STIGQter STIGQter: STIG Summary: BIND 9.x Security Technical Implementation Guide Version: 1 Release: 8 Benchmark Date: 24 Jan 2020: On a BIND 9.x server all authoritative name servers for a zone must be located on different network segments.

DISA Rule

SV-87131r1_rule

Vulnerability Number

V-72507

Group Title

SRG-APP-000516-DNS-000087

Rule Version

BIND-9X-001612

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Edit the zone file and configure each name server on a separate network segment.

Check Contents

Verify that each name server listed on the BIND 9.x server is on a separate network segment.

Inspect the "named.conf" file and identify all of the zone files that the BIND 9.x server is using.

zone "example.com" {
file "zone_file";
};

Inspect each zone file and identify each A record for each NS record listed:

ns1.example.com 86400 IN A 192.168.1.4
ns2.example.com 86400 IN A 192.168.2.4

If there are name servers listed in the zone file that are not on different network segments for the specified domain, this is a finding.

Vulnerability Number

V-72507

Documentable

False

Rule Version

BIND-9X-001612

Severity Override Guidance

Verify that each name server listed on the BIND 9.x server is on a separate network segment.

Inspect the "named.conf" file and identify all of the zone files that the BIND 9.x server is using.

zone "example.com" {
file "zone_file";
};

Inspect each zone file and identify each A record for each NS record listed:

ns1.example.com 86400 IN A 192.168.1.4
ns2.example.com 86400 IN A 192.168.2.4

If there are name servers listed in the zone file that are not on different network segments for the specified domain, this is a finding.

Check Content Reference

M

Target Key

3085

Comments