
The DNS implementation must disable use of nonsecure protocols.


Overview

Finding ID: SRG-APP-000383-DNS-000046
Version: SRG-APP-000383-DNS-000046
Rule ID: SRG-APP-000383-DNS-000046_rule
IA Controls:
Severity: Medium
Description
In this context a nonsecure protocol is one that has not been evaluated and accepted for use per the Ports, Protocols, and Services Category Assignments List (CAL) from DISA (PPSM). Disabling nonsecure protocols is essential to protecting the DNS implementation and architecture: any such protocol left enabled is a potentially exploitable path into the DNS infrastructure. Because DNS systems maintain the mapping of IP addresses to host names, that data is valuable reconnaissance for an attacker who gains access to it.
STIG: Domain Name System (DNS) Security Requirements Guide
Date: 2014-07-11

Details

Check Text (C-SRG-APP-000383-DNS-000046_chk)
Review the DNS configuration to determine whether any services or capabilities not required for operational or mission need are present on the system.

DNS must be a dedicated service, i.e., it cannot coexist with any other network function, such as a firewall or a DHCP service, on the same platform.

If additional services or capabilities are present on the system, this is a finding.
Fix Text (F-SRG-APP-000383-DNS-000046_fix)
Configure the DNS system name server software to only utilize secure ports and protocols required for operation which have been accepted for use as per the Ports, Protocols, and Services Category Assignments List (CAL) from DISA (PPSM).
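One way to perform the check above, and to verify that the fix has left only accepted ports and protocols in use, is to audit the name server host's listening sockets against an allowlist. The script below is an added example and is not part of the SRG; it assumes a Linux host whose listeners are enumerated with `ss -lntuH` (fields: Netid, State, Recv-Q, Send-Q, Local:Port, Peer:Port, Process), and it assumes an allowlist of DNS on 53/udp and 53/tcp plus 22/tcp for remote administration. Both the allowlist and the sample `ss` output are constructed for illustration; the real allowlist is whatever the PPSM CAL accepts for the system.

```shell
#!/bin/sh
# Added example (not part of the SRG): audit a DNS host's listening sockets
# against an allowlist of accepted protocol/port pairs.
# Assumes Linux `ss -lntuH` output:
#   Netid State Recv-Q Send-Q Local:Port Peer:Port [Process]

# Assumed allowlist for a dedicated name server: DNS on 53/udp and 53/tcp,
# plus 22/tcp for remote administration. Adjust to what the PPSM CAL accepts.
ALLOWED="udp/53 tcp/53 tcp/22"

# audit_listeners: read ss-style lines on stdin, print one FINDING line for
# every listener whose proto/port is not in ALLOWED, and return the number
# of findings as the exit status (0 means the host is compliant).
audit_listeners() {
    findings=0
    while read -r netid _state _recvq _sendq local _peer process; do
        if [ -z "$netid" ]; then
            continue
        fi
        port=${local##*:}        # strip the address part: 0.0.0.0:, [::]:, *:
        key="$netid/$port"
        case " $ALLOWED " in
            *" $key "*) ;;       # accepted protocol/port, nothing to report
            *)
                findings=$((findings + 1))
                echo "FINDING: $key on $local${process:+ $process}"
                ;;
        esac
    done
    return "$findings"
}

# Constructed sample for a host that is NOT a dedicated name server:
# besides named and sshd it also runs a DHCP server (67/udp) and a web
# server (80/tcp), both of which the check text treats as findings.
SAMPLE_SS_OUTPUT='udp   UNCONN 0 0      0.0.0.0:53   0.0.0.0:* users:(("named",pid=812,fd=20))
udp   UNCONN 0 0      0.0.0.0:67   0.0.0.0:* users:(("dhcpd",pid=901,fd=7))
tcp   LISTEN 0 10     0.0.0.0:53   0.0.0.0:* users:(("named",pid=812,fd=21))
tcp   LISTEN 0 128    0.0.0.0:22   0.0.0.0:* users:(("sshd",pid=650,fd=3))
tcp   LISTEN 0 511    [::]:80      [::]:*    users:(("httpd",pid=1200,fd=4))'

# Demo on the constructed sample. On a live host run:  ss -lntuH | audit_listeners
printf '%s\n' "$SAMPLE_SS_OUTPUT" | audit_listeners
echo "findings: $?"
```

On the sample input the script reports the 67/udp and 80/tcp listeners and exits with status 2; on a host where only the allowlisted sockets are open it prints nothing and exits 0, which makes it easy to drop into a scheduled compliance job. A listener that is absent from the allowlist but legitimately needed (for example a name server's own control channel) is a signal to get that port evaluated and added to the accepted list, not to silence the check.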