{"description": "To prevent the DHCP server from receiving DNS information from\nclients, edit <tt>/etc/dhcp/dhcpd.conf</tt>, and add or correct the following global\noption: <pre>ddns-update-style none;</pre>", "rationale": "The Dynamic DNS protocol is used to remotely update the data served\nby a DNS server. DHCP servers can use Dynamic DNS to publish information about\ntheir clients. This setup carries security risks, and its use is not\nrecommended.  If Dynamic DNS must be used despite the risks it poses, it is\ncritical that Dynamic DNS transactions be protected using TSIG or some other\ncryptographic authentication mechanism. See dhcpd.conf(5) for more information\nabout protecting the DHCP server from passing along malicious DNS data from its\nclients.", "severity": "unknown", "references": {"cis-csc": ["11", "14", "3", "9"], "cobit5": ["BAI10.01", "BAI10.02", "BAI10.03", "BAI10.05", "DSS05.02", "DSS05.05", "DSS06.06"], "isa-62443-2009": ["4.3.3.5.1", "4.3.3.5.2", "4.3.3.5.3", "4.3.3.5.4", "4.3.3.5.5", "4.3.3.5.6", "4.3.3.5.7", "4.3.3.5.8", "4.3.3.6.1", "4.3.3.6.2", "4.3.3.6.3", "4.3.3.6.4", "4.3.3.6.5", "4.3.3.6.6", "4.3.3.6.7", "4.3.3.6.8", "4.3.3.6.9", "4.3.3.7.1", "4.3.3.7.2", "4.3.3.7.3", "4.3.3.7.4", "4.3.4.3.2", "4.3.4.3.3"], "isa-62443-2013": ["SR 1.1", "SR 1.10", "SR 1.11", "SR 1.12", "SR 1.13", "SR 1.2", "SR 1.3", "SR 1.4", "SR 1.5", "SR 1.6", "SR 1.7", "SR 1.8", "SR 1.9", "SR 2.1", "SR 2.2", "SR 2.3", "SR 2.4", "SR 2.5", "SR 2.6", "SR 2.7", "SR 7.6"], "iso27001-2013": ["A.12.1.2", "A.12.5.1", "A.12.6.2", "A.14.2.2", "A.14.2.3", "A.14.2.4", "A.9.1.2"], "nist": ["CM-7(a)", "CM-7(b)", "CM-6(a)"], "nist-csf": ["PR.IP-1", "PR.PT-3"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": null, "ocil": null, "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [{"general": "The ddns-update-style option controls only whether\nthe DHCP server will attempt to act as a\nDynamic DNS client. As long as the DNS\nserver itself is correctly configured to reject DDNS attempts, an incorrect\nddns-update-style setting on the client is harmless (but should be fixed as a\nbest practice)."}], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": [], "cpe_platform_names": [], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Do Not Use Dynamic DNS", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/services/dhcp/dhcp_server_configuration/dhcp_server_disable_ddns/rule.yml", "template": null}