STIGQter: STIG Summary: Domain Name System (DNS) Security Requirements Guide Version: 2 Release: 4 Benchmark Date: 23 Oct 2015:

In a split DNS configuration, where separate name servers are used between the external and internal networks, the external name server must be configured to not be reachable from inside resolvers.

DISA Rule

SV-69181r1_rule

Vulnerability Number

V-54935

Group Title

SRG-APP-000516-DNS-000092

Rule Version

SRG-APP-000516-DNS-000092

Severity

CAT II

CCI(s)

CCI-000366 - The organization implements the security configuration settings.

Weight

Fix Recommendation

Configure the DNS configuration on internal name servers to only accept queries from internal resolvers.
Configure DNS configuration on external name servers to only accept queries from external resolvers.
Configure network perimeter devices to block query resolution traffic from external resolvers to internal name servers and from internal resolvers to external name servers.

Check Contents

Review the DNS implementation and ensure the external DNS name servers are not reachable by internal resolvers.

If the external DNS name servers can be reached by internal resolvers, this is a finding.

In a split DNS configuration, where separate name servers are used between the external and internal networks, the external name server must be configured to not be reachable from inside resolvers.

DISA Rule

Vulnerability Number

Group Title

Rule Version

Severity

CCI(s)

Weight

Fix Recommendation

Check Contents

Vulnerability Number

Documentable

Rule Version

Severity Override Guidance

Check Content Reference

Target Key

Comments