STIGQter: STIG Summary: Domain Name System (DNS) Security Requirements Guide Version: 2 Release: 4 Benchmark Date: 23 Oct 2015

The DNS server implementation must enforce approved authorizations for controlling the flow of information between DNS servers and between DNS servers and DNS clients based on DNSSEC policies.

DISA Rule

SV-69067r1_rule

Vulnerability Number

V-54821

Group Title

SRG-APP-000215-DNS-000003

Rule Version

SRG-APP-000215-DNS-000003

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the DNS server to enforce approved authorizations for controlling the information flow by applying DNSSEC and TSIG signing practices to the DNS implementation.

Check Contents

Review the DNS server implementation configuration to determine if the DNS server enforces approved authorizations for controlling the information flow by using DNSSEC and TSIG signing practices that restrict zone transfers between DNS servers, and dynamic updates from DNS clients to the master name server, to digitally signed traffic.

If the DNS server does not enforce approved authorizations for controlling the information flow by using DNSSEC and TSIG signing practices, restricting zone transfers between DNS servers and dynamic updates from DNS clients to the master name server to digitally signed traffic, this is a finding.
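An added example, not part of the SRG: one way to automate part of this review, assuming the server is BIND and its `named.conf` text is available. It reports every `allow-transfer` or `allow-update` element that is not a TSIG key; the zone names, key name and addresses are constructed, and named ACLs, `update-policy` rules and zones that omit these statements still need manual review.

```python
import re

# Constructed sample in BIND named.conf syntax (assumed product; names are invented).
SAMPLE_CONF = '''
zone "example.mil" {
    type master;
    file "db.example.mil";
    allow-transfer { key "xfer-key"; };      // signed transfers only
    allow-update { 192.0.2.10; };            // address-based: unsigned updates accepted
};
zone "lab.example.mil" {
    type master;
    file "db.lab.example.mil";
    allow-transfer { any; };
    allow-update { none; };
};
'''

# Matches allow-transfer / allow-update (not allow-update-forwarding) and captures the list.
STMT = re.compile(r'allow-(transfer|update)(?![\w-])[^{;]*\{([^}]*)\}')
ZONE = re.compile(r'zone\s+"([^"]+)"')

def strip_comments(text):
    """Remove /* */, // and # comments so they are not parsed as list elements."""
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)
    return re.sub(r'(//|#)[^\n]*', '', text)

def audit(conf):
    """Return (zone, statement, element) for each list element that is not a TSIG key."""
    findings = []
    conf = strip_comments(conf)
    zones = [(m.start(), m.group(1)) for m in ZONE.finditer(conf)]
    for m in STMT.finditer(conf):
        # Attribute the statement to the nearest preceding zone; earlier ones are global.
        zone = next((n for pos, n in reversed(zones) if pos < m.start()), "(options)")
        for element in (e.strip() for e in m.group(2).split(';')):
            # "none" denies everything; "key <name>" requires a TSIG-signed request.
            if not element or element == "none" or re.match(r'key\s+\S', element):
                continue
            findings.append((zone, "allow-" + m.group(1), element))
    return findings

if __name__ == "__main__":
    for zone, stmt, element in audit(SAMPLE_CONF):
        print(f"FINDING zone={zone} {stmt}: '{element}' is not a TSIG key")
```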

Documentable

False

Severity Override Guidance

Review the DNS server implementation configuration to determine if the DNS server enforces approved authorizations for controlling the information flow by using DNSSEC and TSIG signing practices that restrict zone transfers between DNS servers, and dynamic updates from DNS clients to the master name server, to digitally signed traffic.

If the DNS server does not enforce approved authorizations for controlling the information flow by using DNSSEC and TSIG signing practices, restricting zone transfers between DNS servers and dynamic updates from DNS clients to the master name server to digitally signed traffic, this is a finding.

Check Content Reference

M

Target Key

2355
