Select any two versions of this STIG to compare the individual requirements
Select any old version/release of this STIG to view the previous requirements
Interview the IAO to determine if there is a process and policy in place to ensure Host Based IDS is installed on all servers. Work with the reviewers to determine compliance. **This check applies to Enhanced Compliance Validation visits.
The IAO will ensure all servers employ HIDS, if technically feasible. This requirement may not pertain to legacy systems and cutting edge devices that do not yet have the capability. Documentation must exist from the vendor to approve any variance from this requirement.
Ask to see the locations at the facility where computers supported by the listed name server(s) under evaluation are located (e.g., server closets, raised floor space, etc.). Note those areas that have the most extensive physical security controls. Also ask to see the locations of the name servers themselves. Then compare the physical security of the most secure computers against the physical security of the name server under evaluation. If the name server has substantially weaker physical security controls than the hosts it supports (e.g., the name server is in the DNS administrator’s cube while the servers are in a locked cage in a secure raised floor area), then this is a finding.
Working with appropriate technical and facility personnel, the IAO should arrange to relocate the name server into the same physical location as the most sensitive hosts it supports.
This check is only applicable if DNS logs are independent from system logs. If the log archival scheme for the DNS logs is weaker than the one for the system logs, then this is a finding.This check is only applicable if DNS logs are independent from system logs. If the log archival scheme for the DNS logs is weaker than the one for the system logs, then this is a finding. Windows DNS log files are normally kept in two locations. The system event logs which can be viewed from Event Viewer found under the Administrative tools from the Start Menu. In addition, debug logging options such as query, notify, and update requirements can be viewed in a file named %systemroot%\system32\dns\dns.log. BIND BIND logging files can be found by viewing the /etc/named.conf file. Within the named.conf will be an option for logging that will display the file path to the log files. In addition, most Unix machines will also log information in the syslog on the system.
Working with appropriate technical and facility personnel, the IAO should implement an archival strategy that is at least as extensive as the current archival operation for operating system logs.
If reviewing of logs is anything less than daily, or isn't performed by the ISSO/ISSM or under the ISSO/ISSM oversight, then this is a finding. In many cases, DNS logs are included within the system logs. If this is the case, then daily review of the system logs meets the requirement. If the site employs special software to scan logs for special events or key words, then this is also acceptable so long as the system issues real time alerts or is monitored at least daily. Windows DNS log files are normally kept in two locations. The system event logs which can be viewed from Event Viewer found under the Administrative tools from the Start Menu. In addition, debug logging options such as query, notify, and update requirements can be viewed in a file named %systemroot%\system32\dns\dns.log. BIND BIND logging files can be found by viewing the /etc/named.conf file. Within the named.conf will be an option for logging that will display the file path to the log files. In addition, most Unix machines will also log information in the syslog on the system. Windows DNS log files are normally kept in two locations. The system event logs which can be viewed from Event Viewer found under the Administrative tools from the Start Menu. In addition, debug logging options such as query, notify, and update requirements can be viewed in a file named %systemroot%\system32\dns\dns.log. BIND BIND logging files can be found by viewing the /etc/named.conf file. Within the named.conf will be an option for logging that will display the file path to the log files. In addition, most Unix machines will also log information in the syslog on the system.
The ISSO/ISSM should commit to reviewing logs daily or have oversight of the review daily, perhaps establishing a rotation for this purpose to ensure that days are not missed. Having a primary administrator and backup administrators rotate this responsibility will prevent a problem or warning sign from being missed because of an error in judgment.
Interview the ISSO and ask for the DNS server’s documented procedures and processes. Verify the documented procedures and processes explicitly document the roles and responsibilities for the DNS server management. These documented roles will be used to validate access controls in respective DNS technology STIGs. In some environments, the SA is also the DNS manager. In such case, the roles should still be documented. If the organization does not have the DNS server roles documented, this is a finding.
The ISSO must create and maintain a list of authorized DNS administrators for each zone and name server under the ISSOs scope of responsibility.
DNS patch and upgrade change records must include records of the date and time each patch or upgrade to DNS software was implemented, and by whom. The method of verification may be considered weak, but the requirement is merely to document the dates and times of DNS software patch and upgrades. Instruction: If there is no patch and upgrade log, then this is a finding. If there is such a log, then entries must include the date and time of any change as well as the identity of the administrator. Failure to include this information for any entry is a finding.
The SA should establish and maintain a log of the date and time each patch and upgrade to DNS software was implemented.
Fortunately, by design, the DNS architecture provides built-in redundancy support. There should always be a hot backup of zone information present whenever the primary name server is unavailable for any reason (i.e., the authoritative slave server maintains a copy of the zone files on the master). This built-in redundancy, however, does not extend to configuration files and logs. Therefore, name servers should be backed up to an external media (e.g., tape, optical disk, etc.) on a regular basis. At some locations, an automated enterprise backup system supports many servers. In this case, name servers can simply be added to the enterprise system. At other locations, backups must be performed manually, placing a considerably higher burden on administrators. In circumstances in which zone and configuration information is very static, remaining the same for several months at a time, it would make little sense to conduct daily full backups. Backups should occur as frequently as needed to capture changes on the name server. If there are no written procedures for the backup of name servers, then this is a finding. Backup in this context refers to copying the name server’s DNS configuration, keys, zones, and resource record data, at a minimum, in case it is needed for recovery at a later time. A full file system backup of the name server is preferred. If there are written backup procedures, then it must call for the backup of DNS configuration, keys, zones, and resource record data on any day in which they were modified, it this is not the case, then this is a finding. Any traditional daily tape backup scheme – whether it involves a full, incremental or differential scheme – will satisfy the requirement. Less frequent backups will also suffice if the configuration and resource record data are backed up whenever they are modified.
The IAO will establish operating procedures that will ensure that, at a minimum, DNS configuration, keys, zones, and resource record data is backed up on any day on which there are changes.
The DNS configuration change log must note the date and time any DNS configuration files were modified and the business justification for that modification. Unless the business justification is routinely so vague as to be meaningless (e.g., “user request” for every entry), the reviewer should not second-guess what constitutes an acceptable business rationale. Instruction: If there is no configuration change log, then this is a finding. If there are such records, then entries must include the date and time of any change and the business rationale for the change. Failure to include this information for any entry is a finding.
The IAO should implement, maintain, and periodically check compliance with configuration management requirements. The configuration change log should include, at a minimum, the date and time of any modifications to the DNS configuration files and the business justification for that modification.
Windows This check should be marked not applicable for all windows servers. Windows utilizes Active Directory for it’s key management or no keys at all. BIND Like user account passwords, cryptographic keys such as TSIG keys must be changed periodically to minimize the probability that they will be compromised. If there is a known compromise of a TSIG key, then it needs to be replaced immediately. One of the most important aspects of key supersession is the method that will be used to transfer newly generated keys. Possibilities, in rough order of preference, are as follows: - SSH - Encrypted e-mail using DoD PKI certificates - Secure fax (STU-III) - Regular mail (using the expedited mailing service holding the current GSA contract for "small package overnight delivery service") - Hand courier Instruction: If there are no procedures for TSIG key supersession, then this is a finding. If there are such procedures, then it must cover the following: - Frequency of key supersession - Criteria for triggering emergency supersession events - Notification of relevant personnel during emergency and non-emergency supersession - Methods for securely transferring newly generated keys This is a finding if any of these elements are missing from the supersession procedures.
The IAO should establish standard operating procedures for TSIG key supersession. These procedures should include, at a minimum, frequency of key supersession, criteria for triggering emergency supersession events, notification of relevant personnel during emergency and non-emergency supersession, and methods for securely transferring newly generated keys.
To best assure the integrity of zone files, one must not only carefully manage the manner in which requests are processed but also periodically check that the current records are valid. For example, when equipment is retired, people often fail to remove the associated host from the DNS. Without periodic checks, an attacker may use a retired host IP address to obtain valuable information from another user who was unaware of the change. Instruction: If there are no written procedures for manual updates of zone files (e.g., a new host entry), then this is a finding. If there are such procedures, then it must cover the following: - The process for updating zone records - Who is authorized to submit and approve update requests - How the DNS database administrator verifies the identity of the person from whom he or she received the request - How the DNS database administrator documents any changes made This is a finding if any of these elements are missing from the procedures for manually updating zone records. *Note: If secure dynamic updates are being utilized without any administrator interaction, then this check can be marked Not Applicable.
The IAO should establish standard operating procedures for updating zone records. These procedures should include, at a minimum, the process for updating zone records, who is authorized to submit and approve update requests, how the DNS database administrator verifies the identity of the person from whom he or she received the request, and how the DNS database administrator documents any changes made.
