Check: DNS0185
DNS Policy:
DNS0185
(in versions v4 r1.22 through v4 r1.2)
Title
The contents of zones are not reviewed at least annually. (Cat III impact)
Discussion
DNS administrators must review the contents of their zones at least annually for content, or aggregations of content, that may give an adversary information that could compromise operational security. This specifically includes names that indicate to an outsider the function of the referenced system, unless that function is obvious in the context of other standard DNS information (e.g., naming a DNS server dns.zone.mil or an SMTP mail server mail.zone.mil is not an OPSEC violation, since the functions of these servers are easily identifiable from ordinary DNS queries). The DNS administrator is the final adjudicator of the sensitivity of DNS information, in concert with the organization's OPSEC processes, but should make a conscious decision to include such information based on operational need. NIST guidance specifically recommends that HINFO, RP and LOC records not be included in the zone.
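The annual review this discussion calls for can be partly automated. The script below is an added illustration, not part of the STIG or of any DISA or NIST tooling: it parses a constructed zone file with a minimal master-file reader, flags the HINFO, RP and LOC record types the discussion names, and flags owner names whose labels match a hypothetical, organization-defined list of function-revealing words (the `FUNCTION_HINTS` set is constructed for the example), while exempting conventional names such as dns and mail whose function is already obvious. The sample zone, its addresses and all function names are assumptions made for the example.

```python
"""Zone-content review helper (added example, not STIG-supplied tooling).

Flags two things the DNS STIG discussion treats as OPSEC-sensitive:
  1. HINFO, RP and LOC records, which NIST guidance says should not be published.
  2. Owner names whose labels match an organization-defined list of
     function-revealing words, except for conventional names (dns, mail, ...).
"""
import re

# Record types NIST/STIG guidance says should not appear in a published zone.
SENSITIVE_RRTYPES = {"HINFO", "RP", "LOC"}

# Names whose function is obvious from standard DNS usage; not an OPSEC concern.
CONVENTIONAL_LABELS = {"dns", "ns", "ns1", "ns2", "mail", "mx", "smtp", "www"}

# Constructed, hypothetical word list. Each organization sets its own list in
# concert with its OPSEC process; these values are only for the example.
FUNCTION_HINTS = {"radar", "payroll", "scada", "backup", "hr", "finance", "sql", "db"}

CLASSES = {"IN", "CH", "HS"}

# Constructed sample zone; addresses are from the RFC 5737 documentation range.
SAMPLE_ZONE = """\
$ORIGIN zone.mil.
$TTL 3600
@           IN SOA   dns.zone.mil. hostmaster.zone.mil. 2024010101 7200 3600 1209600 3600
            IN NS    dns.zone.mil.
            IN MX    10 mail.zone.mil.
dns         IN A     192.0.2.53
mail        IN A     192.0.2.25
www         IN A     192.0.2.80
payroll-db1 IN A     192.0.2.10   ; name reveals business function
radar-ctl   IN A     192.0.2.11
radar-ctl   IN HINFO "SPARC" "Solaris"
@           IN RP    hostmaster.zone.mil. ops-txt.zone.mil.
hq          IN LOC   42 21 54 N 71 06 18 W -24m 30m
hq          IN A     192.0.2.12
"""


def qualify(name, origin):
    """Turn a relative owner name into a fully qualified one under origin."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}" if origin != "." else f"{name}."


def parse_zone(text, origin="."):
    """Minimal RFC 1035 master-file reader: $ORIGIN, $TTL, ';' comments,
    blank-owner continuation lines and optional TTL/class fields.
    Parenthesized multi-line records are not handled. Returns (owner, type, rdata)."""
    records = []
    last_owner = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()  # drop comments, keep leading indent
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$TTL"):
            continue
        fields = line.split()
        owner = last_owner if line[0].isspace() else fields.pop(0)
        # Optional TTL (numeric) and class precede the record type.
        while fields and (fields[0].isdigit() or fields[0].upper() in CLASSES):
            fields.pop(0)
        if not fields:
            continue
        rrtype = fields.pop(0).upper()
        records.append((qualify(owner, origin), rrtype, " ".join(fields)))
        last_owner = owner
    return records


def review_zone(records, apex):
    """Return (owner, rrtype, reason) findings for the review described in the STIG."""
    findings = []
    for owner, rrtype, _rdata in records:
        if rrtype in SENSITIVE_RRTYPES:
            findings.append((owner, rrtype, "record type discloses host, contact or location data"))
        # Only the labels below the zone apex were chosen by the administrator.
        rel = owner[:-len(apex)] if owner.endswith(apex) else owner
        for label in (l.lower() for l in rel.rstrip(".").split(".") if l):
            if label in CONVENTIONAL_LABELS:
                continue
            tokens = set(re.split(r"[-_\d]+", label)) & FUNCTION_HINTS
            if tokens:
                findings.append((owner, rrtype, f"owner name hints at function: {sorted(tokens)}"))
                break
    return findings


def run_review(zone_text):
    """Parse a zone, locate its apex from the SOA owner, and review it."""
    records = parse_zone(zone_text)
    apex = next(owner for owner, rrtype, _ in records if rrtype == "SOA")
    return review_zone(records, apex)


if __name__ == "__main__":
    for owner, rrtype, reason in run_review(SAMPLE_ZONE):
        print(f"{owner:24} {rrtype:6} {reason}")
```

Running it against the sample lists the RP record at the apex, the LOC record for hq, the HINFO record and both radar-ctl records, and the payroll-db1 host, while dns, mail and www pass silently. The findings are input to the administrator's judgement, not a verdict: the discussion leaves the final sensitivity decision with the administrator and the organization's OPSEC process.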
Check Content
Interview the DNS administrator and ask if there is a procedure in place to review and validate the contents of the zones he/she is responsible for, at least annually.
Fix Text
The IAO will ensure the DNS administrator reviews the contents of the zones they are responsible for, at least annually.
Additional Identifiers
Rule ID: SV-13621r1_rule
Vulnerability ID: V-13053
Group Title: Contents of zones are not reviewed.
Expert Comments
CCIs
| Number | Definition |
|---|---|
| No CCIs are assigned to this check | |
Controls
| Number | Title |
|---|---|
| No controls are assigned to this check | |