Check: DNS0480
BIND DNS STIG:
DNS0480
(in version v4 r1.2)
Title
A caching name server does not restrict recursive queries to only the IP addresses and IP address ranges of known supported clients. (Cat II impact)
Discussion
Any host that can send queries to a resolving (caching) name server has the potential to poison the server's name cache or to exploit other vulnerabilities reachable through the query service. The best way to prevent this type of attack is to limit queries, and in particular recursive queries, to the internal hosts that actually need the service.
Check Content
BIND Instruction: This check is only applicable to caching name servers. Verify that the allow-query and allow-recursion phrases are properly configured. The reviewer should identify the allow-query and allow-recursion phrases in named.conf; they should look as follows:

    allow-query { trustworthy_hosts; };
    allow-recursion { trustworthy_hosts; };

The name of the ACL does not need to be "trustworthy_hosts", but it must match the name of an ACL defined earlier in named.conf for this purpose. If either phrase is absent or does not reference such an ACL, this is a finding. The reviewer will also check whether non-internal IP addresses appear either in the referenced ACL (e.g., trustworthy_hosts) or directly in the statements themselves. If non-internal IP addresses do appear, this is a finding.

Windows 2000/2003 DNS Instruction: Windows 2000/2003 DNS should not be deployed as a caching name server. Consequently, the use of forwarders and recursion is prohibited on Windows DNS. The reviewer will validate that "Disable recursion" and "Secure cache against pollution" on the "Advanced" tab of the name server properties are selected. Examine the "Advanced" tab of the DNS Server "Properties" dialog box. If "Disable recursion" and "Secure cache against pollution" are not both checked, this is a finding. The reviewer will also validate, if available, that "Enable forwarders" on the "Forwarders" tab of the name server properties is not selected. Examine the "Forwarders" tab of the DNS Server "Properties" dialog box. If "Enable forwarders" is checked, this is a finding.

In cases in which the name server is not running BIND or Windows 2000/2003 DNS, the reviewer must still examine the configuration and its documentation to validate this requirement.
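The BIND portion of this check can be scripted. The following is an added example, not part of the STIG or of BIND, that parses the acl definitions and the allow-query / allow-recursion phrases out of a named.conf, resolves ACL names, and flags any element that is not inside a documented internal range. The two named.conf fragments are constructed for the example, the internal ranges (RFC 1918 plus loopback) are an assumption the reviewer must replace with the site's documented client ranges, and the parser is deliberately simple (it handles flat acl blocks and the two phrases, not every named.conf construct).

```python
"""Audit BIND allow-query / allow-recursion against documented internal ranges.

Added example for STIG check DNS0480; not DISA or ISC code.
"""
import ipaddress
import re

# Constructed sample configurations (not taken from any real server).
COMPLIANT_CONF = """
acl trustworthy_hosts { 10.0.0.0/8; 192.168.10.0/24; localhost; };
options {
    directory "/var/named";
    allow-query { trustworthy_hosts; };      // matches the ACL above
    allow-recursion { trustworthy_hosts; };
};
"""

NONCOMPLIANT_CONF = """
acl trustworthy_hosts { 10.0.0.0/8; 203.0.113.0/24; };  # external range in ACL
options {
    allow-query { trustworthy_hosts; };
    allow-recursion { any; };                 # recursion open to everyone
};
"""

# Assumption: what counts as "internal". Replace with the site's documented
# supported-client ranges before relying on the result.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
SAFE_BUILTINS = {"localhost", "localnets", "none"}   # BIND built-in ACLs we accept
UNSAFE_BUILTINS = {"any"}                            # matches every client

ACL_RE = re.compile(r'\bacl\s+"?([\w-]+)"?\s*\{([^}]*)\}\s*;', re.S)
STMT_RE = re.compile(r'\b(allow-query|allow-recursion)\s*\{([^}]*)\}\s*;', re.S)


def strip_comments(conf):
    """Remove /* */, // and # comments so commented-out lines are not parsed."""
    conf = re.sub(r'/\*.*?\*/', '', conf, flags=re.S)
    return re.sub(r'(//|#).*', '', conf)


def _elements(body):
    return [e.strip() for e in body.split(";") if e.strip()]


def parse_acls(conf):
    """Map ACL name -> list of address-match elements."""
    return {name: _elements(body) for name, body in ACL_RE.findall(conf)}


def parse_statements(conf):
    """Map phrase name -> list of element lists (one per occurrence, e.g. per view)."""
    stmts = {}
    for name, body in STMT_RE.findall(conf):
        stmts.setdefault(name, []).append(_elements(body))
    return stmts


def check_elements(elems, acls, internal, seen=frozenset()):
    """Return a list of problem strings for a list of address-match elements."""
    problems = []
    for elem in elems:
        elem = elem.strip('"')
        if elem.startswith("!"):          # a negated element only excludes clients
            continue
        if elem in SAFE_BUILTINS:
            continue
        if elem in UNSAFE_BUILTINS:
            problems.append(f"{elem}: built-in ACL matches every client")
        elif elem in acls:                # named ACL: recurse, guarding against loops
            if elem not in seen:
                problems.extend(check_elements(acls[elem], acls, internal, seen | {elem}))
        else:
            try:
                net = ipaddress.ip_network(elem, strict=False)
            except ValueError:
                problems.append(f"{elem}: unknown ACL name or unparsable address")
                continue
            if not any(net.subnet_of(r) for r in internal if r.version == net.version):
                problems.append(f"{elem}: not within a documented internal range")
    return problems


def audit(conf, internal=INTERNAL_RANGES):
    """Return {phrase: [problems]}. An empty dict means no finding for this check."""
    conf = strip_comments(conf)
    acls = parse_acls(conf)
    stmts = parse_statements(conf)
    findings = {}
    for phrase in ("allow-query", "allow-recursion"):
        if phrase not in stmts:
            findings[phrase] = ["phrase not present; it must be set explicitly"]
            continue
        problems = []
        for elems in stmts[phrase]:
            problems.extend(check_elements(elems, acls, internal))
        if problems:
            findings[phrase] = problems
    return findings


if __name__ == "__main__":
    for label, conf in (("compliant", COMPLIANT_CONF), ("non-compliant", NONCOMPLIANT_CONF)):
        print(label, "->", audit(conf) or "no finding")
```

Run against the real file with `audit(open("/etc/named.conf").read())`; anything returned is a finding to record against this check. Note that the script only confirms the phrases restrict access to the listed ranges; whether those ranges really are the "known supported clients" is a documentation question the reviewer still has to answer.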
Fix Text
The DNS software administrator should configure the caching name server to accept recursive queries only from the IP addresses and address ranges of known supported clients. Configuration details for BIND and Windows DNS may be found in the DNS STIG.
Additional Identifiers
Rule ID: SV-4487r2_rule
Vulnerability ID: V-4487
Group Title:
Expert Comments
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |