STIGQter: STIG Summary: BIND 9.x Security Technical Implementation Guide, Version 2, Release 1, Benchmark Date: 22 Jan 2021

On a BIND 9.x server in a split DNS configuration, where separate name servers are used between the external and internal networks, the internal name server must be configured to not be reachable from outside resolvers.

DISA Rule

SV-207585r612253_rule

Vulnerability Number

V-207585

Group Title

SRG-APP-000516-DNS-000093

Rule Version

BIND-9X-001402

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Edit the "named.conf" file.

Configure the internal view statement to limit its use to authorized internal hosts:

view "internal" {
match-clients { <ip_address> | <address_match_list>; };
};

Remove any IP address that is assigned to an external host from the internal view statement.

Restart the BIND 9.x process.

Check Contents

If the BIND 9.x name server is not configured for split DNS, this is Not Applicable.

Verify that the BIND 9.x server is configured to use the "match-clients" sub statement to limit the reach of the internal view from the external view.

Inspect the "named.conf" file for the following:

view "internal" {
match-clients { <ip_address> | <address_match_list>; };
};

If the "match-clients" sub statement is missing for the internal view, this is a finding.

If the "match-clients" sub statement for the internal view does not limit the view to authorized hosts, this is a finding.

If any of the IP addresses defined for the "match-clients" sub statement in the internal view are assigned to external hosts, this is a finding.
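An added audit helper, not part of the STIG or of STIGQter, that applies the three check conditions above to a named.conf: it brace-matches the internal view, confirms a match-clients substatement is present, and flags "any" or any address literal that falls inside the external networks the operator supplies. The named.conf text and the 203.0.113.0/24 external range are constructed sample input; named ACLs are expanded one level, and entries that are not address literals (localhost, keys, negations) are skipped.

```python
import ipaddress
import re

# Constructed sample named.conf (not from the STIG); 203.0.113.7 is an external address.
SAMPLE_NAMED_CONF = """acl "corp" { 10.10.0.0/16; 10.20.0.0/16; };
view "internal" {
    match-clients { corp; 203.0.113.7; localhost; };
    recursion yes;
};
"""

def parse_acls(conf):
    acls = {}
    for name, body in re.findall(r'acl\s+"?([\w-]+)"?\s*\{([^}]*)\}', conf):
        acls[name] = [e.strip() for e in body.split(";") if e.strip()]
    return acls

def view_body(conf, view_name):
    """Return the text inside view "<view_name>" { ... } (brace-matched), or None."""
    m = re.search(r'view\s+"%s"\s*\{' % re.escape(view_name), conf)
    if not m:
        return None
    depth, start = 1, m.end()
    for i in range(start, len(conf)):
        depth += {"{": 1, "}": -1}.get(conf[i], 0)
        if depth == 0:
            return conf[start:i]

def check_internal_view(conf, external_nets, view_name="internal"):
    """Apply the STIG's three conditions; return a list of findings (empty = compliant)."""
    body = view_body(conf, view_name)
    if body is None:
        return [f'view "{view_name}" not defined']
    mc = re.search(r'match-clients\s*\{([^}]*)\}', body)
    if mc is None:
        return [f"match-clients substatement missing from {view_name} view"]
    acls, findings = parse_acls(conf), []
    external = [ipaddress.ip_network(n) for n in external_nets]
    for e in [x.strip() for x in mc.group(1).split(";") if x.strip()]:
        for entry in acls.get(e, [e]):  # expand named ACLs one level
            if entry == "any":
                findings.append(f'{view_name} view match-clients allows "any"')
                continue
            try:
                net = ipaddress.ip_network(entry, strict=False)
            except ValueError:
                continue  # localhost, localnets, keys, negations: not address literals
            if any(net.overlaps(x) for x in external):
                findings.append(f"{view_name} view match-clients includes external address {entry}")
    return findings
```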

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

2926

Comments