Check: DNS4610
BIND DNS STIG:
DNS4610
(in version v4 r1.2)
Title
AAAA addresses are configured on a host that is not IPv6 aware. (Cat III impact)
Discussion
DNS is only responsible for resolving a domain name to an ip address. Applications and operating systems are responsible for processing the IPv6 or IPv4 record that may be returned. With this in mind, a denial of service could easily be implemented for an application that is not IPv6 aware. When the application receives an i.p. address in hexadecimal, it is up to the application/operating system to decide how to handle the response. Combining both IPv6 and IPv4 records into the same domain can lead to application problems that are beyond the scope of the DNS administrator.
Check Content
BIND • Instruction: Examine all zone statements contained in the named.conf file for a line containing the word file designating the actual file that stores the zones records. Examine the file that contains zones records and verify IPv6 and IPv4 resource records are not in the same file. If the records are found in the same file, then this is a finding. Windows DNS Instruction: From the Windows task bar, select Start, Programs/All Programs, Administrative Tools, DNS to open the DNS management console. Expand the Forward Lookup Zones folder. Expand each zone folder and examine the host record entries. The third column titled Data will display the IP. Verify this column does not contain both IPv4 and IPv6 addresses.
Fix Text
The SA should remove the IPv6 records from the IPv4 zone and create a second zone with all IPv6 records.
Additional Identifiers
Rule ID: SV-15514r1_rule
Vulnerability ID: V-14757
Group Title:
Expert Comments
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |