Version/Release Published Filters Downloads Update
V4R1 2015-12-29      
Update existing CKLs to this version of the STIG
The CISCO CSS DNS Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: [email protected]
Vuln Rule Version CCI Severity Title Description
SV-4467r2_rule DNS0225 LOW Record owners will validate their zones no less than annually. The DNS database administrator will remove all zone records that have not been validated in over a year. If zone information has not been validated in over a year, then there is no assurance that it is still valid. If invalid records are in a zone, then an adversary could potentially use their existence for improper purposes. An SOP detailing this process can resolve this requirement. Information Assurance OfficerECSC-1
SV-4469r3_rule DNS0235 LOW Zone-spanning CNAME records, that point to a zone with lesser security, are active for more than six months. The use of CNAME records for exercises, tests or zone-spanning aliases should be temporary (e.g., to facilitate a migration). When a host name is an alias for a record in another zone, an adversary has two points of attack the zone in which the alias is defined and the zone authoritative for the aliases canonical name. This configuration also reduces the speed of client resolution because it requires a second lookup after obtaining the canonical name. Furthermore, in the case of an authoritative name server, this information is promulgated throughout the enterprise to caching servers and thus compounding the vulnerability.System AdministratorECSC-1
SV-4506r1_rule DNS0900 LOW The shared secret in the APP session(s) was not a randomly generated 32 character text string. The core requirements related to zone transfers are that an authoritative name server transfers zone information only to designated zone partners and that name servers only accept zone data when it is cryptographically authenticated. CSS APP provides means to designate which devices it can share zone data and to authenticate those transactions. CSS devices can define their peers using IP addresses and authenticate them using Challenge Handshake Authentication Protocol (CHAP) with a shared secret. This setup also can be supplemented with MD5 hashing encryption. While this configuration does not provide the equivalent strength of cryptographic authentication as BINDs TSIG HMAC-MD5, it does provide a satisfactory level of information assurance when CSS DNS operates within a trusted network environment.System AdministratorDCNR-1
SV-4507r1_rule DNS0905 MEDIUM The Cisco CSS DNS is utilized to host the organizations authoritative records and DISA Computing Services does not support that host in its domain and associated high-availability server infrastructure. The primary security concern with regard to the type of delegation discussed is that to implement this approach, an organization would have to migrate its authoritative records from a well-known DNS implementation with proven, tested security controls to a relatively new DNS implementation without similar controls. Therefore, this migration should only occur when the performance and availability advantages of CSS significantly outweigh the increased residual security risk of using a less mature technology.System AdministratorECSC-1
SV-4508r1_rule DNS0910 LOW Zones are delegated with the CSS DNS. Although it is technically possible to delegate zones within CSS DNS, there is almost never a rationale to do so because such delegation could be achieved as easily with BIND, which offers security features not present in CSS DNS. Moreover, the performance enhancing features of CSS typically would not apply to name server records because these records are obtained easily and quickly across the wide area without significant impact on a users experienceInformation Assurance OfficerECSC-1
SV-4509r1_rule DNS0920 LOW The CSS DNS does not transmit APP session data over an out-of-band network if one is available. One can also limit APP communication to an out of band network, which would make it considerably more difficult for adversaries to spoof the addresses of peers or hijack APP sessions.System AdministratorECSC-1
SV-4510r1_rule DNS0925 MEDIUM Forwarders are not disabled on the CSS DNS. CSS DNS is not vulnerable to attacks associated with recursion because it does not support recursion, but does offer a forwarder feature that sends un-resolvable or unsupported requests to another name server. This feature poses a risk because the forwarder feature merely redirects potential attacks to another name server.System AdministratorECSC-1
SV-4512r1_rule DNS0915 HIGH CSS DNS does not cryptographically authenticate APP sessions. The risk to the CSS DNS in this situation is the CSS DNS peers do not authenticate each other, the sending and receiving of APP session data and peer communication may be with an adversary rather than the intended peer, thereby sending sensitive network architecture data and receiving ill intended zone data. To protect against this possibility, the CSS DNS peers must cryptographically authenticate each other.System AdministratorDCNR-1
SV-15513r1_rule DNS4600 LOW The DNS administrator will ensure non-routeable IPv6 link-local scope addresses are not configured in any zone. Such addresses begin with the prefixes of “FE8”, “FE9”, “FEA”, or “FEB”. IPv6 link local scope addresses are not globally routable and must not be configured in any DNS zone. Similar to RFC1918, addresses, if a link-local scope address is inserted into a zone provided to clients, most routers will not forward this traffic beyond the local subnet.System AdministratorOtherECSC-1
SV-15514r1_rule DNS4610 LOW AAAA addresses are configured on a host that is not IPv6 aware. DNS is only responsible for resolving a domain name to an ip address. Applications and operating systems are responsible for processing the IPv6 or IPv4 record that may be returned. With this in mind, a denial of service could easily be implemented for an application that is not IPv6 aware. When the application receives an i.p. address in hexadecimal, it is up to the application/operating system to decide how to handle the response. Combining both IPv6 and IPv4 records into the same domain can lead to application problems that are beyond the scope of the DNS administrator.OtherECSC-1