Title

Hosts outside an enclave can directly query or request a zone transfer from a name server that resides on the internal network (i.e., not in a DMZ). (Cat II impact)

Discussion

If external hosts are able to query a name server on the internal network, then there is the potential that an external adversary can obtain information about internal hosts that could assist the adversary in a network attack. External hosts should never be able to learn about the internal network in this manner.

Check Content

Work with the Network administrator to determine whether external hosts are able to query a name server on the internal network. DNS runs on ports 53/TCP for zone transfers and 53/UDP for queries. These ports should be blocked at the firewall or router to internal DNS servers. If external hosts are able to query a name server on the internal network, then this is a finding.

Fix Text

Working with appropriate technical personnel, the IAO should establish firewall rules and/or router ACLs that prohibit access to the name server from external hosts.

Additional Identifiers

Rule ID: SV-13616r1_rule

Vulnerability ID: V-13048

Group Title: Hosts can directly query an inside name server.

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.