Check: GEN007850
SUSE Linux Enterprise Server v11 for System z STIG:
GEN007850
(in versions v1 r12 through v1 r9)
Title
The DHCP client must not send dynamic DNS updates. (Cat II impact)
Discussion
Dynamic DNS updates transmit unencrypted information about a system including its name and address and should not be used unless needed.
Check Content
If the "dhcp-client" package is not installed, this is not applicable. Verify the DHCP client is configured to not send dynamic DNS updates.
Procedure:
# rpm -q dhcp-client
If the DHCP client is found, issue the following command to determine whether the DHCP client sends dynamic DNS updates:
# grep do-forward-updates /etc/dhclient.conf
If the DHCP client is installed and the configuration file is not present, or contains do-forward-updates = "true", then this is a finding.
Fix Text
Edit or add the "/etc/dhclient.conf" file and add or edit the "do-forward-updates" setting to false.
Procedure:
# echo "do-forward-updates false;" >> /etc/dhclient.conf
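The check above, scripted so that commented-out lines are not mistaken for an active setting (a bare grep matches them). This is an added example, not part of the STIG text; the function name and status strings are hypothetical, and a file with no active "do-forward-updates" statement is reported as REVIEW because the check content does not cover that case.

```shell
#!/bin/sh
# Added example (not STIG content): evaluate GEN007850 for one config file.
# Usage: gen007850_status <yes|no> <path to dhclient.conf>
#   first argument is "yes" when `rpm -q dhcp-client` succeeded, e.g.
#   rpm -q dhcp-client >/dev/null 2>&1 && inst=yes || inst=no
gen007850_status() {
    installed=$1
    conf=$2

    # Package absent: the check is not applicable.
    [ "$installed" = "yes" ] || { echo "NOT_APPLICABLE"; return 0; }

    # Package present but no configuration file: finding per the check content.
    [ -f "$conf" ] || { echo "FINDING"; return 0; }

    # Drop '#' comments, then extract the value of every active
    # do-forward-updates statement (accepts: false;  = "true";  etc.).
    values=$(sed -e 's/#.*//' "$conf" |
        sed -n 's/^[[:space:]]*do-forward-updates[[:space:]=]*"\{0,1\}\([[:alpha:]]*\)"\{0,1\}[[:space:]]*;.*$/\1/p' |
        tr '[:upper:]' '[:lower:]')

    if printf '%s\n' "$values" | grep -qx 'true'; then
        # Any active "true" is a finding, even if "false" also appears.
        echo "FINDING"
    elif printf '%s\n' "$values" | grep -qx 'false'; then
        echo "NOT_A_FINDING"
    else
        # Assumption: no active statement needs manual review.
        echo "REVIEW"
    fi
}

# Constructed sample: the setting exists only inside a comment.
sample=$(mktemp)
printf '%s\n' '# do-forward-updates false;' 'send host-name "host1";' > "$sample"
gen007850_status yes "$sample"   # REVIEW
rm -f "$sample"
```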
Additional Identifiers
Rule ID: SV-45988r2_rule
Vulnerability ID: V-22549
Group Title: GEN007850
CCIs
Number | Definition |
---|---|
CCI-000366 | The organization implements the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 | Configuration Settings |