Check: SRG-APP-000333-DNS-000104
Domain Name System (DNS) SRG:
SRG-APP-000333-DNS-000104
(in versions v3 r2 through v2 r4)
Title
The DNS Name Server software must be configured to refuse queries for its version information. (Cat II impact)
Discussion
Each newer version of the name server software, especially the BIND software, generally is devoid of vulnerabilities found in earlier versions because it has design changes incorporated to take care of those vulnerabilities. Of course, these vulnerabilities have been exploited (i.e., some form of attack was launched), and sufficient information has been generated with respect to the nature of those exploits. Thus, it makes good business sense to run the latest version of name server software because theoretically it is the safest version. In some installations, it may not be possible to switch over to the latest version of name server software immediately. If the version of the name server software is revealed in queries, this information may be used by attackers who are looking for a specific version of the software which has a discovered weakness. To prevent information about which version of name server software is running on a system, name servers should be configured to refuse queries for its version information.
Check Content
Review the DNS configuration files. Verify the DNS name server is explicitly configured to refuse queries asking for its version information. If the name server is not configured to explicitly refuse queries asking for its version information, this is a finding.
Fix Text
Configure the name server to refuse queries for its version information.
Additional Identifiers
Rule ID: SV-205194r879710_rule
Vulnerability ID: V-205194
Group Title: SRG-APP-000333
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-002201 |
The information system, when transferring information between different security domains, uses organization-defined data type identifiers to validate data essential for information flow decisions. |
Controls
Number | Title |
---|---|
AC-4 (12) |
Data Type Identifiers |