Check: SRG-APP-000390-DNS-000048
Domain Name System (DNS) SRG:
SRG-APP-000390-DNS-000048
(in versions v3 r2 through v2 r4)
Title
The DNS server implementation must require devices to re-authenticate for each zone transfer and dynamic update request connection attempt. (Cat II impact)
Discussion
Without re-authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. In addition to the re-authentication requirements associated with session locks, organizations may require re-authentication of devices, including, but not limited to, the following other situations: (i) When authenticators change; (ii) When roles change; (iii) When security categories of information systems change; (iv) After a fixed period of time; or (v) Periodically. DNS does perform server authentication when DNSSEC or TSIG/SIG(0) are used, but this authentication is transactional in nature (each transaction has its own authentication performed). So this requirement is applicable for every server-to-server transaction request.
Check Content
Review the DNS server implementation configuration to determine if the DNS server requires devices to re-authenticate each time a zone transfer is initiated and each time a client makes a dynamic update request. If the DNS server does not require devices to re-authenticate each time a zone transfer is initiated and each time a client makes a dynamic update request, this is a finding. Note that the requirement should be inherently met if DNSSEC and TSIG/SIG(0) are enabled.
Fix Text
Configure the DNS server to require devices to re-authenticate each time a zone transfer is initiated and each time a client makes a dynamic update request. Note that the requirement should be inherently met if DNSSEC and TSIG/SIG(0) are enabled.
Additional Identifiers
Rule ID: SV-205202r879763_rule
Vulnerability ID: V-205202
Group Title: SRG-APP-000390
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-002039 |
The organization requires devices to reauthenticate upon organization-defined circumstances or situations requiring reauthentication. |
Controls
Number | Title |
---|---|
IA-11 |
Re-Authentication |