Check: DNS0400
DNS Policy: DNS0400 (in versions v4 r1.22 through v4 r1.2)
Title
The name server software on production name servers is not BIND, Windows 2003 or later DNS, or alternatives with equivalent security functionality and support, configured in a manner to satisfy the general security requirements listed in the STIG. (Cat II impact)
Discussion
If an organization runs DNS name server software other than BIND, Windows 2003 DNS or later, or an equivalent alternative such as Infoblox running BIND, it cannot benefit from the assurance testing performed on those implementations of DNS. As a result, there may be unknown vulnerabilities in the alternative product for which there are no compensating controls. Moreover, there is no detailed security implementation guidance for other name server implementations, which makes it considerably harder to conduct reviews or self-assessments. An incomplete review means that the organization operates at a lower level of assurance than it could have realized with one of the approved products.
Check Content
Review the DNS name server software on the platform to determine what DNS software is running. If the name server is running a DNS implementation other than ISC BIND, Windows 2003 or later DNS, or an equivalent dedicated DNS device such as Infoblox, then this is a finding. Cisco CSS DNS is limited to only those hosts defined in the csd.disa.mil domain. CSS DNS is subject both to these general security requirements, where applicable, and to the specific STIG guidance for that product.
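One way to perform the "determine what DNS software is running" step on a Unix-like name server, as an added example that is not part of the STIG text: inspect which process is bound to port 53 and compare it against the approved list. It assumes the `ss -lntup` column layout from iproute2 and a process-name-to-software mapping that is a starting point, not an official list; Windows DNS and Infoblox appliances are reviewed on their own platforms and are not covered by this script.

```shell
#!/bin/sh
# Added example (not from the STIG): check which software serves port 53.
# Approved under DNS0400: ISC BIND, Windows 2003+ DNS, or an equivalent such
# as Infoblox (BIND-based). On a Linux/Unix host only the BIND case applies.

# Map a process name (as shown by ss) to a software label. Assumed mapping.
dns_software_for_process() {
    case "$1" in
        named)                     echo "ISC BIND" ;;
        dnsmasq)                   echo "dnsmasq" ;;
        unbound)                   echo "Unbound" ;;
        pdns_server|pdns_recursor) echo "PowerDNS" ;;
        systemd-resolve*)          echo "systemd-resolved" ;;
        *)                         echo "unknown ($1)" ;;
    esac
}

# Assess `ss -lntup` output passed as $1. Prints one line per distinct
# process bound to port 53. Returns 0 if every listener is approved,
# 1 if any listener is a finding, 2 if nothing listens on port 53.
assess_dns_listeners() {
    found=0; bad=0; seen=""
    while IFS= read -r line; do
        local_addr=$(printf '%s\n' "$line" | awk '{print $5}')
        case "$local_addr" in
            *:53) ;;            # a DNS service socket (IPv4 or [::]:53)
            *) continue ;;      # header line, rndc port 953, etc.
        esac
        proc=$(printf '%s\n' "$line" | sed -n 's/.*users:(("\([^"]*\)".*/\1/p')
        [ -n "$proc" ] || proc="unresolved"   # ss run without privileges
        case " $seen " in *" $proc "*) continue ;; esac   # report once
        seen="$seen $proc"; found=1
        software=$(dns_software_for_process "$proc")
        case "$software" in
            "ISC BIND") printf 'approved  %-12s %s\n' "$proc" "$software" ;;
            *)          printf 'FINDING   %-12s %s\n' "$proc" "$software"; bad=1 ;;
        esac
    done <<EOF
$1
EOF
    [ "$found" -eq 1 ] || return 2
    [ "$bad" -eq 0 ]
}

# Live run on the host under review (needs iproute2 and privileges for -p).
audit_local_dns() {
    assess_dns_listeners "$(ss -lntup 2>/dev/null)"
}
```

Run `audit_local_dns` on the name server and treat a non-zero exit as a finding to investigate, remembering that an "unresolved" process usually just means `ss` was run without the privileges needed to see process names.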
Fix Text
Working with DNS software administrators and other appropriate technical personnel, the IAO should oversee a migration to approved name server software.
Additional Identifiers
Rule ID: SV-13615r1_rule
Vulnerability ID: V-13047
Group Title: Incorrect name server software.
CCIs
| Number | Definition |
|---|---|
| No CCIs are assigned to this check | |
Controls
| Number | Title |
|---|---|
| No controls are assigned to this check | |