{"description": "Dynamic DNS allows clients to dynamically update their own DNS records.\nThe updates are transmitted by unencrypted means which can reveal information\nto a potential malicious user. If the system does not require Dynamic DNS,\nremove all DHCP_HOSTNAME references from the\n/etc/sysconfig/network-scripts/ifcfg-interface scripts. If\ndhclient is used, remove all send host-name hostname\nreferences from the /etc/dhclient.conf configuration file and/or any\nreference from the /etc/dhcp directory.", "rationale": "Dynamic DNS updates transmit unencrypted information about a system\nincluding its name and address and should not be used unless needed.", "severity": "medium", "references": {"cis-csc": ["11", "3", "9"], "cobit5": ["BAI10.01", "BAI10.02", "BAI10.03", "BAI10.05"], "isa-62443-2009": ["4.3.4.3.2", "4.3.4.3.3"], "isa-62443-2013": ["SR 7.6"], "iso27001-2013": ["A.12.1.2", "A.12.5.1", "A.12.6.2", "A.14.2.2", "A.14.2.3", "A.14.2.4"], "nist": ["CM-7(a)", "CM-7(b)", "CM-6(a)"], "nist-csf": ["PR.IP-1"], "srg": ["SRG-OS-000480-GPOS-00227"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "client Dynamic DNS updates are not disabled", "ocil": "To verify that clients cannot automatically update DNS records, perform the\nfollowing:\n$ grep -i dhcp_hostname /etc/sysconfig/network-scripts/ifcfg-*
\n$ grep -rni \"send host-name\" /etc/dhclient.conf /etc/dhcp
\nThe output should return no results.", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": [], "cpe_platform_names": [], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Disable Client Dynamic DNS Updates", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/network/network_disable_ddns_interfaces/rule.yml", "template": null}