Check: DNS0482
BIND DNS STIG:
DNS0482
(in version v4 r1.2)
Title
The forwarding configuration of DNS servers must prohibit the forwarding of queries to servers controlled by organizations outside of the U.S. Government. (Cat II impact)
Discussion
If the remote servers to which DoD DNS servers send queries are controlled by entities outside of the U.S. Government, the possibility of a DNS attack is increased. The Enterprise Recursive Service (ERS) provides the ability to apply enterprise-wide policy to all recursive DNS traffic that traverses the NIPRNet-to-Internet boundary. All recursive DNS servers on the NIPRNet must be configured to forward DNS traffic that traverses the NIPRNet-to-Internet boundary exclusively to the ERS anycast IPs. Organizations need to carefully configure any forwarding used by their caching name servers: "forwarding of all queries" should only be configured to servers within the DoD, and systems that use domain-based forwarding should not forward queries for mission-critical domains to any server that is not under the control of the U.S. Government.
Check Content
BIND: This check applies to caching servers only. Review the named.conf file to validate that BIND is configured to forward all DNS traffic to the DISA Enterprise Recursive Service (ERS) anycast IP addresses (214.16.26.1, 214.27.166.1, 214.71.0.1). The global options section of named.conf should contain the following:

    forward only;
    forwarders { 214.16.26.1; 214.27.166.1; 214.71.0.1; };

If the named.conf options are not set to forward queries only to the ERS anycast IPs, this is a finding. Some DNS servers are preconfigured with forwarders; the defaults must be changed.

Windows DNS: This check does not apply to Windows DNS servers, as they should not be deployed as caching name servers. The use of forwarders is prohibited on Windows 2003 and 2008 DNS; Windows DNS servers should not have any forwarding enabled. This can be configured from the client-side stub resolver instead. However, should this change, Windows DNS servers will also be required to forward queries only to the ERS anycast IPs.
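The following is an added worked example, not part of the STIG text or any DISA tool: a small Python checker that applies the BIND portion of this check to a named.conf. It strips comments, locates the top-level options statement by brace matching (so a forwarders statement inside a zone or view block is not mistaken for the global one), and reports a finding unless the options contain forward only and a forwarders set that is exactly the three ERS anycast addresses quoted above. The sample configurations are constructed for illustration; the address 192.0.2.53 is a documentation-range placeholder standing in for any non-ERS forwarder.

```python
import re
from typing import Optional, Tuple

# ERS anycast addresses as listed in the check text.
ERS_FORWARDERS = {"214.16.26.1", "214.27.166.1", "214.71.0.1"}


def strip_comments(conf: str) -> str:
    """Remove the C, C++ and shell-style comments named.conf permits."""
    conf = re.sub(r"/\*.*?\*/", " ", conf, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", " ", conf)


def top_level_block(conf: str, name: str) -> Optional[str]:
    """Return the body of the top-level `name { ... }` statement, or None.

    Brace depth is tracked so that a `forwarders { ... }` inside a zone or
    view statement is never taken for the global options block.
    """
    pattern = re.compile(r"\b" + re.escape(name) + r"\s*\{")
    depth = 0
    for i, ch in enumerate(conf):
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
        elif depth == 0:
            m = pattern.match(conf, i)
            if m:
                start = end = m.end()
                inner = 1
                while end < len(conf) and inner:
                    inner += {"{": 1, "}": -1}.get(conf[end], 0)
                    end += 1
                return conf[start:end - 1]
    return None


def audit_forwarding(conf: str) -> Tuple[bool, str]:
    """Apply DNS0482 to a named.conf: True only when the global options
    forward only, and only to the ERS anycast set; otherwise False + reason."""
    text = strip_comments(conf)
    opts = top_level_block(text, "options")
    if opts is None:
        return False, "no global options statement found"
    m = re.search(r"\bforwarders\s*\{([^}]*)\}", opts)
    if m is None:
        return False, "no forwarders statement in global options"
    # Each entry is `address [port N]`; keep only the address.
    forwarders = {item.split()[0] for item in m.group(1).split(";") if item.strip()}
    mode = re.search(r"\bforward\s+(only|first)\s*;", opts)
    mode = mode.group(1) if mode else "first"  # BIND default when forwarders are set
    if mode != "only":
        return False, f"forward {mode}: named may still recurse to the Internet itself"
    if forwarders != ERS_FORWARDERS:
        return False, ("forwarders are not exactly the ERS anycast set: "
                       f"extra={sorted(forwarders - ERS_FORWARDERS)} "
                       f"missing={sorted(ERS_FORWARDERS - forwarders)}")
    return True, "forward only to the ERS anycast addresses"


# Constructed sample configurations (not taken from any real server).
COMPLIANT = """
options {
    directory "/var/named";
    recursion yes;
    allow-query { localnets; };
    forward only;
    forwarders { 214.16.26.1; 214.27.166.1; 214.71.0.1; };
};
"""

FORWARD_FIRST = """
options {
    directory "/var/named";
    /* no `forward only`, so BIND defaults to `forward first` */
    forwarders { 214.16.26.1; 214.27.166.1; 214.71.0.1; };
};
"""

NON_ERS = """
options {
    forward only;
    forwarders { 214.16.26.1; 214.27.166.1; 192.0.2.53 port 53; };  # constructed non-ERS address
};
"""

ZONE_ONLY = """
options { directory "/var/named"; };
zone "example.mil" {
    type forward;
    forward only;
    forwarders { 214.16.26.1; 214.27.166.1; 214.71.0.1; };
};
"""

if __name__ == "__main__":
    for label, conf in [("compliant", COMPLIANT), ("forward first", FORWARD_FIRST),
                        ("non-ERS forwarder", NON_ERS), ("zone-only forwarding", ZONE_ONLY)]:
        ok, reason = audit_forwarding(conf)
        print(f"{label:22} {'PASS' if ok else 'FINDING'}: {reason}")
```

On a live server, feed the checker the output of `named-checkconf -p`, which prints the parsed configuration with include files expanded, rather than the raw file. The checker deliberately examines only the global options: a forwarders statement inside a view or a type forward zone overrides the global setting for that view or domain, so a reviewer should still read those blocks against the domain-based forwarding requirement in the Discussion.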
Fix Text
The SA will ensure the forwarding configuration of DNS prohibits forwarding of queries to any servers other than those defined by Enterprise Recursive Service (ERS).
Additional Identifiers
Rule ID: SV-13339r3_rule
Vulnerability ID: V-12774
Group Title:
Expert Comments
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |