{
  "description": "\nMultiple Domain Name System (DNS) servers should be configured\nin <tt>/etc/resolv.conf</tt>. This provides redundant name resolution services\nin the event that one name server becomes unreachable. To configure the system with\nat least <tt>2</tt> DNS servers, add a corresponding <tt>nameserver\n<i>ip_address</i></tt> entry in <tt>/etc/resolv.conf</tt> for each DNS\nserver, where <i>ip_address</i> is the IP address of a valid DNS server.\nFor example:\n<pre>search example.com\nnameserver 192.168.0.1\nnameserver 192.168.0.2</pre>\nNote that the glibc resolver consults at most the first three <tt>nameserver</tt>\nentries, and that on Ubuntu 22.04 <tt>/etc/resolv.conf</tt> is commonly a symlink to the\n<tt>systemd-resolved</tt> stub file, which lists only <tt>nameserver 127.0.0.53</tt>. In that\ncase the upstream servers are configured through NetworkManager, netplan, or\n<tt>/etc/systemd/resolved.conf</tt> and can be listed with <tt>resolvectl status</tt>.",
  "rationale": "To provide availability for name resolution services, multiple redundant\nname servers are mandated. A failure in name resolution could lead to the\nfailure of security functions requiring name resolution, which may include\ntime synchronization, centralized authentication, and remote system logging.",
  "severity": "medium",
  "references": {
    "cis-csc": ["12", "15", "8"],
    "cobit5": ["APO13.01", "DSS05.02"],
    "isa-62443-2013": ["SR 3.1", "SR 3.5", "SR 3.8", "SR 4.1", "SR 4.3", "SR 5.1", "SR 5.2", "SR 5.3", "SR 7.1", "SR 7.6"],
    "iso27001-2013": ["A.13.1.1", "A.13.2.1", "A.14.1.3"],
    "nist": ["SC-20(a)", "CM-6(a)"],
    "nist-csf": ["PR.PT-4"],
    "srg": ["SRG-OS-000480-GPOS-00227"]
  },
  "control_references": {},
  "components": [],
  "identifiers": {},
  "ocil_clause": "fewer than two lines are returned that are not commented out",
  "ocil": "To verify that DNS servers have been configured properly, run the following:\n<pre>$ sudo grep nameserver /etc/resolv.conf</pre>",
  "oval_external_content": null,
  "fixtext": "Configure Ubuntu 22.04 to use two or more name servers for DNS resolution.\n\nBy default, \"NetworkManager\" on Ubuntu 22.04 dynamically updates the /etc/resolv.conf file with the DNS settings from active \"NetworkManager\" connection profiles. However, this feature can be disabled to allow manual configuration.\n\nIf manually configuring DNS, edit the \"/etc/resolv.conf\" file to uncomment or add two or more \"nameserver\" lines, each with the IP address of a local authoritative name server. If \"/etc/resolv.conf\" is a symlink into /run/systemd/resolve/ (the systemd-resolved stub file), replace the symlink with a regular file first (for example, remove it with \"sudo rm /etc/resolv.conf\" before creating the new file); otherwise systemd-resolved will regenerate the target and discard the manual entries.\n\nIf local host resolution is being performed, the \"/etc/resolv.conf\" file must be empty. Note that \"sudo echo -n > /etc/resolv.conf\" does not work, because the redirection is performed by the unprivileged calling shell before \"sudo\" runs. An empty \"/etc/resolv.conf\" file can be created as follows:\n\n$ sudo sh -c 'echo -n > /etc/resolv.conf'",
  "checktext": "",
  "vuldiscussion": "",
  "srg_requirement": "For Ubuntu 22.04 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured.",
  "warnings": [
    {
      "general": "This rule does not come with an automated remediation; the IP addresses of local authoritative name servers need to be added by the administrator."
    }
  ],
  "conflicts": [],
  "requires": [],
  "policy_specific_content": {
    "stig": {
      "srg_requirement": "Ubuntu 22.04 systems using Domain Name Servers (DNS) resolution must have at least two name servers configured.",
      "vuldiscussion": "To provide availability for name resolution services, multiple redundant name servers are mandated. A failure in name resolution could lead to the failure of security functions requiring name resolution, which may include time synchronization, centralized authentication, and remote system logging.",
      "checktext": "Note: If the system is running in a cloud platform and the cloud provider gives a single, highly available IP address for DNS configuration, this control is Not Applicable.\n\nNote: If \"/etc/resolv.conf\" contains only the systemd-resolved stub entry \"nameserver 127.0.0.53\", the upstream name servers are configured elsewhere; list them with \"resolvectl status\" and count those instead.\n\nVerify the name servers used by the system with the following command:\n\n$ grep nameserver /etc/resolv.conf\n\nnameserver 192.168.1.2\nnameserver 192.168.1.3\n\nIf fewer than two lines are returned that are not commented out, this is a finding.",
      "fixtext": "Configure the operating system to use two or more name servers for DNS resolution based on the DNS mode of the system.\n\nIf the NetworkManager DNS mode is set to \"none\", add the following lines to \"/etc/resolv.conf\":\n\nnameserver [name server 1]\nnameserver [name server 2]\n\nReplace [name server 1] and [name server 2] with the IPs of two different DNS resolvers.\n\nIf the NetworkManager DNS mode is set to \"default\", add two DNS servers to a NetworkManager connection using the following command:\n\n$ nmcli connection modify [connection name] ipv4.dns [name server 1],[name server 2]\n\nReplace [name server 1] and [name server 2] with the IPs of two different DNS resolvers. Replace [connection name] with a valid NetworkManager connection name on the system. Replace ipv4 with ipv6 if IPv6 DNS servers are used. Reactivate the connection with \"nmcli connection up [connection name]\" so that the new settings are written out."
    }
  },
  "platform": null,
  "platforms": [],
  "sce_metadata": {},
  "inherited_platforms": [],
  "cpe_platform_names": [],
  "inherited_cpe_platform_names": [],
  "bash_conditional": null,
  "fixes": {},
  "title": "Configure Multiple DNS Servers in /etc/resolv.conf",
  "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/network/network_configure_name_resolution/rule.yml",
  "template": null
}
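The `grep nameserver /etc/resolv.conf` check in the rule above also matches commented-out lines, and on Ubuntu 22.04 it frequently sees only the systemd-resolved stub entry. The following POSIX shell functions are an added example, not part of the SSG rule or the DISA STIG text: they implement the check as the OCIL clause intends, counting only active `nameserver` entries (per resolv.conf(5), both `#` and `;` begin a comment and leading whitespace is allowed) and reporting the stub case separately so a reviewer knows to consult `resolvectl status` instead of recording a finding. The default path, the `STUB_ADDR` constant and the sample files in the usage note are assumptions made for this example.

```shell
#!/bin/sh
# Added example; not part of the SSG rule or the DISA STIG text.
# Counts the active "nameserver" entries in a resolv.conf-style file the
# way the check intends: commented-out lines are ignored. Per resolv.conf(5)
# both '#' and ';' start a comment, and leading whitespace is allowed.

STUB_ADDR=127.0.0.53   # assumed: address of the systemd-resolved stub listener

# Print the number of active "nameserver <address>" entries in FILE ($1).
count_nameservers() {
    sed -e 's/[#;].*$//' "$1" |
        awk '$1 == "nameserver" && $2 != "" { n++ } END { print n + 0 }'
}

# Print the addresses of the active nameserver entries in FILE ($1), one per line.
list_nameservers() {
    sed -e 's/[#;].*$//' "$1" |
        awk '$1 == "nameserver" && $2 != "" { print $2 }'
}

# Return 0 when FILE (default /etc/resolv.conf) lists two or more active
# name servers, 1 otherwise. A file whose only entry is the stub address
# says nothing about the upstream servers, so it is reported as STUB and
# the reviewer is pointed at `resolvectl status` rather than failed blindly.
check_resolv() {
    file=${1:-/etc/resolv.conf}
    if [ ! -r "$file" ]; then
        echo "FAIL: $file is missing or unreadable"
        return 1
    fi
    n=$(count_nameservers "$file")
    if [ "$n" -ge 2 ]; then
        echo "PASS: $file lists $n active name servers"
        return 0
    fi
    if [ "$n" -eq 1 ] && list_nameservers "$file" | grep -qxF "$STUB_ADDR"; then
        echo "STUB: $file only points at the systemd-resolved stub ($STUB_ADDR); run 'resolvectl status' and count the upstream DNS servers"
        return 1
    fi
    echo "FAIL: $file lists $n active name server(s); at least 2 are required"
    return 1
}
```

Call `check_resolv` with no argument to inspect the live /etc/resolv.conf; the exit status is 0 only when the rule is satisfied, so the function can be dropped straight into an audit script. With a constructed file containing `nameserver 192.168.0.1` and `#nameserver 192.168.0.2`, `count_nameservers` returns 1 and `check_resolv` reports FAIL, which the plain `grep` would have passed.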