STIGQter: STIG Summary: Domain Name System (DNS) Security Requirements Guide, Version 2, Release 4, Benchmark Date: 23 Oct 2015

CNAME records must not point to a zone with lesser security for more than six months.

DISA Rule

SV-69211r1_rule

Vulnerability Number

V-54965

Group Title

SRG-APP-000516-DNS-000114

Rule Version

SRG-APP-000516-DNS-000114

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Remove any zone-spanning CNAME records that have been active for more than six months.

Check Contents

Review the DNS server's hosted zones and their records. Within each zone statement, the file option gives the name of the zone file. The record type column will display CNAME; this is usually the third or fourth field in a record, depending on whether a TTL value is present. Without a TTL value, the CNAME type will be in the third field; otherwise, it will be the fourth field.

Review the zone files and the DNS zone record documentation to confirm that there are no CNAME records older than 6 months.

The exceptions are glue records supporting zone delegations, CNAME records supporting a system migration, or CNAME records that point to third-party Content Delivery Networks (CDN) or cloud computing platforms. In the case of third-party CDNs or cloud offerings, an approved mission need must be demonstrated (AO approval of the use of a commercial cloud offering would satisfy this requirement).

If there are zone-spanning CNAME records older than 6 months, and those CNAME records resolve to anything other than the fully qualified domain names of glue records supporting zone delegations, CNAME records supporting a system migration, or CNAME records that point to third-party Content Delivery Networks (CDN) or cloud computing platforms with an AO-approved and documented mission need, this is a finding.
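As an added example (not part of the STIG or of STIGQter), the following Python script applies this check to a constructed BIND-style zone file: it locates CNAME records whether or not a TTL field is present, keeps only those whose target lies outside the hosted zone, and flags any older than six months that lack one of the documented exceptions. The zone origin, the record creation dates and the exception labels are assumptions standing in for the zone record documentation the check refers to.

```python
from datetime import date, timedelta
ZONE_ORIGIN = "example.mil."   # constructed sample zone, not taken from the STIG
ZONE_FILE = """\
$TTL 3600
@        IN NS    ns1.example.mil.
www      IN CNAME webfarm.example.mil.     ; stays inside the zone
portal   3600 IN CNAME portal.example.com. ; TTL present: CNAME is the fourth field
old-app  IN CNAME app.vendor.net.
cdn      IN CNAME d111111abcdef8.cloudfront.net.
legacy   IN CNAME files.partner.org.
"""
RECORD_DOCS = {  # constructed record documentation: creation date and approved exception
    "portal": {"created": date(2015, 1, 15), "exception": None},
    "old-app": {"created": date(2014, 6, 1), "exception": "system migration"},
    "cdn": {"created": date(2014, 9, 1), "exception": "AO-approved CDN"},
}
APPROVED = {"delegation glue", "system migration", "AO-approved CDN", "AO-approved cloud"}

def parse_cnames(zone_text):
    """Yield (owner, target) per CNAME, skipping the optional TTL and class fields."""
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()            # drop comments
        if not line or line.startswith("$"):            # skip blanks and directives
            continue
        fields = line.split()
        rest = fields[1:]
        if rest and rest[0].isdigit():                  # optional TTL
            rest = rest[1:]
        if rest and rest[0].upper() in ("IN", "CH", "HS"):  # optional class
            rest = rest[1:]
        if len(rest) >= 2 and rest[0].upper() == "CNAME":
            yield fields[0], rest[1]

def is_zone_spanning(target, origin):
    """True when an absolute target lies outside the hosted zone."""
    t, o = target.lower(), origin.lower()
    return t.endswith(".") and t != o and not t.endswith("." + o)

def find_findings(zone_text, origin, docs, today, max_age=timedelta(days=183)):
    """Return (owner, target, reason) for zone-spanning CNAMEs that fail the check."""
    findings = []
    for owner, target in parse_cnames(zone_text):
        if not is_zone_spanning(target, origin):
            continue
        doc = docs.get(owner)
        if doc is None:
            findings.append((owner, target, "no record documentation"))
        elif doc["created"] <= today - max_age and doc["exception"] not in APPROVED:
            findings.append((owner, target, "older than 6 months, no approved exception"))
    return findings
```

Run against the benchmark date, the script reports `portal` (undocumented exception, older than six months) and `legacy` (no documentation at all), while `www` is ignored as in-zone and `old-app` and `cdn` pass on their recorded exceptions.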

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

2355

Comments