Check: DNS0905
CISCO CSS DNS: DNS0905 (in version v4 r1.18)
Title
The Cisco CSS DNS is utilized to host the organization's authoritative records, and DISA Computing Services does not support that host in its csd.disa.mil domain and associated high-availability server infrastructure. (Cat II impact)
Discussion
The primary security concern with regard to the type of delegation discussed is that to implement this approach, an organization would have to migrate its authoritative records from a well-known DNS implementation with proven, tested security controls to a relatively new DNS implementation without similar controls. Therefore, this migration should only occur when the performance and availability advantages of CSS significantly outweigh the increased residual security risk of using a less mature technology.
Check Content
Determine whether the CSS DNS device is used as an authoritative name server. If the CSS DNS does maintain authoritative records, then this is a finding. The exception is a CSS DNS device that supports authoritative records for host(s) within the csd.disa.mil domain, which is not a finding.

Instruction: In the presence of the reviewer, the CSS DNS administrator should enter the following command while in global configuration mode:

show dns-record statistics

If any of the hosts have domain names outside of the csd.disa.mil domain, then this is a finding.
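The review step above reduces to a domain-membership test on each record's owner name. The following is an added example (not part of the STIG and not Cisco code) of that test done on label boundaries, so a name such as notcsd.disa.mil or csd.disa.mil.example.com is correctly reported; the record names are constructed sample data, since the exact output format of show dns-record statistics is not given on the page.

```python
"""Flag DNS record owner names that fall outside the csd.disa.mil zone.

Constructed example: the names below are made-up sample data, not real
output of `show dns-record statistics`, whose format the check does not
show, so the code simply takes one owner name per line.
"""

ALLOWED_ZONE = "csd.disa.mil"


def normalize(name: str) -> str:
    """Lower-case and strip a trailing dot so 'Mail.CSD.DISA.MIL.' compares equal."""
    return name.strip().lower().rstrip(".")


def in_zone(name: str, zone: str = ALLOWED_ZONE) -> bool:
    """True if name is the zone apex or a subdomain of it.

    The match is on label boundaries: a plain substring/suffix test would
    wrongly accept 'notcsd.disa.mil' (no boundary) and would miss that
    'csd.disa.mil.example.com' is in a completely different zone.
    """
    n, z = normalize(name), normalize(zone)
    return n == z or n.endswith("." + z)


def find_findings(record_names: list[str], zone: str = ALLOWED_ZONE) -> list[str]:
    """Return the normalized owner names that would make this check a finding."""
    return sorted({normalize(n) for n in record_names if n.strip() and not in_zone(n, zone)})


# Constructed sample: one owner name per line, as the administrator might
# transcribe them from the device output during the review.
SAMPLE_RECORDS = """
www.csd.disa.mil
Mail.CSD.DISA.MIL.
app1.den.csd.disa.mil
notcsd.disa.mil
portal.csd.disa.mil.example.com
intranet.example.mil
"""

if __name__ == "__main__":
    findings = find_findings(SAMPLE_RECORDS.split())
    if findings:
        print("FINDING: records outside %s:" % ALLOWED_ZONE)
        for owner in findings:
            print("  ", owner)
    else:
        print("Not a finding: all records are within", ALLOWED_ZONE)
```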
Fix Text
The CSS DNS administrator should use the following command while in global command mode to remove domain records that do not support hosts in the csd.disa.mil domain:

no dns-record
Additional Identifiers
Rule ID: SV-4507r1_rule
Vulnerability ID: V-4507
Group Title: The Cisco CSS DNS hosts authoritative records.
Expert Comments
CCIs
| Number | Definition |
|---|---|
| No CCIs are assigned to this check | |
Controls
| Number | Title |
|---|---|
| No controls are assigned to this check | |