching name server to accept recursive queries only from the IP addresses and address ranges of known supported clients. Configuration details for BIND and Windows DNS may be found in the DNS STIG.