The intent of this check is to ensure zone queries can be answered in the event of failure of the primary name server. By requiring at least one other name server, queries will still be answered by one name server in the event of another name server failure. Using the name server configuration files, identify any zone that does not have multiple name servers. An authoritative server for each zone must have more than one name server. If there is only one name server for a zone, this is a finding. If the secondary server does not reside on a separate host, this is a finding. Windows (with Active Directory) For servers integrated with Active Directory, verify there are other domain controllers that can take over as Domain naming operations master. Open the Active Users and Computer snap in console under the Administrative tools menu. Expand the active directory domain and then expand the domain controllers folder. Ensure there are multiple domain controllers available within the domain. BIND Examine each zone file and check the NS records. There should be multiple records for the same domain with different servers authoritative for the zone. The path to the zone file can be found by examining the named.conf.
The ISSO must work with appropriate personnel to obtain and configure another name server to act as a slave to the server hosting this zone.
The intent of this requirement is to ensure all hosts in a zone can access an authoritative name server hosting their zone. Either a name server must reside on every subnet where hosts are located for each zone or name server on other subnets must be accessible for DNS queries by the hosts on subnets without a name server. NOTE: For networks with only Active Directory authoritative zones, the Microsoft Windows 2012 Server Domain Name System Security Technical Implementation Guide should be followed for explicit guidance. Determine if host records in a zone are on the same subnet. If the records are on one subnet primary and at least one secondary nameserver is required on that same subnet. If multiple subnets are found, then a server should be available for each subnet. Determine if there is a name server on each of the subnets where hosts are located. If name servers are not on each subnet where hosts are located, validate the installed name servers on other subnets are accessible by the hosts on the subnets without a name server. If each subnet hosting hosts for a zone does not have a name server on the same subnet and name servers on other subnets are not accessible by the hosts on the subnet without a name server, this is a finding. The reviewer can manually check the IP addresses of the servers being reviewed to determine if they are on the same subnet.
Working with appropriate technology and facility personnel, the ISSO should arrange to relocate one of the name servers so that it resides on a different network segment than any other name server that hosts one or more of the same zones or ensure connectivity exists to allow for accessibility across subnets from hosts to existing name servers. In cases where the zones are small and not subject to frequent change, consideration should be given to the use of hosts or lmhost files to resolve host names.
By examining the zone file, the reviewer can determine whether there are hosts defined on one of the name server’s zones that reside in more than one building. If they all reside in the same building, then this check does not apply. If the defined hosts reside in different buildings, then one of the evaluated name server’s zone partners (slave or master) must reside in an alternate building. In this case, if all of the authoritative name servers for a zone reside in the same building, then this a finding. *Note: If the the zones records are on one subnet a single nameserver is required.
Working with DNS administrators and appropriate technical and facility personnel, the IAO should either arrange for one of the existing name servers to be moved to different location, deploy an additional name server at another location, or arrange to have an existing name server at another location act as slave to the zones hosted at the current location.
This check is only applicable if the site is using private IP space within the Enclave. This is typically encountered when a site is using Network Address Translation (NAT) with private or non-routable IPs. BIND This configuration should be evidenced by the use of the view statement in the named.conf file. If it is not, then the DNS administrator must satisfactorily explain how an alternative mechanism achieves the same effect. If the site employs NAT and a split DNS configuration is not employed or a satisfactory alternative mechanism is not employed, then this is a finding. The objective is that an external DNS client should have no means of querying the DNS to obtain a host-to-IP-address mapping for an internal host that has a private or non-routable IP. Windows Review each zone and search for any private IP addresses. If private addresses are being utilized internally and their respective domain names are also capable of being accessed from outside the enclave, then ask the DNS administrator to explain if they are implementing a split DNS configuration. Note: Split DNS can also be referred to as split-horizon and split-brain DNS. The best approach is to maintain separate servers for the external/internal zone records. Most other approaches involve forwarding from the internal server, which is against the STIG guidelines.
The IAO will ensure, when using private IP address space within an Enclave, that a split-DNS configuration is implemented to prevent the private address space from leaking into the public DNS system.
BIND DNS zone record documentation will preferably reside in the zone file itself through comments, but if this is not feasible, the DNS database administrator will maintain a separate database for this purpose. The zone file location can be found by examining the named.conf and searching for the zone statement. Within the zone statement will be a file option that will display the name of the zone file. Windows Ask the DNS database administrator if they maintain a separate database with record documentation. Windows DNS does not provide the capability to insert comments for records in a zone. Review the zone files/database. If the records are not fully documented, then this is a finding. The zone record documentation is to include, at a minimum: - The owner of each zone record - The date the zone record was created - The date the zone record was last modified - The date the zone record was last verified Records can be grouped (e.g., a number of workstations residing in the same area or a high-availability server cluster)
The DNS database administrator will document, at a minimum, the owner of each zone record (or group of related records) and the date the record was created, last modified, or verified. This documentation will preferably reside in the zone file itself through comments, but if this is not feasible, the DNS database administrator will maintain a separate database for this purpose.
