The HINFO, RP, TXT, and LOC RR types must not be used in the zone SOA.

From Microsoft Windows 2008 Server Domain Name System Security Technical Implementation Guide

Part of SRG-APP-000333-DNS-000107

Associated with: CCI-001312

SV-83229r1_rule The HINFO, RP, TXT, and LOC RR types must not be used in the zone SOA.

Vulnerability discussion

There are several types of RRs in the DNS that are meant to convey information to humans and applications about the network, hosts, or services. These RRs include the Responsible Person (RP) record, the Host Information (HINFO) record, the Location (LOC) record, and the catch-all text string resource record (TXT) [RFC1035]. Although these record types are meant to provide information to users in good faith, they also allow attackers to gain knowledge about network hosts before attempting to exploit them. For example, an attacker may query for HINFO records, looking for hosts that list an OS or platform known to have exploits.Therefore, great care should be taken before including these record types in a zone. In fact, they are best left out altogether.More careful consideration should be taken with the TXT resource record type. A DNS administrator will have to decide if the data contained in a TXT RR constitutes an information leak or is a necessary piece of information. For example, several authenticated email technologies use TXT RR's to store email sender policy information such as valid email senders for a domain. These judgments will have to be made on a case-by-case basis.A DNS administrator should take care when including HINFO, RP, TXT, LOC, or other RR types that could divulge information that would be useful to an attacker or the external view of a zone if using split DNS.RRs such as HINFO and TXT provide information about software name and versions (e.g., for resources such as Web servers and mail servers) that will enable the well-equipped attacker to exploit the known vulnerabilities in those software versions and launch attacks against those resources.

Check content

Log on to the DNS server using the Domain Admin or Enterprise Admin account. Press Windows Key + R, execute dnsmgmt.msc. On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server, and then expand Forward Lookup Zones. From the expanded list, click to select the zone. Review the zone's Resource Records (RR) and verify HINFO, RP, and LOC RRs are not used. If TXT RRs are used, they must not reveal any information about the organization which could be used for malicious purposes. If there are any HINFO, RP, LOC, or revealing TXT RRs in any zone hosted by the DNS Server, this is a finding.

Fix text

Log on to the DNS server using the Domain Admin or Enterprise Admin account. Press Windows Key + R, execute dnsmgmt.msc. On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server, and then expand Forward Lookup Zones. From the expanded list, click to select the zone. Remove all HINFO, RP, TXT, and LOC RRs from all zones hosted by the DNS Server.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer