The platform on which the name server software is hosted must be configured to send outgoing DNS messages from a random port.

From Domain Name System (DNS) Security Requirements Guide

Associated with: CCI-000366

SV-69203r1_rule The platform on which the name server software is hosted must be configured to send outgoing DNS messages from a random port.

Vulnerability discussion

OS configuration practices as issued by the US Computer Emergency Response Team (US CERT) and the National Institute of Standards and Technology's (NIST's) National Vulnerability Database (NVD), based on identified vulnerabilities that pertain to the application profile into which the name server software fits, should be always followed. In particular, hosts that run the name server software should not provide any other services and therefore should be configured to respond to DNS traffic only. In other words, the only allowed incoming ports/protocols to these hosts should be 53/udp and 53/tcp. Outgoing DNS messages should be sent from a random port to minimize the risk of an attacker guessing the outgoing message port and sending forged replies.

Check content

Review the DNS configuration. Determine if a static port is being used to send outgoing DNS messages or whether it is configured to use a random port. If the DNS configuration specifies a static port to be used for outgoing DNS messages rather than a random port, this is a finding.

Fix text

Configure the DNS server to use a random port for outgoing DNS messages.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.