Domain Name System Security Checklist

Name: Domain Name System Security Checklist

Version: Version 3 Release 1.1

Status: Final

Creation Date: Not available.

Revision Date: 2007-03-15

Product Category: Domain Name System

Vendor:
  Internet Security Consortium, Inc.
  Microsoft Corporation
  Cisco Systems

Product:
  Bind 9.2.1
  Bind 9.2.1 for Microsoft Windows NT, 2000, 2003
  Windows 2000 DNS
  CSS DNS

Product Version:
  Bind 9.2.1
  Bind 9.2.1 for Microsoft Windows NT, 2000, 2003
  Windows 2000 DNS
  CSS DNS

Product Role: Domain Name Server
Checklist Summary:
  This document contains procedures that enable qualified personnel to conduct a Domain Name System (DNS) Security Readiness Review (SRR). The DNS SRR assesses an organization’s compliance with the Defense Information Systems Agency (DISA) DNS Security Technical Implementation Guidance (STIG). DISA Field Security Operations (FSO) conducts SRRs to provide DISA, Joint Commands, and other Department of Defense (DOD) organizations with a level of confidence that their DNS is secure and can adequately support their mission. This document provides step by step instructions to verify Domain Name Systems are securely configured.

  The primary objects of a DNS SRR are the site’s administrative practices, name servers, and the zones these name servers support. The DNS Checklist is divided into several Potential Discrepancy Lists (PDLs). The Site Administration and Zone Architecture PDLs are considered network assets. The Name Server Requirements, BIND Name Server Configuration, UNIX OS Configuration to Support BIND, Windows OS Configuration to Support BIND, Windows 2000 DNS Name Server Configuration, and Cisco CSS Configuration PDLs are considered server assets.

  As security is only as strong as the weakest link, the review should cover all supporting name servers. In some cases, this may not be feasible (e.g., the name server is at a remote site), but if any server supporting a zone is not assessed, this should be clearly documented in the SRR final report. Organizations may also have several caching name servers, i.e., ones that can resolve client queries, but which are not necessarily authoritative for any DNS records. These are the servers that are listed in the DNS configuration of the computers on the internal network. A DNS SRR should also evaluate all of the organization’s caching name servers, but a sample may suffice if there are resource or time constraints.

  This document contains survey instruments that can assist a reviewer when collecting data on the organization’s DNS infrastructure. Once information is gathered and evaluated, the reviewer will record findings of Potential Discrepancy Items (PDIs) in the SRR Results Report included later in the document.
Known Issues:
  The reviewer must examine the IAVM notices carefully when there are potential issues. In future releases of the checklist, additional guidance will be provided on how to check for these scenarios.
Target Audience:
  Developed for the DOD. This checklist has been created for IT professionals, particularly network system administrators and information security personnel. The document assumes that the reader has experience installing and administering DNS servers.
Target Operational Environment:
  Enterprise and Specialized Security-Limited Functionality.

Checklist Installation Tools:
  The SRR team lead or reviewer should obtain as much as he or she can from the personnel specified in the checklist prior to continuing on with the checklist, as this obtained information will greatly assist the reviewer in completing the PDIs and reduce the time required to complete the review.
  The scripts need to be unzipped (Windows) or untarred/uncompressed (Unix) and/or copied to the host system (Windows, Unix copy commands).

Rollback Capability:
  The scripts create temporary tables to store and hold results to produce the results files. These files are removed at the completion of the script. No other changes are made to the DNS components.

Testing Information: Not available.

NIAP/CMVP Status: Not available.

Regulatory Compliance: DOD Directive 8500.

Comments, Warnings, Disclaimer, Miscellaneous:
  Please refer to the Checklist or the README.txt files provided with the scripts for any comments, warnings, or detailed instructions.

Disclaimer: Not available.

Product Support:
  It should be noted that FSO Support for the STIGs, Checklists, and Tools is only available to DOD Customers.

Submitting Organization/Authors: Defense Information Systems Agency

Point of Contact: Not available.

Sponsor: Not available.

Licensing: Not available.

Checklist Homepage: http://iase.disa.mil/stigs/checklist/index.html

Download Package: http://iase.disa.mil/stigs/checklist/DNS-Checklist-V3R1-1.pdf

Integrity:
  SHA1 Digest (DNS-Checklist-V3R1-1.pdf) = ad708e892acc73046c4956558cf3ea3d8786c4c9
  SHA256 Digest (DNS-Checklist-V3R1-1.pdf) = f528732b86dc77a3c62bce8e7be38811b8730633c0f20bdc1d76c7906d878230

Change History:
  Version 1, Release 1, date unknown
  Version 1, Release 2.2, date unknown
  Version 1, Release 3.1, date unknown
  Version 2, Release 1.1, 2004-05-12
  Version 2, Release 1.2, 2004-07-15
  Version 2, Release 1.3, 2005-08-08
  Version 2, Release 2, 2006-06-16
  Version 3, Release 1, 2006-12-08
  Version 3, Release 1.1, 2007-03-15

Dependency/Requirement:
  Domain Name System Security Technical Implementation Guide, v2 Release 2

References: Not available.

NIST Identifier: 1062
NIST and the checklist submitter do not guarantee or warrant the checklist's
accuracy or completeness. NIST is not responsible for loss, damage, or
problems that may be caused by using the checklist.