Domain Name System (DNS) Security Requirements Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
A DNS server implementation must provide the means to enable verification of a chain of trust among parent and child domains (if the child supports secure resolution services).
<VulnDiscussion>If name server replies are invalid or cannot be validated, many networking functions and communication would be adversely aff...Rule Medium Severity -
SRG-APP-000219
<GroupDescription></GroupDescription>Group -
The DNS implementation must protect the authenticity of communications sessions for queries.
<VulnDiscussion>The underlying feature in the major threat associated with DNS query/response (i.e., forged response or response failure) is ...Rule Medium Severity -
SRG-APP-000225
<GroupDescription></GroupDescription>Group -
The DNS server implementation must fail to a secure state if system initialization fails, shutdown fails, or aborts fail.
<VulnDiscussion>Failure to a known safe state helps prevent systems from failing to a state that may cause loss of data or unauthorized acces...Rule Medium Severity -
SRG-APP-000226
<GroupDescription></GroupDescription>Group -
In the event of a system failure, the DNS server implementation must preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to mission processes.
<VulnDiscussion>Failure to a known state can address safety or security in accordance with the mission/business needs of the organization. Fa...Rule Medium Severity -
SRG-APP-000231
<GroupDescription></GroupDescription>Group -
The DNS server implementation must protect the confidentiality and integrity of secret/private cryptographic keys at rest and the integrity of DNS information at rest.
<VulnDiscussion>Information at rest refers to the state of information when it is located on a secondary storage device within an organizatio...Rule Medium Severity -
SRG-APP-000243
<GroupDescription></GroupDescription>Group -
The DNS server implementation must strongly bind the identity of the DNS server with the DNS information.
<VulnDiscussion>Weakly bound credentials can be modified without invalidating the credential; therefore, non-repudiation can be violated. Th...Rule Medium Severity -
SRG-APP-000348
<GroupDescription></GroupDescription>Group -
The DNS server implementation must prevent unauthorized and unintended information transfer via shared system resources.
<VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of infor...Rule Medium Severity -
SRG-APP-000246
<GroupDescription></GroupDescription>Group -
The DNS server implementation must restrict the ability of individuals to use the DNS server to launch Denial of Service (DoS) attacks against other information systems.
<VulnDiscussion>A DoS is a condition where a resource is not available for legitimate users. When this occurs, the organization either cannot...Rule Medium Severity -
SRG-APP-000247
<GroupDescription></GroupDescription>Group -
The DNS server implementation must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of Denial of Service (DoS) attacks.
<VulnDiscussion>A DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot ...Rule Medium Severity -
SRG-APP-000251
<GroupDescription></GroupDescription>Group -
The DNS server implementation must check the validity of all data inputs except those specifically identified by the organization.
<VulnDiscussion>Invalid user input occurs when a user inserts data or characters into an application's data entry fields and the application ...Rule Medium Severity -
SRG-APP-000268
<GroupDescription></GroupDescription>Group -
SRG-APP-000421
<GroupDescription></GroupDescription>Group -
The DNS server implementation must, when a component failure is detected, activate a notification to the system administrator.
<VulnDiscussion>Predictable failure prevention requires organizational planning to address system failure issues. If components key to mainta...Rule Medium Severity -
SRG-APP-000275
<GroupDescription></GroupDescription>Group -
The DNS server implementation must be configured to generate audit records for failed security verification tests so that the ISSO and ISSM can be notified of the failures.
<VulnDiscussion>Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing t...Rule Medium Severity -
SRG-APP-000333
<GroupDescription></GroupDescription>Group -
The DNS Name Server software must be configured to refuse queries for its version information.
<VulnDiscussion>Each newer version of the name server software, especially the BIND software, generally is devoid of vulnerabilities found in...Rule Medium Severity -
SRG-APP-000333
<GroupDescription></GroupDescription>Group -
The HINFO, RP, TXT and LOC RR types must not be used in the zone SOA.
<VulnDiscussion>There are several types of RRs in the DNS that are meant to convey information to humans and applications about the network, ...Rule Medium Severity -
SRG-APP-000347
<GroupDescription></GroupDescription>Group -
The DNS server implementation must provide the means for authorized individuals to determine the identity of the source of the DNS server-provided information.
<VulnDiscussion>Without a means for identifying the individual that produced the information, the information cannot be relied upon. Identify...Rule Medium Severity -
SRG-APP-000349
<GroupDescription></GroupDescription>Group -
The DNS server implementation must validate the binding of the other DNS servers identity to the DNS information for a server-to-server transaction (e.g., zone transfer).
<VulnDiscussion>Validation of the binding of the information prevents the modification of information between production and review. The vali...Rule Medium Severity -
SRG-APP-000350
<GroupDescription></GroupDescription>Group -
In the event of an error when validating the binding of another DNS servers identity to the DNS information, the DNS server implementation must log the event and send notification to the DNS administrator.
<VulnDiscussion>Failing to act on the validation errors may result in the use of invalid, corrupted, or compromised information. The validati...Rule Medium Severity -
SRG-APP-000383
<GroupDescription></GroupDescription>Group -
The DNS implementation must prohibit recursion on authoritative name servers.
<VulnDiscussion>A potential vulnerability of DNS is that an attacker can poison a name server's cache by sending queries that will cause the ...Rule Medium Severity -
SRG-APP-000390
<GroupDescription></GroupDescription>Group -
The DNS server implementation must require devices to re-authenticate for each zone transfer and dynamic update request connection attempt.
<VulnDiscussion>Without re-authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity...Rule Medium Severity -
SRG-APP-000394
<GroupDescription></GroupDescription>Group -
The DNS server implementation must authenticate the other DNS server before responding to a server-to-server transaction.
<VulnDiscussion>Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. D...Rule Medium Severity -
SRG-APP-000395
<GroupDescription></GroupDescription>Group -
The DNS server implementation must authenticate another DNS server before establishing a remote and/or network connection using bidirectional authentication that is cryptographically based.
<VulnDiscussion>Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. B...Rule Medium Severity -
SRG-APP-000401
<GroupDescription></GroupDescription>Group -
The DNS server implementation, for PKI-based authentication, must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network.
<VulnDiscussion>Without configuring a local cache of revocation data, there is the potential to allow access to users who are no longer autho...Rule Medium Severity -
SRG-APP-000420
<GroupDescription></GroupDescription>Group -
A DNS server implementation must provide data origin artifacts for internal name/address resolution queries.
<VulnDiscussion>The major threat associated with DNS forged responses or failures is the integrity of the DNS data returned in the response. ...Rule Medium Severity -
A DNS server implementation must perform data integrity verification on the name/address resolution responses the system receives from authoritative sources.
<VulnDiscussion>If data origin authentication and data integrity verification are not performed, the resultant response could be forged, it m...Rule Medium Severity -
SRG-APP-000426
<GroupDescription></GroupDescription>Group -
A DNS server implementation must provide data integrity protection artifacts for internal name/address resolution queries.
<VulnDiscussion>The major threat associated with DNS forged responses or failures is the integrity of the DNS data returned in the response. ...Rule Medium Severity -
SRG-APP-000422
<GroupDescription></GroupDescription>Group
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.