InformationThe operating systems that are using DNS resolution, must have at least two name servers configured.
To provide availability for name resolution services, multiple redundant name servers are mandated. A failure in name resolution could lead to the failure of security functions requiring name resolution, which may include time synchronization, centralized authentication, and remote system logging.
SolutionConfigure the operating system to use two or more name servers for DNS resolution.
Edit the /etc/resolv.conf file to uncomment or add the two or more nameserver option lines with the IP address of local authoritative name servers. If local host resolution is being performed, the /etc/resolv.conf file must be empty. An empty /etc/resolv.conf file can be created as follows:
# echo -n > /etc/resolv.conf
And then make the file immutable with the following command:
# chattr +i /etc/resolv.conf
If the /etc/resolv.conf file must be mutable, the required configuration must be documented with the Authorizing Official and the file must be verified by the system file integrity tool.
This Benchmark recommendation maps to:
Red Hat Enterprise Linux 7 Security Technical Implementation Guide:
Version 2, Release: 3 Benchmark Date: 26 Apr 2019
Vul ID: V-72281
Rule ID: SV-86905r2_rule
STIG ID: RHEL-07-040600
Severity: CAT III