RHEL 10 must configure a DNS processing mode in Network Manager to avoid conflicts with other Domain Name Server (DNS) managers and to not leak DNS queries to untrusted networks.

STIG ID: RHEL-10-800300  |  SRG: SRG-OS-000420-GPOS-00186  |  Severity: medium (CAT II)  |  CCI: CCI-002385, CCI-001115  |  Vulnerability Id: V-281362

Vulnerability Discussion

To ensure that DNS resolver settings are respected, a DNS mode in Network Manager must be configured. The following are common values of the "dns" key in the "[main]" section of "NetworkManager.conf":

- default: NetworkManager will update "/etc/resolv.conf" to reflect the nameservers provided by currently active connections.
- none: NetworkManager will not modify "/etc/resolv.conf". Used when DNS is managed manually or by another service.
- systemd-resolved: Uses "systemd-resolved" to manage DNS.
- dnsmasq: Enables the internal "dnsmasq" plugin.

Satisfies: SRG-OS-000420-GPOS-00186, SRG-OS-000142-GPOS-00091

Check

Verify RHEL 10 has a DNS mode configured in Network Manager.

$ NetworkManager --print-config
[main]
dns=none

If the dns key under "main" does not exist or is set to "dnsmasq", this is a finding.

Note: If RHEL 10 is configured to use a DNS resolver other than Network Manager, the configuration must be documented and approved by the information system security officer.
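The check above, scripted as an added example that is not part of the STIG text: the function reads the output of "NetworkManager --print-config" (or a saved copy of it), takes the "dns" key from the "[main]" section only, and reports a finding when the key is absent or set to "dnsmasq". The sample configuration at the end is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the STIG text: evaluate RHEL-10-800300 against the
# text of `NetworkManager --print-config` (or a saved copy of it) passed as $1.
# Only the [main] section counts, so the current section is tracked while reading.

# Print the value of the dns key from [main]; print nothing if the key is absent.
dns_mode_from_config() {
    awk '
        /^[[:space:]]*\[/ {                      # section header, e.g. "[main]"
            section = $0
            sub(/^[[:space:]]*\[/, "", section)
            sub(/\].*$/, "", section)
            next
        }
        section == "main" && /^[[:space:]]*dns[[:space:]]*=/ {
            sub(/^[[:space:]]*dns[[:space:]]*=[[:space:]]*/, "")   # keep only the value
            sub(/[[:space:]]+$/, "")
            print
            exit
        }
    '
}

# Exit status: 0 = compliant, 1 = finding (key missing or dnsmasq),
# 2 = a mode the STIG does not list (document and get it approved, per the Note).
check_dns_mode() {
    _mode=$(printf '%s\n' "$1" | dns_mode_from_config)
    case "$_mode" in
        "")      echo "FINDING: no dns key in [main]"; return 1 ;;
        dnsmasq) echo "FINDING: dns=dnsmasq"; return 1 ;;
        default|none|systemd-resolved)
                 echo "PASS: dns=$_mode"; return 0 ;;
        *)       echo "REVIEW: dns=$_mode is not a listed mode"; return 2 ;;
    esac
}

# Constructed sample in the shape of --print-config output; on a real host use:
#   check_dns_mode "$(NetworkManager --print-config)"
SAMPLE_CONFIG='# NetworkManager.conf
[main]
plugins=keyfile
dns=none

[logging]
level=INFO'
check_dns_mode "$SAMPLE_CONFIG"
```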

Fix

Configure RHEL 10 to use a DNS mode in Network Manager.

In "/etc/NetworkManager/NetworkManager.conf", add the following line in the "[main]" section:

dns = none

Here "none" is the DNS processing mode; the permitted values are default, none, or systemd-resolved.

Network Manager must be reloaded for the change to take effect:

$ sudo systemctl reload NetworkManager