Review the DNS name server software on the platform to determine what DNS software is running. If the name server is running a DNS implementation other than ISC BIND, Windows 2003 or later DNS, or equivalent DNS dedicated device such as Infoblox, then this is a finding. Cisco CSS DNS is limited to only those hosts defined in the csd.disa.mil domain. CSS DNS is subject both to these general security requirements, where applicable, and the specific STIG guidance for this product.
Working with DNS software administrators and other appropriate technical personnel, the IAO should oversee a migration to an approved name server software.
Work with the Network administrator to determine whether external hosts are able to query a name server on the internal network. DNS runs on ports 53/TCP for zone transfers and 53/UDP for queries. These ports should be blocked at the firewall or router to internal DNS servers. If external hosts are able to query a name server on the internal network, then this is a finding.
Working with appropriate technical personnel, the IAO should establish firewall rules and/or router ACLs that prohibit access to the name server from external hosts.
Interview the IAO or SA and ask to see the DNS architecture documentation to include roles for each server, security controls, and the list of networks that are able to query the DNS server.
Document the DNS architecture to include the location, function, role, and security controls for all DNS servers.
Review the Operating System to determine if it is supported by the vendor, e.g. Windows NT is no longer supported.
The IAO should develop a migration plan to upgrade or replace any out of date software or any software that is no longer vendor supported.
If the site is using BIND, interview the SA to determine if they have subscribed to ISC’s mailing list called “bind-announce” (information on the Internet at ttp://www.isc.org/sw/bind/bind-lists.php) for vulnerabilities and software notifications.Note: This check only applies to Windows and Unix systems running BIND. It should be marked Not Applicable for those not running BIND. If the site is using BIND, interview the SA to determine if they have subscribed to ISC’s mailing list called “bind-announce” (information on the Internet at http://www.isc.org/sw/bind/bind-lists.php) for vulnerabilities and software notifications.
If BIND is utilized, the SA will subscribe to ISC’s mailing list called “bind-announce” (information on the Internet at http://www.isc.org/sw/bind/bind-lists.php) for vulnerabilities and software notifications.
Interview the DNS administrator and ask if there is a procedure in place to review and validate the contents of the zones he/she is responsible for, at least annually.
The IAO will ensure the DNS administrator reviews the contents of the zones they are responsible for, at least annually.
Review the Operating System against the appropriate OS STIG. For a Windows system this would mean an evaluation with the Gold Disk; for a UNIX/LINUX system this would mean an evaluation using the SRR scripts. STIG compliance means that all findings are either closed, or there is a POA&M to address any outstanding vulnerabilities.
The underlying Operating System of the DNS server must be in compliance with the appropriate OS STIG.
If the site POC cannot produce a list of backup personnel authorized to administer each zone and name server, then this is a finding. If any zone or name server has only one DNS database administrator or only one DNS software administrator, then this is a finding. If there is not a backup administrator for both roles, then this is a finding.
Working with appropriate resource managers, the IAO should identify a backup DNS administrator for each zone and name server under the IAOs scope of responsibility.
Validation of compliance with the requirements is determined via an operating system console. An authorized SA should perform the required actions. He or she will work side-by-side with the reviewer to determine which commands are most appropriate at certain points in the review. UNIX Instruction: In the presence of the reviewer, the SA should enter the following command: named –v or, what /usr/sbin/named | grep named If a version of BIND 9.4-ESV-R4, 9.6.2-P3, 9.6-ESV-R3, or 9.7.2-P3 above is not installed, then this is a finding. If subsequent IAVA guidance recommends a BIND upgrade, then that guidance will supersede this requirement. Windows (with BIND) Instruction: The reviewer must work with the SA to obtain the owner of the named.exe or dns.exe service. In the presence of the reviewer, the SA should right-click on the named.exe or dns.exe service name file and select Properties | Version tab. The version should be displayed in the “Description” field. If a version of BIND prior to BIND 9.4-ESV-R4, 9.6.2-P3, 9.6-ESV-R3, 9.7.2-P3 is running, then this is a finding. If subsequent IAVA guidance recommends a BIND upgrade, then that guidance will supersede this requirement. Windows (Native) Instruction: The reviewer must ensure the operating system is Windows 2003 or later. If it is not, then this is a finding.
Working with DNS software administrators and other appropriate technical personnel, the IAO should oversee a migration to an approved name server software version.