AlmaLinux OS 9 systems using Domain Name Servers (DNS) resolution must have at least two name servers configured.

STIG ID: ALMA-09-023670  |  SRG: SRG-OS-000480-GPOS-00227 |  Severity: medium |  CCI: CCI-000366 |  Vulnerability Id: V-269289

Vulnerability Discussion

To provide availability for name resolution services, multiple redundant name servers are mandated. A failure in name resolution could lead to the failure of security functions requiring name resolution, which may include time synchronization, centralized authentication, and remote system logging.

Check

Verify the name servers used by the system with the following command:

$ grep nameserver /etc/resolv.conf

nameserver 192.168.2.4
nameserver 192.168.2.5

If less than two lines are returned that are not commented out, this is a finding.

Fix

Configure the operating system to use two or more name servers for DNS resolution based on the DNS mode of the system.

If the NetworkManager DNS mode is set to "none" in the [main] section of /etc/NetworkManager/NetworkManager.conf, then add the following lines to "/etc/resolv.conf":

nameserver [name server 1]
nameserver [name server 2]

Replace [name server 1] and [name server 2] with the IPs of two different DNS resolvers.

If the NetworkManager DNS mode is set to "default", then add two DNS servers to a NetworkManager connection using the following commands:

$ nmcli connection modify [connection name] ipv4.dns [name server 1]
$ nmcli connection modify [connection name] ipv4.dns [name server 2]

Replace [name server 1] and [name server 2] with the IPs of two different DNS resolvers. Replace [connection name] with a valid NetworkManager connection name on the system. Replace "ipv4" with "ipv6" if IPv6 DNS servers are used.
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.