
The firewall implementation must inspect inbound and outbound DNS traffic for harmful content and protocol conformance.


Overview

Finding ID: V-37339
Version: SRG-NET-999999-FW-000169
Rule ID: SV-49100r1_rule
IA Controls:
Severity: Medium
Description
Allowing traffic through the firewall without inspection creates a direct connection between the host in the private network and a host on the outside. This bypasses security measures and places the network and destination endpoint at a greater risk of exploitation.
STIG: Firewall Security Requirements Guide
Date: 2013-04-24

Details

Check Text ( C-45587r1_chk )
Review the firewall configuration and verify that both outbound and inbound DNS traffic is inspected for the following:
- Protocol conformance, malformed packets, message length, and domain name integrity.
- Query ID and port randomization for DNS query traffic is enabled.

If the firewall implementation does not inspect inbound and outbound DNS traffic for protocol conformance, this is a finding.
Fix Text (F-42264r1_fix)
Configure the firewall implementation with a DNS proxy. If the firewall implementation does not have proxy capability, configure the firewall to meet the minimum content, protocol, and flow control inspection as follows:
- Inspect for protocol conformance, malformed packets, message length, and domain name integrity.
- Enable query ID and port randomization for DNS query traffic.
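As an added illustration (not part of the STIG text and not any firewall vendor's code), the following Python shows the kind of checks a DNS proxy applies to one outbound UDP query: payload length, header sanity, QNAME label and name limits with a restricted character set, and a sampling heuristic for the query ID and source port randomization item. The 512/255-byte limits come from RFC 1035; the 0.9 distinct-value threshold, the LDH-plus-underscore character set, and the constructed sample queries are assumptions of this example.

```python
import struct

MAX_UDP_PAYLOAD, MAX_NAME = 512, 255   # RFC 1035: DNS/UDP limit without EDNS0; max name wire length
LDH = set(b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_")  # '_' for SRV/DKIM names (assumption)

def read_qname(msg, off=12):
    """Parse the QNAME at msg[off] -> (dotted name, offset after it); ValueError if malformed."""
    labels, wire_len = [], 0
    while off < len(msg):
        ln = msg[off]
        if ln & 0xC0:   # pointer (0xC0) or reserved label type; also covers any label > 63 bytes.
            # The QNAME is the first name in a query, so there is no prior name to point at.
            raise ValueError("compression pointer or reserved label type in QNAME")
        if wire_len + ln + 1 > MAX_NAME:
            raise ValueError("name longer than 255 bytes")
        wire_len += ln + 1
        if ln == 0:                                 # root label terminates the name
            return ".".join(labels) or ".", off + 1
        label = msg[off + 1:off + 1 + ln]
        if len(label) != ln or not set(label) <= LDH:
            raise ValueError("truncated label or non-LDH byte in label")
        labels.append(label.decode())
        off += 1 + ln
    raise ValueError("QNAME runs past end of message")

def check_query(msg):
    """List conformance problems in one DNS/UDP query payload (empty list = clean)."""
    if len(msg) < 12:
        return ["header shorter than 12 bytes"]
    problems = ["UDP payload exceeds 512 bytes"] if len(msg) > MAX_UDP_PAYLOAD else []
    flags, qdcount = struct.unpack("!HH", msg[2:6])
    if flags & 0x8000 or qdcount != 1:     # QR=1 or not exactly one question is not a normal query
        problems.append(f"bad header: flags={flags:#06x} qdcount={qdcount}")
    try:
        _name, off = read_qname(msg)
        if off + 4 > len(msg):             # QTYPE and QCLASS must follow the name
            raise ValueError("question truncated before QTYPE/QCLASS")
    except ValueError as e:
        problems.append(str(e))
    return problems

def randomization_ok(queries, min_distinct=0.9):
    """Heuristic for the randomization requirement: over a sample of (txid, sport) pairs
    seen from one resolver, nearly all transaction IDs and source ports should be distinct."""
    fraction = [len({q[i] for q in queries}) / len(queries) for i in (0, 1)]
    return min(fraction) >= min_distinct

# Constructed samples: a clean A query for example.com, and one whose QNAME is a self-referencing pointer
HDR = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"   # id 0x1234, RD set, QDCOUNT=1
GOOD_QUERY = HDR + b"\x07example\x03com\x00" + b"\x00\x01\x00\x01"
LOOP_QUERY = HDR + b"\xc0\x0c" + b"\x00\x01\x00\x01"
```

A proxy that fails any of these checks should drop the datagram and log it; responses need the same treatment plus compression-pointer validation, which this query-only sketch omits.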