UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The DNS software does not log, at a minimum, success and failure of starting and stopping of the name server service daemon, zone transfers, zone update notifications, and dynamic updates.


Overview

Finding ID Version Rule ID IA Controls Severity
V-4488 DNS0485 SV-4488r8_rule ECAT-1 ECAT-2 High
Description
Logging must be comprehensive to be useful for both intrusion monitoring and security investigations. Setting logging at the severity notice should capture most relevant events without requiring unacceptable levels of data storage. The severity levels notice and debug are also available to organizations that require additional logging for certain events or applications.
STIG Date
BIND DNS 2011-01-20

Details

Check Text ( C-3547r5_chk )
DNS software administrators need DNS transaction logs for a wide variety of reasons including troubleshooting, intrusion detection, and forensics. The events the name server logs are to contain, at a minimum, success and failure of the following events:

- start and stop of the name server service or daemon
- zone transfers
- zone update notifications
- dynamic updates

BIND

Instruction: For a BIND configuration: if a logging statement is present, it will have the form:

logging {
channel channel_name
file path_name | syslog syslog_facility
severity (critical | error | warning |
notice | info | debug [level]| dynamic);]
print-severity yes/no;
print-time yes/no;
};

category category_name {
channel_name ; [ channel_name ; …
};
};

Instruction: If a logging statement is not present, then this is a finding. The reviewer will look at the severity clause in each of the channel phrases of the logging statement. It should read either notice, info or debug for each defined channel (although debug would not typically appear unless the review is concurrent with a troubleshooting effort). If the logging statement is not properly configured, then this is a finding.

NOTE: Debug level may cause operational issues due to log file sizes and is therefore not a requirement for anything other than troubleshooting purposes.

Windows DNS

Instruction: For a Windows 2003 DNS configuration: On the “Logging Tab” or “Debug Logging” tab of the “DNS Server Properties” dialog box, if “Log Packets for “Notify” and “Update” are not checked, then this is a finding.

Mitigation: DNS0485
A violation of this requirement can have one of two severity levels depending upon the extent of the violation. If no logging exists, then the discrepancy would be a Category I finding. If some logging exists, but not for all of the events listed, then the discrepancy would be a Category II finding.
Fix Text (F-4373r4_fix)
The DNS software administrator will configure the DNS software to log, at a minimum, success and failure of the following events:

- start and stop of the name server service or daemon
- zone transfers
- zone update notifications
- dynamic updates