STIGQter: STIG Summary: Domain Name System (DNS) Security Requirements Guide Version: 2 Release: 4 Benchmark Date: 23 Oct 2015:

The DNS server implementation must enforce approved authorizations for controlling the flow of information between DNS servers and between DNS servers and DNS clients based on DNSSEC policies.

DISA Rule

SV-69067r1_rule

Vulnerability Number

V-54821

Group Title

SRG-APP-000215-DNS-000003

Rule Version

SRG-APP-000215-DNS-000003

Severity

CAT II

CCI(s)

CCI-001663 - The information system, when operating as part of a distributed, hierarchical namespace, provides the means to enable verification of a chain of trust among parent and child domains (if the child supports secure resolution services).

Weight

Fix Recommendation

Configure the DNS server to enforce approved authorizations for controlling the information flow by applying DNSSEC and TSIG signing practices to the DNS implementation.

Check Contents

Review the DNS server implementation configuration to determine if the DNS server enforces approved authorizations for controlling the information flow by using DNSSEC and TSIG signing practices that restrict zone transfers between DNS servers, and dynamic updates from DNS clients to the master name server, to digitally signed traffic.

If the DNS server does not enforce approved authorizations for controlling the information flow by using DNSSEC and TSIG signing practices, restricting zone transfers between DNS servers and dynamic updates from DNS clients to the master name server to digitally signed traffic, this is a finding.

The DNS server implementation must enforce approved authorizations for controlling the flow of information between DNS servers and between DNS servers and DNS clients based on DNSSEC policies.

DISA Rule

Vulnerability Number

Group Title

Rule Version

Severity

CCI(s)

Weight

Fix Recommendation

Check Contents

Vulnerability Number

Documentable

Rule Version

Severity Override Guidance

Check Content Reference

Target Key

Comments