For zones split between the external and internal sides of a network, the RRs for the external hosts must be separate from the RRs for the internal hosts.
An XCCDF Rule
Description
<VulnDiscussion>Authoritative name servers for an enterprise may be configured to receive requests from both external and internal clients. External clients need to receive RRs that pertain only to public services (public Web server, mail server, etc.) Internal clients need to receive RRs pertaining to public services as well as internal hosts. The zone information that serves the RRs on both the inside and the outside of a firewall should be split into different physical files for these two types of clients (one file for external clients and one file for internal clients).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-205236r961863_rule
- Severity
- Medium
- References
- Updated
Remediation - Manual Procedure
Remove any RRs listed in the internal name server configuration which resolve for external hosts and remove any RRs listed in the external name server configuration which resolve to internal hosts.
For hosts intended to be accessed by both internal and external clients, configure unique IP addresses in each of the internal and external name servers, respective to their location. The perimeter firewall, or other routing device, should handle the Network Address Translation to the true IP address of the destination.