STIGQter: STIG Summary: Juniper SRX Services Gateway ALG Security Technical Implementation Guide, Version 2, Release 1, Benchmark Date: 23 Oct 2020

The Juniper SRX Services Gateway Firewall must not be configured as a DNS proxy since providing this network service is unrelated to the role as a Firewall.

DISA Rule

SV-214525r557389_rule

Vulnerability Number

V-214525

Group Title

SRG-NET-000131-ALG-000086

Rule Version

JUSX-AG-000085

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

First, remove the DNS stanza. Then re-enter the set security zones and interfaces command without the "dns" attribute. The exact command entered depends on how the zone is configured with the authorized attributes, services, and options.

Examples:

[edit]
delete system services dns
set security zones security-zone <zone-name> interfaces <interface-name> host-inbound-traffic

Check Contents

Check both the zones and the interface stanza to ensure DNS proxy server services are not configured.

[edit]
show system services dns

If a stanza exists for DNS (e.g., forwarders option), this is a finding.
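An added automated version of this check (not part of the STIG or of STIGQter): it scans the output of `show configuration | display set` (an assumed input format) for both the `system services dns` stanza and any zone or interface `host-inbound-traffic` entry that admits the dns service, which is what the fix above removes. The sample configuration is constructed for the example.

```python
import re

# Constructed `show configuration | display set` output; not taken from a real device.
SAMPLE_CONFIG = """\
set system host-name srx-edge
set system services ssh
set system services dns forwarders 192.0.2.53
set system services dns dns-proxy interface ge-0/0/1.0
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services ssh
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services dns
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
"""

# Any line under [edit system services dns] (forwarders, dns-proxy, ...) is a finding.
DNS_STANZA = re.compile(r"^set system services dns\b(?P<rest>.*)$")

# Zone-level or interface-level host-inbound-traffic that admits dns.
# "all" is flagged too, because it admits every system service, dns included.
ZONE_DNS = re.compile(
    r"^set security zones security-zone (?P<zone>\S+)"
    r"(?: interfaces (?P<iface>\S+))?"
    r" host-inbound-traffic system-services (?P<svc>dns|all)\b"
)


def find_dns_proxy_findings(config_text):
    """Return one dict per offending line: line number, kind, and detail."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        m = DNS_STANZA.match(line)
        if m:
            detail = m.group("rest").strip() or "(stanza present)"
            findings.append({"line": lineno, "kind": "system-services-dns", "detail": detail})
            continue
        m = ZONE_DNS.match(line)
        if m:
            scope = m.group("iface") or "zone-level"
            detail = f"zone={m.group('zone')} interface={scope} service={m.group('svc')}"
            findings.append({"line": lineno, "kind": "host-inbound-dns", "detail": detail})
    return findings


def is_compliant(config_text):
    """True when neither the DNS stanza nor a dns host-inbound entry is present."""
    return not find_dns_proxy_findings(config_text)


if __name__ == "__main__":
    for f in find_dns_proxy_findings(SAMPLE_CONFIG):
        print(f"line {f['line']}: {f['kind']}: {f['detail']}")
```

Feed it the saved `display set` output of each gateway; an empty result means no finding for this rule, while each reported line maps directly to a `delete` command in the fix.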

Vulnerability Number

V-214525

Documentable

False

Rule Version

JUSX-AG-000085

Severity Override Guidance

Check both the zones and the interface stanza to ensure DNS proxy server services are not configured.

[edit]
show system services dns

If a stanza exists for DNS (e.g., forwarders option), this is a finding.

Check Content Reference

M

Target Key

4004

Comments