STIGQter: STIG Summary: Domain Name System (DNS) Security Requirements Guide, Version: 2, Release: 4, Benchmark Date: 23 Oct 2015

All authoritative name servers for a zone must be located on different network segments.

DISA Rule

SV-69173r1_rule

Vulnerability Number

V-54927

Group Title

SRG-APP-000516-DNS-000087

Rule Version

SRG-APP-000516-DNS-000087

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Locate all visible (non-hidden) name servers on different network segments.

Check Contents

Review the DNS configuration files to determine all of the NS records for each zone. Based upon the NS records for each zone, determine the location of each of the name servers. Verify all authoritative name servers are located on different network segments.

If two authoritative name servers are found on the same network segment, and one of those two is hidden, this is not a finding.

If any authoritative name servers are located on the same network segment as another authoritative name server, this is a finding.
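The check above can be scripted once the name servers and their addresses have been collected. The following is an added example, not part of the STIG or of STIGQter: the server names, addresses, `hidden` flags and segment CIDRs are constructed sample data, and the segment list is assumed to come from the site's own network documentation.

```python
import ipaddress
from itertools import combinations

# Constructed sample data: segment CIDRs as the site documents them, and the
# authoritative servers for one zone ("hidden" = not published in NS records).
SEGMENTS = ["192.0.2.0/26", "192.0.2.64/26", "198.51.100.0/24", "2001:db8:1::/64"]
SERVERS = [
    {"name": "ns1.example.com.", "addr": "192.0.2.10", "hidden": False},
    {"name": "ns2.example.com.", "addr": "192.0.2.20", "hidden": False},
    {"name": "ns3.example.com.", "addr": "198.51.100.5", "hidden": False},
    {"name": "master.example.com.", "addr": "198.51.100.9", "hidden": True},
    {"name": "ns4.example.com.", "addr": "192.0.2.70", "hidden": False},
]

def segment_of(addr, segments):
    """Return the most specific documented segment containing addr, or None."""
    ip = ipaddress.ip_address(addr)
    nets = [ipaddress.ip_network(s) for s in segments]
    hits = [n for n in nets if n.version == ip.version and ip in n]
    return max(hits, key=lambda n: n.prefixlen) if hits else None

def audit(servers, segments):
    """Return (findings, unmapped).

    findings: (segment, name_a, name_b) for each pair of visible servers that
    share a segment. A pair that includes a hidden server is not a finding.
    unmapped: servers whose address is in no documented segment; their
    location has to be determined manually before the check can pass.
    """
    placed, unmapped = [], []
    for s in servers:
        seg = segment_of(s["addr"], segments)
        if seg is None:
            unmapped.append(s["name"])
        else:
            placed.append((seg, s))
    findings = []
    for (seg_a, a), (seg_b, b) in combinations(placed, 2):
        if a["name"] == b["name"] or a["hidden"] or b["hidden"]:
            continue  # same host listed twice, or the hidden-server exemption
        if seg_a == seg_b:
            findings.append((str(seg_a), a["name"], b["name"]))
    return findings, unmapped

if __name__ == "__main__":
    found, unknown = audit(SERVERS, SEGMENTS)
    for seg, a, b in found:
        print(f"FINDING: {a} and {b} share segment {seg}")
    for name in unknown:
        print(f"REVIEW: {name} is not in any documented segment")
```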

Documentable

False

Severity Override Guidance

Review the DNS configuration files to determine all of the NS records for each zone. Based upon the NS records for each zone, determine the location of each of the name servers. Verify all authoritative name servers are located on different network segments.

If two authoritative name servers are found on the same network segment, and one of those two is hidden, this is not a finding.

If any authoritative name servers are located on the same network segment as another authoritative name server, this is a finding.

Check Content Reference

M

Target Key

2355

Comments