STIGQter STIGQter: STIG Summary: BIND 9.x Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 22 Jan 2021:

A BIND 9.x implementation configured as a caching name server must restrict recursive queries to only the IP addresses and IP address ranges of known supported clients.

DISA Rule

SV-207560r612253_rule

Vulnerability Number

V-207560

Group Title

SRG-APP-000246-DNS-000035

Rule Version

BIND-9X-001080

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the caching name server to accept recursive queries only from the IP addresses and address ranges of known supported clients.

Edit the "named.conf" file and add the following to the options statement:

allow-query {trustworthy_hosts;};
allow-recursion {trustworthy_hosts;};

Restart the BIND 9.x process

Check Contents

This check is only applicable to caching name servers.

Verify the allow-query and allow-recursion phrases are properly configured.

Inspect the "named.conf" file for the following:

allow-query {trustworthy_hosts;};
allow-recursion {trustworthy_hosts;};

The name of the ACL does not need to be "trustworthy_hosts" but the name should match the ACL name defined earlier in "named.conf" for this purpose. If not, this is a finding.

Verify non-internal IP addresses do not appear in either the referenced ACL (e.g., trustworthy_hosts) or directly in the statements themselves.

If non-internal IP addresses appear, this is a finding.

Vulnerability Number

V-207560

Documentable

False

Rule Version

BIND-9X-001080

Severity Override Guidance

This check is only applicable to caching name servers.

Verify the allow-query and allow-recursion phrases are properly configured.

Inspect the "named.conf" file for the following:

allow-query {trustworthy_hosts;};
allow-recursion {trustworthy_hosts;};

The name of the ACL does not need to be "trustworthy_hosts" but the name should match the ACL name defined earlier in "named.conf" for this purpose. If not, this is a finding.

Verify non-internal IP addresses do not appear in either the referenced ACL (e.g., trustworthy_hosts) or directly in the statements themselves.

If non-internal IP addresses appear, this is a finding.

Check Content Reference

M

Target Key

2926

Comments