Check: DNS0505
BIND DNS STIG:
DNS0505
(in version v4 r1.2)
Title
The DNS software administrator has not removed the root hints file on an authoritative name server in order for it to resolve only those records for which it is authoritative, and ensure that all other queries are refused. (Cat III impact)
Discussion
A potential vulnerability of DNS is that an attacker can poison a name server's cache by sending queries that cause the server to obtain host-to-IP address mappings from bogus name servers that respond with incorrect information. The DNS architecture needs to maintain at least one name server whose zone records are correct and whose cache cannot be poisoned. To that end, the authoritative name server must not forward or recursively resolve queries on behalf of clients, and one way to prevent this is to delete the root hints file.

When authoritative servers receive queries for zones for which they are not authoritative, and they are configured as non-caching servers (as recommended), they can either return a referral to the root servers or refuse to answer the query. The requirement is to configure authoritative servers to refuse to answer queries for any zone for which they are not authoritative. This is more efficient for the server and lets it spend its resources on its intended purpose: answering authoritatively for its own zones.
Check Content
BIND Instruction: This check only applies if the name server is an authoritative name server. Ensure there is no root hints file on the name server. Common names for the root hints file are root.hints, named.cache, or db.cache. The name is configurable within the named.conf file (it is the file named in the zone "." { type hint; file "..."; }; declaration), so check that declaration rather than relying on the common names alone. Note that BIND 9 falls back to a compiled-in set of root hints when no hint zone is declared, so deleting the file by itself does not make named refuse queries for zones it is not authoritative for; confirm that recursion no; is also set in the options block.

Windows DNS: This check only applies if the name server is an authoritative name server. For a Windows 2000/2003 DNS configuration: select the "Root Hints" tab of the "DNS Server Properties" dialog box and ensure the root name server entries have been removed. To remove entries, right-click the entry and click the "Remove" button.
Fix Text
The SA should remove the root hints file.

For a BIND installation, the SA should remove the root hints file and its hint zone declaration from named.conf. Common names for the root hints file are root.hints, named.cache, or db.cache. The name is configurable within the named.conf file.

For a Windows 2000/2003 DNS configuration, the SA should select the Root Hints tab of the DNS Server Properties dialog box and, to remove entries, right-click the entry and click the Remove button.
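The BIND side of the Check Content and Fix Text above can be scripted. The following is an added example written for this page; it is not DISA or ISC code. It parses a named.conf for a declared hint zone, looks for the root hints file under its declared name and the common names listed above, and also flags a server that has not set recursion no; (BIND 9 uses compiled-in root hints when no hint zone is configured, so removing the file alone leaves the server able to recurse). It assumes the hint zone is declared as zone "." { type hint; file "<name>"; };, that relative zone file names resolve against the options { directory "..."; } setting, that include statements are not followed, and that recursion is a global option rather than a per-view one. The two sample configurations it audits (one weak, one hardened) are constructed inline and do not come from any real deployment.

```shell
#!/bin/sh
# Added example, not DISA or ISC code: audit a BIND 9 named.conf against the
# DNS0505 condition (no root hints on an authoritative-only server).
# Assumptions: hint zone declared as `zone "." { type hint; file "<name>"; };`,
# relative zone file names resolve against `options { directory "..."; }`,
# include statements are not followed, and `recursion` is a global option.

# Strip // and # comments and put each `}`-terminated block on one line,
# so a multi-line zone statement can be matched by a single grep.
flatten_conf() {
    sed -e 's|//.*||' -e 's|#.*||' "$1" | tr '\n}' ' \n'
}

# Directory that relative zone file names resolve against ("." if unset).
zone_dir() {
    d=$(flatten_conf "$1" | sed -n 's/.*directory[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1)
    printf '%s\n' "${d:-.}"
}

# File names declared for `type hint` zones (normally only the root zone).
hint_files() {
    flatten_conf "$1" | grep -i 'type[[:space:]]*hint' \
        | sed -n 's/.*file[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Report DNS0505 findings for one named.conf. Each finding is described on
# stderr; the finding count is printed on stdout (0 means compliant).
check_dns0505() {
    conf=$1
    dir=$(zone_dir "$conf")
    n=0
    # 1. A hint zone is still declared, so named will load root hints from it.
    for f in $(hint_files "$conf"); do
        echo "FINDING: hint zone declared in $conf (file \"$f\")" >&2
        n=$((n + 1))
    done
    # 2. A root hints file is still on disk, under its declared or a common name.
    for f in $(printf '%s\n' $(hint_files "$conf") root.hints named.cache db.cache named.root | sort -u); do
        case "$f" in /*) p=$f ;; *) p=$dir/$f ;; esac
        if [ -e "$p" ]; then
            echo "FINDING: root hints file present: $p" >&2
            n=$((n + 1))
        fi
    done
    # 3. Recursion not explicitly disabled. BIND 9 defaults to recursion yes
    #    and, with no hint zone configured, falls back to compiled-in root
    #    hints, so deleting the file alone does not make it refuse off-zone queries.
    if ! flatten_conf "$conf" | grep -Eiq 'recursion[[:space:]]+no[[:space:]]*;'; then
        echo "FINDING: 'recursion no;' not set in $conf" >&2
        n=$((n + 1))
    fi
    echo "$n"
}

# Constructed sample configurations (not from any real server), written under
# a temporary directory whose path is printed.
make_samples() {
    t=$(mktemp -d)
    mkdir "$t/weak" "$t/hardened"
    : > "$t/weak/named.root"          # root hints file still present on disk
    cat > "$t/weak/named.conf" <<EOF
options {
    directory "$t/weak";
    // recursion left at its default of yes
};
zone "." {
    type hint;
    file "named.root";
};
zone "example.test" { type master; file "db.example.test"; };
EOF
    cat > "$t/hardened/named.conf" <<EOF
options {
    directory "$t/hardened";
    recursion no;             # answer only for zones we are authoritative for
    allow-recursion { none; };
};
zone "example.test" { type master; file "db.example.test"; };
EOF
    echo "$t"
}

# Stand-alone run: audit both samples. Expect 3 findings for weak, 0 for hardened.
SAMPLES=$(make_samples)
echo "weak findings:     $(check_dns0505 "$SAMPLES/weak/named.conf")"
echo "hardened findings: $(check_dns0505 "$SAMPLES/hardened/named.conf")"
```

On a real server, point check_dns0505 at the live named.conf (commonly /etc/named.conf or /etc/bind/named.conf) and treat any non-zero count as a finding; the hardened sample shows the minimal options block that satisfies the check together with removing the hint zone and its file.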
Additional Identifiers
Rule ID: SV-4492r2_rule
Vulnerability ID: V-4492
Group Title:
Expert Comments
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |