Check: DNS0450
BIND DNS STIG: DNS0450 (in version v4 r1.2)
Title
Dynamic updates are not cryptographically authenticated. (Cat I impact)
Discussion
The dynamic update capability has considerable appeal in an environment in which IP addresses change so frequently that it would be unacceptably burdensome or expensive to dedicate the time of a DNS database administrator to this function. This condition would likely be met at sites that rely on the Dynamic Host Configuration Protocol (DHCP) to assign IP addresses to client devices such as workstations, laptops, and IP telephones. It would also apply to sites that utilize frequently changing service (SRV) records. On the other hand, dynamic updates can pose a security risk if the proper security controls are not implemented. When dynamic updates are permitted without any mitigating controls, a host with network access to the name server can modify any zone record with an appropriately crafted dynamic update request. The solution is to require cryptographic authentication of all dynamic update requests, but not all DNS software supports this functionality.
Check Content
BIND Instruction: The reviewer should review the configuration files and check each zone statement for the presence of the allow-update phrase, which is the clause used to enable cryptographically authenticated dynamic updates. The reviewer should identify the allow-update phrase. The following example disables dynamic updates:

    allow-update { none; };

In addition, the absence of the allow-update clause will deny updates by default. If dynamic updates are not disabled, as shown in the above example, they must be cryptographically authenticated as shown in the below example. The following example demonstrates cryptographically authenticated dynamic updates:

    allow-update { key ns1.kalamazoo.disa.mil_ns2.kalamazoo.disa.mil; };

If dynamic updates are not disabled or cryptographically authenticated, then this is a finding.

Windows 2000/2003 DNS Instruction: In the presence of the reviewer, the SA must review the "Properties" dialog box, select the "General" tab, and check to see if dynamic updates are allowed. If dynamic updates are enabled, ensure that "Only secure updates" has been selected. If this is not the case, then this is a finding.
Fix Text
For BIND implementations, the DNS software administrator must ensure that each zone statement in named.conf contains the phrase allow-update { none; }; to disable dynamic updates, or allow-update { key ks1.kalamazoo.disa.mil_ns2.kalamazoo.disa.mil; }; (this is an example key name) to require cryptographic authentication of dynamic updates. For Windows 2000 DNS, disable dynamic updates, or, if dynamic updates are allowed via the General tab within the Properties dialog box, the DNS software administrator should select Only secure updates. In cases in which the name server is not running BIND or Windows 2000 DNS, the DNS software administrator must determine how to disable dynamic updates or cryptographically authenticate them. If this is not possible, then the product must be replaced as soon as it is feasible to do so.
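The Check Content and Fix Text above describe a manual review of every zone statement in named.conf. The script below is an added example (not part of the STIG and not BIND's own tooling) that automates that review: it strips named.conf comments, walks each top-level zone and key statement, and reports a zone as a finding when its allow-update list contains anything other than none or a TSIG key, or when it names a key that is never declared. The configuration fragment, the example.test zone names, the key name and the placeholder secret are all constructed for the example. It goes slightly beyond the check text in two ways: it treats a zone that uses BIND's update-policy clause instead of allow-update as needing manual review rather than passing it silently, and it checks that referenced keys are actually defined.

```python
import re

# Constructed sample named.conf fragment (assumed input, not taken from the STIG page).
# Each zone illustrates one outcome the DNS0450 review distinguishes.
SAMPLE_NAMED_CONF = '''
// TSIG key shared by the primary and the DHCP server (placeholder secret)
key "ns1.example.test_ns2.example.test" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-NOT-A-REAL-SECRET==";
};

zone "static.example.test" {
    type master;
    file "static.example.test.db";
    allow-update { none; };                /* dynamic updates disabled */
};

zone "dhcp.example.test" {
    type master;
    file "dhcp.example.test.db";
    allow-update { key "ns1.example.test_ns2.example.test"; };  # TSIG-authenticated
};

zone "open.example.test" {
    type master;
    file "open.example.test.db";
    allow-update { 10.0.0.0/8; };          // address-based only: a finding
};

zone "orphan.example.test" {
    type master;
    file "orphan.example.test.db";
    allow-update { key "undefined-key"; }; // key never declared: a finding
};

zone "implicit.example.test" {
    type master;
    file "implicit.example.test.db";       // no allow-update: denied by default
};
'''


def strip_comments(text: str) -> str:
    """Remove the three comment styles named.conf accepts: /* */, // and #.
    (Assumes '#' and '//' never appear inside quoted strings, which holds for
    zone names and base64 TSIG secrets.)"""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"//[^\n]*", "", text)
    text = re.sub(r"#[^\n]*", "", text)
    return text


def top_level_blocks(text: str):
    """Yield (keyword, name, body) for each top-level 'zone "name" [class] { ... };'
    or 'key "name" { ... };' statement, matching braces so nested lists are skipped."""
    pattern = re.compile(r'\b(zone|key)\s+"([^"]+)"(?:\s+\w+)?\s*\{')
    pos = 0
    while True:
        m = pattern.search(text, pos)
        if not m:
            return
        depth, j = 1, m.end()
        while j < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[j], 0)
            j += 1
        yield m.group(1), m.group(2), text[m.end():j - 1]
        pos = j


def classify_zone(body: str, defined_keys: set) -> tuple:
    """Return (status, is_finding) for one zone body according to DNS0450."""
    m = re.search(r"allow-update\s*\{([^}]*)\}\s*;", body)
    if not m:
        if re.search(r"\bupdate-policy\b", body):
            # update-policy grants are outside the STIG's text; flag for a human.
            return "update-policy present; review its grant rules manually", True
        return "disabled (no allow-update clause; denied by default)", False
    elements = [e.strip() for e in m.group(1).split(";") if e.strip()]
    if all(e == "none" for e in elements):
        return "disabled (allow-update { none; })", False
    keys = []
    for e in elements:
        if e == "none":
            continue  # 'none' matches nothing; it adds no permission
        km = re.fullmatch(r'key\s+"?([^"\s]+)"?', e)
        if not km:
            return f"unauthenticated element '{e}' in allow-update", True
        keys.append(km.group(1))
    missing = [k for k in keys if k not in defined_keys]
    if missing:
        return f"references undefined key(s) {missing}", True
    return f"authenticated via TSIG key(s) {keys}", False


def audit(named_conf: str) -> dict:
    """Map each zone name to (status, is_finding) for the whole configuration."""
    blocks = list(top_level_blocks(strip_comments(named_conf)))
    defined_keys = {name for kw, name, _ in blocks if kw == "key"}
    return {name: classify_zone(body, defined_keys)
            for kw, name, body in blocks if kw == "zone"}


if __name__ == "__main__":
    for zone, (status, finding) in audit(SAMPLE_NAMED_CONF).items():
        print(f"{'FINDING' if finding else 'ok     '}  {zone}: {status}")
```

Run it against a real named.conf by passing the file contents to audit(); on the constructed sample it reports open.example.test and orphan.example.test as findings and the other three zones as compliant. Note that this checker reads a single file, so include statements pulling zones from other files must be concatenated before calling audit().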
Additional Identifiers
Rule ID: SV-4481r2_rule
Vulnerability ID: V-4481
Group Title:
Expert Comments
CCIs
| Number | Definition |
|---|---|
| No CCIs are assigned to this check | |
Controls
| Number | Title |
|---|---|
| No controls are assigned to this check | |