For zones split between the external and internal sides of a network, the resource records (RRs) for the external hosts must be separate from the RRs for the internal hosts.
An XCCDF Rule
Description
<VulnDiscussion>Authoritative name servers for an enterprise may be configured to receive requests from both external and internal clients. External clients need to receive RRs that pertain only to public services (public web server, mail server, etc.) Internal clients need to receive RRs pertaining to public services as well as internal hosts. Organizations using dedicated internal systems and separate dedicated external systems are inherently more secure than using a single system accessed by both internal and external clients. DNS Views allow a single name server to provide different response data based on a client match list or Access Control List.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-233868r621666_rule
- Severity
- Medium
- References
- Updated
Remediation - Manual Procedure
1. Navigate to Data Management >> DNS >> Zones and review each zone.
2. Remove any RRs listed in the internal name server configuration (DNS view) that resolve for external hosts.
3. Remove any RRs listed in the external name server configuration (DNS view) that resolve to internal hosts.
4. For hosts intended to be accessed by both internal and external clients, configure unique IP addresses in each of the internal and external name servers, respective to their location.
5. The perimeter firewall, or other routing device, must be configured to perform Network Address Translation to the true IP address of the destination.