This DNS Security Technical Implementation Guide (STIG) is designed to assist administrators with the configuration of DNS server software (BIND, Windows 2000 DNS, and CSS DNS) and related portions of the underlying operating system. This STIG also provides guidance for standard operating procedures related to configuration management, business continuity, and other topics, such as a DNS overview and general security requirements for DNS architectures.

This document details DOD DNS security practices and procedures applicable to all DOD Top Level Domain (TLD) and below name servers. The policy portions of this STIG are relevant to all name servers connected to either the DOD Non-Classified Internet Protocol Router Network (NIPRNet) or Secret Internet Protocol Router Network (SIPRNet). This includes the following entities, which are hereinafter referred to as sites or facilities:

- Defense Enterprise Computing Centers (DECCs)
- Defense Enterprise Computing Center-Detachments (DECC-Ds)
- Regional Network Operations and Security Centers (RNOSCs)
- DOD Components
- Systems Support Offices (SSOs)
- Combatant Commanders
- Other DISA customers

This document supports the following implementations of DNS:

- BIND 9.2.1
- BIND 9.2.1 for Microsoft Windows NT, Windows 2000, and Windows 2003
- Windows 2000 DNS
- CSS DNS

Field use of Berkeley Internet Name Domain (BIND) releases 8.2.7 and above, 8.3.4 and above, and 9.2.1 and above is acceptable, but this document does not detail the syntax of BIND 8 configuration statements. In most cases, BIND 8 and BIND 9 statements are identical. When they are not, organizations deploying BIND 8 must make the appropriate changes to the BIND 9 syntax in this document to achieve the desired effect.

This document supersedes previous DNS guidance found in the Network and UNIX STIGs. It also has implications for organizations within the scope of the Enclave, IP WAN, and Web Server STIGs.