STIGQter STIGQter: STIG Summary: BIND 9.x Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 22 Jan 2021:

A BIND 9.x server implementation must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of Denial of Service (DoS) attacks.

DISA Rule

SV-207553r612253_rule

Vulnerability Number

V-207553

Group Title

SRG-APP-000247-DNS-000036

Rule Version

BIND-9X-001054

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the authoritative name server to prohibit recursion.

Edit the "named.conf" file and add the following sub statements to the options statement:

recursion no;
allow-query { none };

Configure each zone to limit queries to authorized hosts:

Edit the "named.conf" file and add the following sub statement to each zone definition:

allow-query { address_match_list; };

Restart the BIND 9.x process

Check Contents

If this is a recursive name server, this is not applicable.

Note: A recursive name server should NOT be configured as an authoritative name server for any zone.

Verify that the BIND 9.x server is configured to prohibit recursion on authoritative name servers.

Inspect the "named.conf" file for the following:

options {
recursion no;
allow-query {none;};
};

If the "recursion" sub statement is missing, or set to "yes", this is a finding.

If the "allow-query" sub statement under the "options statement" is not set to "none", this is a finding.

Verify that an "allow-query" sub statement under each zone statement is configured to authorized hosts:

zone "example.com" {
type master;
file "db.example.com";
allow-query { (address_match_list | <ip_address>) };
};

If the "allow-query" sub statement under each zone statement is not restricted to authorized hosts, this is a finding.

Vulnerability Number

V-207553

Documentable

False

Rule Version

BIND-9X-001054

Severity Override Guidance

If this is a recursive name server, this is not applicable.

Note: A recursive name server should NOT be configured as an authoritative name server for any zone.

Verify that the BIND 9.x server is configured to prohibit recursion on authoritative name servers.

Inspect the "named.conf" file for the following:

options {
recursion no;
allow-query {none;};
};

If the "recursion" sub statement is missing, or set to "yes", this is a finding.

If the "allow-query" sub statement under the "options statement" is not set to "none", this is a finding.

Verify that an "allow-query" sub statement under each zone statement is configured to authorized hosts:

zone "example.com" {
type master;
file "db.example.com";
allow-query { (address_match_list | <ip_address>) };
};

If the "allow-query" sub statement under each zone statement is not restricted to authorized hosts, this is a finding.

Check Content Reference

M

Target Key

2926

Comments