DNS Policy Version Comparison
There is 1 difference between versions v4 r1.2 (Oct. 28, 2016) (the "left" version) and v4 r1.22 (April 27, 2018) (the "right" version).
Check DNS0120 was changed between these two versions. For each changed field, the text of the left version is given first, followed by the text of the right version.
Text Differences
Title
A list of personnel authorized to administer each zone and name server is not maintained.
Check Content
Left (v4 r1.2): If the site POC cannot produce a list of personnel authorized to administer each zone and name server, then this is a finding.
Right (v4 r1.22): Interview the ISSO and ask for the DNS server's documented procedures and processes. Verify the documented procedures and processes explicitly document the roles and responsibilities for the DNS server management. These documented roles will be used to validate access controls in respective DNS technology STIGs. In some environments, the SA is also the DNS manager. In such case, the roles should still be documented. If the organization does not have the DNS server roles documented, this is a finding.
Discussion
Left (v4 r1.2): If an organization does not document who is responsible for the DNS function, then there is a significant potential that unauthorized individuals will obtain privileged access to name servers. During a security breach, it will be difficult to assign accountability for improper transactions if it is not known who is responsible for this function.
Right (v4 r1.22): If an organization does not document who is responsible for the DNS function, then there is a significant potential that unauthorized individuals will obtain privileged access to name servers. During a security breach, it will be difficult to assign accountability for improper transactions if it is not known who is responsible for this function. The roles of the SA and the DNS administrator or DNS manager are generally understood but are often used interchangeably. The SA is responsible for the OS, while the DNS administrator or DNS manager usually manages the DNS zones. In some cases, the SA is also the DNS administrator/DNS manager, which is why guidance tends to be written in a certain fashion. The application development group should refer to the supporting organization for the application when application issues arise from meeting DNS server requirements.
Fix
Left (v4 r1.2): The IAO must create and maintain a list of authorized DNS administrators for each zone and name server under the IAO's scope of responsibility.
Right (v4 r1.22): The ISSO must create and maintain a list of authorized DNS administrators for each zone and name server under the ISSO's scope of responsibility.