Free DISA STIG and SRG Library | Vaulted

V-4510

Forwarders are not disabled on the CSS DNS.

Finding ID
DNS0925
Rule ID
SV-4510r1_rule
Severity
Cat II
CCE
(None)
Group Title
Forwarders are not disabled on the CSS DNS.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

CSS DNS is not exposed to recursion-based attacks because it does not support recursion. It does, however, offer a forwarder feature that sends unresolvable or unsupported requests to another name server. Forwarding poses a risk because it does not eliminate such attacks; it merely redirects them to the forwarding target, so the exposure moves to that name server instead of being removed.

Fix Text

The CSS DNS administrator should disable forwarders by entering the following commands in global configuration mode: no dns-server forwarder primary (to remove the primary forwarder) and/or no dns-server forwarder secondary (to remove the secondary forwarder).

Check Content

In the presence of the reviewer, the CSS DNS administrator should enter the following command in global configuration mode: show dns-server forwarder. Confirm that both the DNS server forwarder primary and the DNS server forwarder secondary are reported as “Not Configured.” If either of these is configured, this is a finding.
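The check above is normally done by eye at the console. The following is an added example (not part of the STIG or of Cisco's CSS software) that evaluates the same check offline against a captured copy of the show dns-server forwarder output, reports whether DNS0925 is a finding, and lists the fix commands from the Fix Text that apply. The exact line layout of the CSS output is an assumption (one line per forwarder, "DNS Server Forwarder Primary: ..." and "DNS Server Forwarder Secondary: ..."); the sample captures are constructed, not real device output. A missing or unrecognised line is treated as a finding so that an incomplete capture can never silently pass the review.

```python
"""Offline evaluation of DNS0925 (forwarders disabled on CSS DNS).

Added example, not part of the STIG text or of the CSS product. It parses
captured output of `show dns-server forwarder` and reports whether either
forwarder is configured. The layout of the CSS output is ASSUMED to be:

    DNS Server Forwarder Primary:   Not Configured
    DNS Server Forwarder Secondary: 10.1.1.53

Confirm the real layout against the device before relying on this check.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Tolerant of spacing and case, because pasted terminal captures are often
# re-wrapped or re-cased by the tool that captured them.
_FORWARDER_RE = re.compile(
    r"^\s*DNS\s+Server\s+Forwarder\s+(?P<role>Primary|Secondary)\s*:\s*(?P<value>.+?)\s*$",
    re.IGNORECASE,
)


def _is_not_configured(value: Optional[str]) -> bool:
    """Compliant only when the device literally reports 'Not Configured'."""
    return value is not None and value.strip().lower() == "not configured"


@dataclass
class ForwarderStatus:
    primary: Optional[str]    # None means the line was not found in the capture
    secondary: Optional[str]

    def is_finding(self) -> bool:
        """True when DNS0925 must be recorded as a finding.

        Both forwarders must be 'Not Configured'. A missing line counts as a
        finding: an incomplete capture must not pass the review.
        """
        return not (_is_not_configured(self.primary)
                    and _is_not_configured(self.secondary))

    def fix_commands(self) -> List[str]:
        """Global-configuration commands from the Fix Text for each configured forwarder."""
        cmds = []
        if self.primary is not None and not _is_not_configured(self.primary):
            cmds.append("no dns-server forwarder primary")
        if self.secondary is not None and not _is_not_configured(self.secondary):
            cmds.append("no dns-server forwarder secondary")
        return cmds


def parse_show_dns_server_forwarder(output: str) -> ForwarderStatus:
    """Extract the primary/secondary forwarder values from a captured show output."""
    primary = secondary = None
    for line in output.splitlines():
        m = _FORWARDER_RE.match(line)
        if not m:
            continue
        if m.group("role").lower() == "primary":
            primary = m.group("value")
        else:
            secondary = m.group("value")
    return ForwarderStatus(primary=primary, secondary=secondary)


# Constructed sample captures (not real device output).
COMPLIANT_CAPTURE = """\
CSS150# show dns-server forwarder
DNS Server Forwarder Primary:   Not Configured
DNS Server Forwarder Secondary: Not Configured
"""

NONCOMPLIANT_CAPTURE = """\
CSS150# show dns-server forwarder
DNS Server Forwarder Primary:   Not Configured
DNS Server Forwarder Secondary: 10.1.1.53
"""

if __name__ == "__main__":
    for name, capture in (("compliant", COMPLIANT_CAPTURE),
                          ("noncompliant", NONCOMPLIANT_CAPTURE)):
        status = parse_show_dns_server_forwarder(capture)
        verdict = "finding" if status.is_finding() else "not a finding"
        print(f"{name}: {verdict}; fix: {status.fix_commands() or 'none'}")
```

The check is deliberately strict: anything other than the exact "Not Configured" wording, including a line that is absent because the capture was truncated, is reported as a finding and sent back for manual confirmation rather than being assumed compliant.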

Responsibility

System Administrator

IA Controls

ECSC-1