The DNS server implementation must require devices to re-authenticate for each zone transfer and dynamic update request connection attempt.

From Domain Name System (DNS) Security Requirements Guide

Part of SRG-APP-000390-DNS-000048

Associated with: CCI-002039

SV-69103r1_rule The DNS server implementation must require devices to re-authenticate for each zone transfer and dynamic update request connection attempt.

Vulnerability discussion

Without re-authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity.

In addition to the re-authentication requirements associated with session locks, organizations may require re-authentication of devices, including, but not limited to, the following other situations:

(i) When authenticators change;
(ii) When roles change;
(iii) When security categories of information systems change;
(iv) After a fixed period of time; or
(v) Periodically.

DNS does perform server authentication when DNSSEC or TSIG/SIG(0) are used, but this authentication is transactional in nature (each transaction has its own authentication performed). So this requirement is applicable for every server-to-server transaction request.

Check content

Review the DNS server implementation configuration to determine if the DNS server requires devices to re-authenticate each time a zone transfer is initiated and each time a client makes a dynamic update request. If the DNS server does not require devices to re-authenticate each time a zone transfer is initiated and each time a client makes a dynamic update request, this is a finding. Note that the requirement should be inherently met if DNSSEC and TSIG/SIG(0) are enabled.

Fix text

Configure the DNS server to require devices to re-authenticate each time a zone transfer is initiated and each time a client makes a dynamic update request. Note that the requirement should be inherently met if DNSSEC and TSIG/SIG(0) are enabled.
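The check and fix above both come down to inspecting the server configuration for zone transfers and dynamic updates that are admitted without per-request authentication. As an added example that is not part of the SRG, the following Python script audits a constructed BIND named.conf and flags any zone whose allow-transfer or allow-update clause admits peers by address or "any" rather than by TSIG key (update-policy rules always name a key, so they count as authenticated). The zone names, key names and the simplified parser (no nested ACL braces, no named acl references) are assumptions.

```python
"""Audit BIND zone statements for SV-69103r1: each zone transfer and dynamic
update must be gated by a TSIG key, so every request re-authenticates."""
import re

# Constructed sample named.conf (not from a real server): one hardened zone,
# one zone that relies on source addresses / "any" instead of keys.
SAMPLE_NAMED_CONF = """
key "xfer-key" { algorithm hmac-sha256; secret "PLACEHOLDER-BASE64=="; };
key "ddns-key" { algorithm hmac-sha256; secret "PLACEHOLDER-BASE64=="; };

zone "good.example" {
    type master;
    allow-transfer { key "xfer-key"; };
    update-policy { grant ddns-key zonesub ANY; };
};

zone "weak.example" {
    type master;
    allow-transfer { 192.0.2.0/24; };   # address-based, no per-request auth
    allow-update { any; };              # anyone may push dynamic updates
};
"""

ZONE_RE = re.compile(r'zone\s+"([^"]+)"\s*\{(.*?)\n\};', re.S)
STMT_RE = re.compile(r'(allow-transfer|allow-update|update-policy)\s*\{([^}]*)\}')


def _strip_comments(text: str) -> str:
    return re.sub(r'(#|//).*', '', text)


def _is_keyed(stmt: str, body: str) -> bool:
    """True when the statement only admits TSIG-authenticated requests."""
    body = body.strip()
    if stmt == 'update-policy':
        return bool(body)  # every grant/deny rule names a key
    if body in ('', 'none;'):
        return True  # feature disabled entirely; nothing to authenticate
    items = [i.strip() for i in body.split(';') if i.strip()]
    return all(i.startswith('key ') for i in items)


def audit_zones(named_conf: str) -> dict:
    """Return {zone: [findings]}; an empty list means the zone complies."""
    findings = {}
    for name, body in ZONE_RE.findall(_strip_comments(named_conf)):
        findings[name] = [
            f'{stmt} is not restricted to a TSIG key: {acl.strip()}'
            for stmt, acl in STMT_RE.findall(body) if not _is_keyed(stmt, acl)
        ]
    return findings
```

Run `audit_zones(SAMPLE_NAMED_CONF)` to see the weak zone reported on both its transfer and update clauses; point the function at a real named.conf to apply the same check.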
