STIGQter STIGQter: STIG Summary: BIND 9.x Security Technical Implementation Guide Version: 1 Release: 8 Benchmark Date: 24 Jan 2020: The host running a BIND 9.x implementation must use an interface that is configured to process only DNS traffic.

DISA Rule

SV-86999r1_rule

Vulnerability Number

V-72375

Group Title

SRG-APP-000516-DNS-000109

Rule Version

BIND-9X-001006

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

On the host machine, configure an interface to only process DNS traffic.

Restart the host machine.

Check Contents

Verify that the BIND 9.x server is configured to use an interface that is configured to process only DNS traffic.

# ifconfig -a
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.0.1.252 netmask 255.255.255.0 broadcast 10.0.1.255
inet6 fd80::21c:d8ff:fab7:1dba prefixlen 64 scopeid 0x20<link>
ether 00:1a:b8:d7:1a:bf txqueuelen 1000 (Ethernet)
RX packets 2295379 bytes 220126493 (209.9 MiB)
RX errors 0 dropped 31 overruns 0 frame 0
TX packets 70507 bytes 12284940 (11.7 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1458
inet 10.0.0.5 netmask 255.255.255.0 broadcast 10.0.0.255
inet6 fe81::21c:a8bf:fad7:1dca prefixlen 64 scopeid 0x20<link>
ether 00:1d:d8:b5:1c:dd txqueuelen 1000 (Ethernet)
RX packets 39090 bytes 4196802 (4.0 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 93250 bytes 18614094 (17.7 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

If one of the interfaces listed is not dedicated to only process DNS traffic, this is a finding.

Vulnerability Number

V-72375

Documentable

False

Rule Version

BIND-9X-001006

Severity Override Guidance

Verify that the BIND 9.x server is configured to use an interface that is configured to process only DNS traffic.

# ifconfig -a
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.0.1.252 netmask 255.255.255.0 broadcast 10.0.1.255
inet6 fd80::21c:d8ff:fab7:1dba prefixlen 64 scopeid 0x20<link>
ether 00:1a:b8:d7:1a:bf txqueuelen 1000 (Ethernet)
RX packets 2295379 bytes 220126493 (209.9 MiB)
RX errors 0 dropped 31 overruns 0 frame 0
TX packets 70507 bytes 12284940 (11.7 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1458
inet 10.0.0.5 netmask 255.255.255.0 broadcast 10.0.0.255
inet6 fe81::21c:a8bf:fad7:1dca prefixlen 64 scopeid 0x20<link>
ether 00:1d:d8:b5:1c:dd txqueuelen 1000 (Ethernet)
RX packets 39090 bytes 4196802 (4.0 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 93250 bytes 18614094 (17.7 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

If one of the interfaces listed is not dedicated to only process DNS traffic, this is a finding.

Check Content Reference

M

Target Key

3085

Comments