← Back to SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide

V-22549

CAT II (Medium)

The DHCP client must not send dynamic DNS updates.

Rule ID

SV-45988r2_rule

STIG

SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide

Version

V1R12

CCIs

CCI-000366

Discussion

Dynamic DNS updates transmit unencrypted information about a system including its name and address and should not be used unless needed.

Check Content

If the "dhcp-client" package is not installed, this is not applicable.

Verify the DHCP client is configured to not send dynamic DNS updates.

Procedure:
# rpm –q dhcp-client   
If DHCP client is found then issue following command to determine if the DHCP client sends dynamic DNS updates:

# grep do-forward-updates /etc/dhclient.conf

If the DHCP client is installed and the configuration file is not present, or contains do-forward-updates = “true”, then this is a finding

Fix Text

Edit or add the "/etc/dhclient.conf" file and add or edit the "do-forward-updates" setting to false.

Procedure:
# echo "do-forward-updates false;" >> /etc/dhclient.conf