STIGQter: STIG Summary: Domain Name System (DNS) Security Requirements Guide Version: 2 Release: 4 Benchmark Date: 23 Oct 2015:

The IP address for hidden master authoritative name servers must not appear in the name servers set in the zone database.

DISA Rule

SV-69199r1_rule

Vulnerability Number

V-54953

Group Title

SRG-APP-000516-DNS-000108

Rule Version

SRG-APP-000516-DNS-000108

Severity

CAT II

CCI(s)

• CCI-000366 - The organization implements the security configuration settings.

Weight

10

Fix Recommendation

Remove, from all zones' configuration files, any NS RRs for hidden name servers.

Check Contents

Check the DNS documentation to determine if a hidden master authoritative name server is being used. If a hidden master authoritative name server is being used, check the NS records for all zones for which that hidden name server is authoritative and confirm there is not any NS record for that hidden name server.

If any zone for which a hidden name server is authoritative has an NS record for that hidden name server, this is a finding.
If the DNS implementation does not include any hidden name servers, this is not applicable.

Vulnerability Number

V-54953

Documentable

False

Rule Version

SRG-APP-000516-DNS-000108

Severity Override Guidance

Check the DNS documentation to determine if a hidden master authoritative name server is being used. If a hidden master authoritative name server is being used, check the NS records for all zones for which that hidden name server is authoritative and confirm there is not any NS record for that hidden name server.

If any zone for which a hidden name server is authoritative has an NS record for that hidden name server, this is a finding.
If the DNS implementation does not include any hidden name servers, this is not applicable.

Check Content Reference

M

Target Key

2355

Comments