Configure Multiple DNS Servers in /etc/resolv.conf
An XCCDF Rule
Description
Determine whether the system is using local or DNS name resolution with the following command:
$ sudo grep hosts /etc/nsswitch.conf
hosts: files dns

If the "dns" entry is missing from the "hosts" line in the "/etc/nsswitch.conf" file, the "/etc/resolv.conf" file must be empty. Verify the "/etc/resolv.conf" file is empty with the following command:
$ sudo ls -al /etc/resolv.conf
-rw-r--r-- 1 root root 0 Aug 19 08:31 resolv.conf

If the "dns" entry is found on the "hosts" line of the "/etc/nsswitch.conf" file, then verify the following:
Multiple Domain Name System (DNS) servers should be configured in /etc/resolv.conf. This provides redundant name resolution services in the event that a domain server crashes. To configure the system to contain at least 2 DNS servers, add a corresponding "nameserver ip_address" entry in /etc/resolv.conf for each DNS server, where ip_address is the IP address of a valid DNS server.
For example:
search example.com
nameserver 192.168.0.1
nameserver 192.168.0.2
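The check described above, written as a POSIX shell function. This is an added example, not the SSG rule's own OVAL or remediation content; the two path arguments are an assumption made so the function can be run against copies of the files rather than only the live system.

```shell
#!/bin/sh
# Audit helper (added example, not part of the SSG rule): returns 0 when the
# system satisfies the rule, 1 otherwise. Both arguments are assumed for
# testing; with no arguments the live /etc files are checked.
check_name_resolution() {
    nsswitch="${1:-/etc/nsswitch.conf}"
    resolv="${2:-/etc/resolv.conf}"

    # First active (non-comment) "hosts:" line of nsswitch.conf.
    hosts_line=$(grep -E '^[[:space:]]*hosts:' "$nsswitch" 2>/dev/null | head -n 1)

    # -w keeps "dns" from matching sources such as mdns4_minimal.
    if ! printf '%s\n' "$hosts_line" | grep -qw dns; then
        # DNS is not a lookup source: resolv.conf must be empty (or absent).
        if [ ! -s "$resolv" ]; then
            echo "PASS: no dns source in $nsswitch and $resolv is empty"
            return 0
        fi
        echo "FAIL: no dns source in $nsswitch but $resolv is not empty"
        return 1
    fi

    # DNS is in use: count real nameserver entries, ignoring comments.
    # grep -c exits 1 when nothing matches, so keep its printed 0.
    count=$(grep -Ec '^[[:space:]]*nameserver[[:space:]]+[0-9A-Fa-f.:]+' \
                "$resolv" 2>/dev/null || true)
    count="${count:-0}"
    if [ "$count" -ge 2 ]; then
        echo "PASS: $count nameserver entries in $resolv"
        return 0
    fi
    echo "FAIL: only $count nameserver entries in $resolv (need at least 2)"
    return 1
}
```

Run `check_name_resolution` with no arguments to audit the local host; the exit status is what a compliance scanner would key on.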
Warning: This rule doesn't come with a remediation; the IP addresses of local authoritative name servers need to be added by the administrator.
Rationale
To provide availability for name resolution services, multiple redundant name servers are mandated. A failure in name resolution could lead to the failure of security functions requiring name resolution, which may include time synchronization, centralized authentication, and remote system logging.
ID: xccdf_org.ssgproject.content_rule_network_configure_name_resolution
Severity: Medium
References:
Updated: