STIGQter: STIG Summary: Domain Name System (DNS) Security Requirements Guide Version: 2 Release: 4 Benchmark Date: 23 Oct 2015

All authoritative name servers for a zone must be geographically dispersed.

DISA Rule

SV-69213r1_rule

Vulnerability Number

V-54967

Group Title

SRG-APP-000218-DNS-000027

Rule Version

SRG-APP-000218-DNS-000027

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Physically move name servers so that they are geographically at different locations. If moving a name server is not feasible, one of the co-located name servers could be reconfigured to be hidden.

Check Contents

Review the NS records for each zone hosted and confirm that each authoritative name server is located at a different physical location than the remaining name servers.

If the master, or primary, authoritative name server is configured to be "hidden", it will not have an NS record. One other name server may be at the same physical location as the hidden name server.

If the name servers for which NS records are listed are not all at physically different locations, this is a finding.
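
One way to script this review, as an added example (not part of the STIG or of any DISA tooling): it reads the apex NS records from a zone file and groups the listed servers by site using an operator-maintained inventory. The zone data, the `SITES` inventory and the function names are constructed assumptions; the parser only handles single-line records.

```python
from collections import defaultdict

# Constructed sample zone; example.mil is a placeholder, ns0 is the hidden primary.
ZONE = """\
$ORIGIN example.mil.
@     3600 IN SOA ns0.example.mil. admin.example.mil. 1 7200 900 1209600 300
@     3600 IN NS  ns1.example.mil.
      3600 IN NS  ns2            ; relative name, expands under $ORIGIN
      3600 IN NS  ns3.example.mil.
ns1   3600 IN A   192.0.2.1
"""

# Constructed inventory: physical site of each name server (assumed to be operator-maintained).
SITES = {
    "ns0.example.mil.": "site-a",  # hidden primary: has no NS record
    "ns1.example.mil.": "site-a",  # one listed server may share the hidden server's site
    "ns2.example.mil.": "site-b",
    "ns3.example.mil.": "site-b",  # co-located with ns2
}

def apex_ns(zone_text, origin="."):
    """Return the zone-apex NS targets as lower-case FQDNs."""
    owner, found = None, []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        tok = line.split()
        if tok[0].startswith("$"):                # directives: only $ORIGIN matters here
            if tok[0].upper() == "$ORIGIN":
                origin = tok[1].lower()
            continue
        if not raw[0].isspace():                  # owner names start in column 1
            owner, tok = tok[0].lower(), tok[1:]  # indented lines inherit the last owner
        upper = [t.upper() for t in tok]
        if "NS" in upper and owner in ("@", origin):
            target = tok[upper.index("NS") + 1].lower()
            found.append(target if target.endswith(".") else target + "." + origin.lstrip("."))
    return found

def colocation_findings(ns_names, sites):
    """Return (sites shared by more than one listed server, servers with no recorded site)."""
    by_site, unknown = defaultdict(list), []
    for name in ns_names:
        if name in sites:
            by_site[sites[name]].append(name)
        else:
            unknown.append(name)                  # location cannot be confirmed
    return {s: sorted(n) for s, n in by_site.items() if len(n) > 1}, unknown

if __name__ == "__main__":
    shared, unknown = colocation_findings(apex_ns(ZONE), SITES)
    for site, names in shared.items():
        print(f"FINDING: {site} hosts {', '.join(names)}")
    for name in unknown:
        print(f"REVIEW: no recorded site for {name}")
```

Because the hidden primary has no NS record, it never enters the comparison, which matches the allowance in the check text.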

Documentable

False

Check Content Reference

M

Target Key

2355
