
The DNS server will not use a statically configured source port for all DNS query traffic.


Overview

Finding ID: V-24996
Version: DNS4720
Rule ID: SV-30736r1_rule
IA Controls: ECSC-1
Severity: High
Description
DNS queries are sent over UDP for performance reasons. A resolver accepts the first response that matches the characteristics of its outstanding query, and every one of those characteristics can be forged: an attacker who matches the query's source port (usually an "ephemeral" port above 1024), the IP address of the server that was queried, the DNS transaction ID, and the Question section of the outgoing query can have a forged answer accepted. The DNS protocol specification does not require any of these values to be random or unpredictable, which is what makes response spoofing and cache poisoning feasible. With a statically configured source port the attacker only has to guess the 16-bit transaction ID; a randomized source port adds roughly another 16 bits that the forged response must also match.
STIG: BIND DNS
STIG Date: 2011-01-20

Details

Check Text (C-31145r1_chk)
Locate and examine the named.conf file. Find the 'options' statement and ensure it does not contain the following entry:
query-source port 53;

The port number may be different; the line of concern is any query-source (or query-source-v6) statement that names a specific port, because a fixed port means named is not using randomized source ports. Note that "query-source port *;" asks named to pick a random port, but it still contains a query-source statement and so does not satisfy the literal check; removing the statement is the cleanest way to comply. The configuration check is necessary but not sufficient on its own: a BIND release that predates source-port randomization uses a fixed port regardless of named.conf, so confirm the running version with "named -v", and where possible capture outbound DNS traffic from the server and confirm that the UDP source port varies from query to query.
Fix Text (F-27639r1_fix)
Upgrade to at least the required software version as specified in IAVA 2008-A-0045, remove every query-source and query-source-v6 statement from named.conf, and reload the configuration (for example with "rndc reload") so that the running named picks up the change.
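The following script automates the check above. It is an added example, not part of the STIG or of BIND, and it goes slightly beyond the literal check text: it strips //, # and /* */ comments before searching (so a commented-out statement is not a false positive), it looks at query-source-v6 as well as query-source, and it separates "any query-source statement is present" (the STIG's literal condition) from "a numeric port is pinned" (the condition that actually defeats randomization). The two named.conf files it scans are constructed inline for the demonstration; the temporary directory, file names and function names are this example's own choices.

```sh
#!/bin/sh
# Added example, not from the STIG text: audit named.conf for a
# statically configured query source port.
# Assumption: /* */ comments contain no '*' other than their delimiters,
# which holds for ordinary named.conf files.

# Print every query-source / query-source-v6 statement in FILE, one per
# line, after removing comments so commented-out lines do not count.
list_query_source() {
    sed -e 's|//.*||' -e 's|#.*||' "$1" \
        | tr '\n' ' ' \
        | sed -e 's|/\*[^*]*\*/||g' \
        | tr ';' '\n' \
        | grep -E 'query-source(-v6)?[[:space:]]' \
        | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# Return 0 (true) if FILE pins a numeric port, i.e. "port 53" rather
# than "port *" or no port at all. This is the setting that disables
# source-port randomization in a BIND that otherwise supports it.
has_fixed_query_source_port() {
    list_query_source "$1" | grep -Eq 'port[[:space:]]+[0-9]+'
}

# Print a verdict for FILE; return 1 on a finding, 0 otherwise.
audit_named_conf() {
    if has_fixed_query_source_port "$1"; then
        echo "FINDING: $1 pins the query source port:"
        list_query_source "$1" | sed 's/^/    /'
        return 1
    fi
    echo "OK: $1 does not pin the query source port"
    return 0
}

# Constructed sample configurations (not real deployments).
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
BAD_CONF="$WORK/named-fixed.conf"
GOOD_CONF="$WORK/named-random.conf"

cat > "$BAD_CONF" <<'EOF'
// Constructed example: fails the check (all queries leave from UDP/53).
options {
    directory "/var/named";
    recursion yes;
    query-source address * port 53;   # fixed IPv4 source port
    query-source-v6 address * port 53;
};
EOF

cat > "$GOOD_CONF" <<'EOF'
/* Constructed example: passes the check. No query-source statement,
   so named chooses a random ephemeral port for every outbound query. */
options {
    directory "/var/named";
    recursion yes;
    // query-source port 53;  (removed per the fix text)
};
EOF

# rc becomes 1 if any scanned file has a finding; a real audit script
# would exit with it.
rc=0
for f in "$BAD_CONF" "$GOOD_CONF"; do
    audit_named_conf "$f" || rc=1
done
```

To audit a live server, point audit_named_conf at the real configuration file (commonly /etc/named.conf or /etc/bind/named.conf, depending on the distribution) and remember that a clean configuration only helps if the running BIND is a release that randomizes ports; check that separately with "named -v".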