V-272411

Discussion

The use of CNAME records for exercises, tests, or zone-spanning aliases should be temporary (e.g., to facilitate a migration). When a host name is an alias for a record in another zone, an adversary has two points of attack: the zone in which the alias is defined and the zone authoritative for the alias's canonical name. This configuration also reduces the speed of client resolution because it requires a second lookup after obtaining the canonical name. Furthermore, in the case of an authoritative name server, this information is promulgated throughout the enterprise to caching servers and thus compounds the vulnerability.

Check Content

Verify that the zone files used by the BIND 9.x server do not contain resource records for a domain in which the server is not authoritative.

Inspect the "named.conf" file for the following:

zone example.com {
file "db.example.com.signed";
};

Inspect each zone file for "CNAME" records and verify with the DNS administrator that these records are less than six months old.

The exceptions are glue records supporting zone delegations, CNAME records supporting a system migration, or CNAME records that point to third-party Content Delivery Networks (CDN) or cloud computing platforms. In the case of third-party CDNs or cloud offerings, an approved mission need must be demonstrated.

If there are CNAME records that point to third-party Content Delivery Networks (CDNs) or cloud computing platforms without an authorizing official (AO)-approved and documented mission need, this is a finding.

If a CNAME record is more than six months old, excluding the above, this is a finding.