Check: DNS0240
BIND DNS STIG:
DNS0240
(in version v4 r1.2)
Title
The DNS database administrator has not ensured each NS record in a zone file points to an active name server authoritative for the domain specified in that record. (Cat I impact)
Discussion
Poorly constructed NS records pose a security risk because they create conditions under which an adversary might be able to provide the missing authoritative name services that are improperly specified in the zone file. The adversary could issue bogus responses to queries that clients would accept because they learned of the adversary’s name server from a valid authoritative name server, one that need not be compromised for this attack to be successful. The list of slave servers must remain current within 72 hours of any changes to the zone architecture that would affect the list of slaves. If a slave server has been retired or is not operational but remains on the list, then an adversary might have a greater opportunity to impersonate that slave without detection, rather than if the slave were actually online. For example, the adversary may be able to spoof the retired slave’s IP address without an IP address conflict, which would likely not occur if the true slave were active.
Check Content
BIND The zone file location can be found by examining the named.conf and searching for the zone statement. Within the zone statement will be a file option that will display the name of the zone file. Review the zone files, and confirm with the DNS administrator that each NS record points to an active name server authoritative for the domain, it this is not the case, then this is a finding. Windows Open the DNS management snap in for the Administrative Tools menu. Expand the Forward Lookup Zones folder. Review the type column for each record to locate those with a type of Name Server (NS). Confirm with the DNS administrator that each NS record points to an active name server authoritative for the domain, it this is not the case, then this is a finding.
Fix Text
The DNS database administrator should remove any NS records in a zone file that do not point to an active name server authoritative for the domain specified in that record.
Additional Identifiers
Rule ID: SV-4470r2_rule
Vulnerability ID: V-4470
Group Title:
Expert Comments
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |