III - Administrative Classified
Rules and Groups employed by this XCCDF Profile
-
SRG-APP-000516-DNS-000099
Group -
The permissions assigned to the core BIND 9.x server files must be set to utilize the least privilege possible.
Discretionary Access Control (DAC) is based on the premise that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in whic...Rule Medium Severity -
SRG-APP-000516-DNS-000091
Group -
On a BIND 9.x server for zones split between the external and internal sides of a network, the RRs for the external hosts must be separate from the RRs for the internal hosts.
Authoritative name servers for an enterprise may be configured to receive requests from both external and internal clients. External clients need to receive RRs that pertain only to public servic...Rule Medium Severity -
SRG-APP-000516-DNS-000092
Group -
On a BIND 9.x server in a split DNS configuration, where separate name servers are used between the external and internal networks, the external name server must be configured to not be reachable from inside resolvers.
Instead of having the same set of authoritative name servers serve different types of clients, an enterprise could have two different sets of authoritative name servers. One set, called external ...Rule Medium Severity -
SRG-APP-000516-DNS-000093
Group -
On a BIND 9.x server in a split DNS configuration, where separate name servers are used between the external and internal networks, the internal name server must be configured to not be reachable from outside resolvers.
Instead of having the same set of authoritative name servers serve different types of clients, an enterprise could have two different sets of authoritative name servers. One set, called external ...Rule Medium Severity -
SRG-APP-000516-DNS-000101
Group -
A BIND 9.x server implementation must implement internal/external role separation.
DNS servers with an internal role only process name/address resolution requests from within the organization (i.e., internal clients). DNS servers with an external role only process name/address re...Rule High Severity -
SRG-APP-000516-DNS-000108
Group -
On the BIND 9.x server the IP address for hidden master authoritative name servers must not appear in the name servers set in the zone database.
A hidden master authoritative server is an authoritative DNS server whose IP address does not appear in the name server set for a zone. All of the name servers that do appear in the zone database a...Rule Medium Severity -
SRG-APP-000516-DNS-000500
Group -
A BIND 9.x implementation operating in a split DNS configuration must be approved by the organizations Authorizing Official.
BIND 9.x has implemented an option to use "view" statements to allow for split DNS architecture to be configured on a single name server. If the split DNS architecture is improperly configured th...Rule High Severity -
SRG-APP-000516-DNS-000111
Group -
On the BIND 9.x server the private key corresponding to the ZSK, stored on name servers accepting dynamic updates, must be owned by root.
The private ZSK key must be protected from unauthorized access. This strategy is not feasible in situations in which the DNSSEC-aware name server has to support dynamic updates. To support dynamic...Rule Medium Severity -
SRG-APP-000516-DNS-000111
Group -
On the BIND 9.x server the private key corresponding to the ZSK, stored on name servers accepting dynamic updates, must be group owned by root.
The private ZSK key must be protected from unauthorized access. This strategy is not feasible in situations in which the DNSSEC-aware name server has to support dynamic updates. To support dynamic...Rule Medium Severity -
SRG-APP-000215-DNS-000003
Group -
A BIND 9.x server implementation must enforce approved authorizations for controlling the flow of information between authoritative name servers and specified secondary name servers based on DNSSEC policies.
A mechanism to detect and prevent unauthorized communication flow must be configured or provided as part of the system design. If information flow is not enforced based on approved authorizations, ...Rule Medium Severity -
SRG-APP-000516-DNS-000078
Group -
A BIND 9.x server validity period for the RRSIGs covering a zones DNSKEY RRSet must be no less than two days and no more than one week.
The best way for a zone administrator to minimize the impact of a key compromise is by limiting the validity period of RRSIGs in the zone and in the parent zone. This strategy limits the time durin...Rule Medium Severity -
SRG-APP-000516-DNS-000084
Group -
A BIND 9.x server NSEC3 must be used for all internal DNS zones.
To ensure that RRs associated with a query are really missing in a zone file and have not been removed in transit, the DNSSEC mechanism provides a means for authenticating the nonexistence of an RR...Rule Medium Severity -
SRG-APP-000516-DNS-000085
Group -
Every NS record in a zone file on a BIND 9.x server must point to an active name server and that name server must be authoritative for the domain specified in that record.
Poorly constructed NS records pose a security risk because they create conditions under which an adversary might be able to provide the missing authoritative name services that are improperly speci...Rule Medium Severity -
SRG-APP-000516-DNS-000087
Group -
On a BIND 9.x server all authoritative name servers for a zone must be located on different network segments.
Most enterprises have an authoritative primary server and a host of authoritative secondary name servers. It is essential that these authoritative name servers for an enterprise be located on diffe...Rule Medium Severity -
SRG-APP-000516-DNS-000088
Group -
On a BIND 9.x server all authoritative name servers for a zone must have the same version of zone information.
It is important to maintain the integrity of a zone file. The serial number of the SOA record is used to indicate to secondary name server that a change to the zone has occurred and a zone transfer...Rule Medium Severity -
SRG-APP-000516-DNS-000102
Group -
On a BIND 9.x server all root name servers listed in the local root zone file hosted on a BIND 9.x authoritative name server must be valid for that zone.
All caching name servers must be authoritative for the root zone because, without this starting point, they would have no knowledge of the DNS infrastructure and thus would be unable to respond to ...Rule Low Severity -
SRG-APP-000516-DNS-000102
Group -
On a BIND 9.x server all root name servers listed in the local root zone file hosted on a BIND 9.x authoritative name server must be empty or removed.
A potential vulnerability of DNS is that an attacker can poison a name servers cache by sending queries that will cause the server to obtain host-to-IP address mappings from bogus name servers that...Rule Low Severity -
SRG-APP-000516-DNS-000113
Group -
On the BIND 9.x server a zone file must not include resource records that resolve to a fully qualified domain name residing in another zone.
If a name server were able to claim authority for a resource record in a domain for which it was not authoritative, this would pose a security risk. In this environment, an adversary could use illi...Rule Medium Severity -
SRG-APP-000516-DNS-000114
Group -
On the BIND 9.x server CNAME records must not point to a zone with lesser security for more than six months.
The use of CNAME records for exercises, tests, or zone-spanning aliases should be temporary (e.g., to facilitate a migration). When a host name is an alias for a record in another zone, an adversar...Rule Low Severity -
SRG-APP-000516-DNS-000500
Group -
The BIND 9.x server implementation must prohibit the forwarding of queries to servers controlled by organizations outside of the U.S. Government.
If remote servers to which DoD DNS servers send queries are controlled by entities outside of the U.S. Government the possibility of a DNS attack is increased. The Enterprise Recursive Service (E...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.