Check: SRG-APP-000333-DNS-000107
Domain Name System (DNS) SRG:
SRG-APP-000333-DNS-000107
(in versions v3 r2 through v2 r4)
Title
The HINFO, RP, TXT and LOC RR types must not be used in the zone SOA. (Cat II impact)
Discussion
There are several types of RRs in the DNS that are meant to convey information to humans and applications about the network, hosts, or services. These RRs include the Responsible Person (RP) record, the Host Information (HINFO) record, the Location (LOC) record, and the catch-all text string resource record (TXT) [RFC1035]. Although these record types are meant to provide information to users in good faith, they also allow attackers to gain knowledge about network hosts before attempting to exploit them. For example, an attacker may query for HINFO records, looking for hosts that list an OS or platform known to have exploits. Therefore, great care should be taken before including these record types in a zone. In fact, they are best left out altogether.

More careful consideration should be taken with the TXT resource record type. A DNS administrator will have to decide if the data contained in a TXT RR constitutes an information leak or is a necessary piece of information. For example, several authenticated email technologies use TXT RRs to store email sender policy information, such as the valid email senders for a domain. These judgments will have to be made on a case-by-case basis.

A DNS administrator should take care when including HINFO, RP, TXT, LOC, or other RR types that could divulge information that would be useful to an attacker, particularly in the external view of a zone when using split DNS. RRs such as HINFO and TXT provide information about software names and versions (e.g., for resources such as Web servers and mail servers) that will enable the well-equipped attacker to exploit the known vulnerabilities in those software versions and launch attacks against those resources.
Check Content
Review the DNS configuration files. Verify that there are no HINFO, RP, TXT, or LOC RRs in the configuration. If any HINFO, RP, TXT, or LOC RRs are present in the configuration, this is a finding.
Fix Text
Configure the DNS server so that its zone configuration does not include any HINFO, RP, TXT, or LOC RRs.
Additional Identifiers
Rule ID: SV-205195r879710_rule
Vulnerability ID: V-205195
Group Title: SRG-APP-000333
Expert Comments
CCIs
Number | Definition
---|---
CCI-002201 | The information system, when transferring information between different security domains, uses organization-defined data type identifiers to validate data essential for information flow decisions.
Controls
Number | Title
---|---
AC-4 (12) | Data Type Identifiers