STIGQter STIGQter: STIG Summary: BIND 9.x Security Technical Implementation Guide

Version: 1

Release: 8 Benchmark Date: 24 Jan 2020

CheckedNameTitle
SV-86987r1_ruleA BIND 9.x server implementation must be running in a chroot(ed) directory structure.
SV-86989r2_ruleA BIND 9.x server implementation must be operating on a Current-Stable version as defined by ISC.
SV-86991r1_ruleThe platform on which the name server software is hosted must only run processes and services needed to support the BIND 9.x implementation.
SV-86993r1_ruleThe BIND 9.x server software must run with restricted privileges.
SV-86995r1_ruleThe host running a BIND 9.X implementation must implement a set of firewall rules that restrict traffic on the DNS interface.
SV-86997r1_ruleThe host running a BIND 9.x implementation must use a dedicated management interface in order to separate management traffic from DNS specific traffic.
SV-86999r1_ruleThe host running a BIND 9.x implementation must use an interface that is configured to process only DNS traffic.
SV-87001r1_ruleA BIND 9.x server implementation must be configured to allow DNS administrators to audit all DNS server components, based on selectable event criteria, and produce audit records within all DNS server components that contain information for failed security verification tests, information to establish the outcome and source of the events, any information necessary to determine cause of failure, and any information necessary to return to operations with least disruption to mission processes.
SV-87003r1_ruleThe BIND 9.x server implementation must not be configured with a channel to send audit records to null.
SV-87005r1_ruleThe BIND 9.x server logging configuration must be configured to generate audit records for all DoD-defined auditable events to a local file by enabling triggers for all events with a severity of info, notice, warning, error, and critical for all DNS components.
SV-87007r1_ruleIn the event of an error when validating the binding of other DNS servers identity to the BIND 9.x information, when anomalies in the operation of the signed zone transfers are discovered, for the success and failure of start and stop of the name server service or daemon, and for the success and failure of all name server events, a BIND 9.x server implementation must generate a log entry.
SV-87009r1_ruleThe print-severity variable for the configuration of BIND 9.x server logs must be configured to produce audit records containing information to establish what type of events occurred.
SV-87011r1_ruleThe print-time variable for the configuration of BIND 9.x server logs must be configured to establish when (date and time) the events occurred.
SV-87013r1_ruleThe print-category variable for the configuration of BIND 9.x server logs must be configured to record information indicating which process generated the events.
SV-87015r1_ruleThe BIND 9.x server implementation must be configured with a channel to send audit records to a remote syslog.
SV-87017r1_ruleThe BIND 9.x server implementation must be configured with a channel to send audit records to a local file.
SV-87019r1_ruleThe BIND 9.x server implementation must maintain at least 3 file versions of the local log file.
SV-87021r1_ruleThe BIND 9.x secondary name server must limit the number of zones requested from a single master name server.
SV-87023r1_ruleThe BIND 9.x secondary name server must limit the total number of zones the name server can request at any one time.
SV-87025r1_ruleThe BIND 9.x server implementation must limit the number of concurrent session client connections to the number of allowed dynamic update clients.
SV-87027r1_ruleThe BIND 9.x server implementation must be configured to use only approved ports and protocols.
SV-87029r1_ruleA BIND 9.x server implementation must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of Denial of Service (DoS) attacks.
SV-87031r2_ruleA BIND 9.x server implementation must prohibit recursion on authoritative name servers.
SV-87033r3_ruleThe master servers in a BIND 9.x implementation must notify authorized secondary name servers when zone files are updated.
SV-87035r2_ruleThe secondary name servers in a BIND 9.x implementation must be configured to initiate zone update notifications to other authoritative zone name servers.
SV-87043r1_ruleOn the BIND 9.x server the platform on which the name server software is hosted must be configured to send outgoing DNS messages from a random port.
SV-87045r3_ruleA BIND 9.x caching name server must implement DNSSEC validation to check all DNS queries for invalid input.
SV-87047r1_ruleA BIND 9.x master name server must limit the number of concurrent zone transfers between authorized secondary name servers.
SV-87049r1_ruleA BIND 9.x implementation configured as a caching name server must restrict recursive queries to only the IP addresses and IP address ranges of known supported clients.
SV-87053r2_ruleThe BIND 9.x server implementation must uniquely identify and authenticate the other DNS server before responding to a server-to-server transaction, zone transfer and/or dynamic update request using cryptographically based bidirectional authentication to protect the integrity of the information in transit.
SV-87055r1_ruleThe BIND 9.x server implementation must utilize separate TSIG key-pairs when securing server-to-server transactions.
SV-87061r1_ruleThe TSIG keys used with the BIND 9.x implementation must be owned by a privileged account.
SV-87063r1_ruleThe TSIG keys used with the BIND 9.x implementation must be group owned by a privileged account.
SV-87065r1_ruleThe read and write access to a TSIG key file used by a BIND 9.x server must be restricted to only the account that runs the name server software.
SV-87067r2_ruleThe BIND 9.X implementation must not utilize a TSIG or DNSSEC key for more than one year.
SV-87069r3_ruleA BIND 9.x server must implement NIST FIPS-validated cryptography for provisioning digital signatures and generating cryptographic hashes.
SV-87071r2_ruleThe DNSSEC keys used with the BIND 9.x implementation must be owned by a privileged account.
SV-87073r2_ruleThe DNSSEC keys used with the BIND 9.x implementation must be group owned by a privileged account.
SV-87075r2_rulePermissions assigned to the DNSSEC keys used with the BIND 9.x implementation must enforce read-only access to the key owner and deny access to all other users.
SV-87077r4_ruleThe BIND 9.x server private key corresponding to the ZSK pair must be the only DNSSEC key kept on a name server that supports dynamic updates.
SV-87079r2_ruleOn the BIND 9.x server the private keys corresponding to both the ZSK and the KSK must not be kept on the BIND 9.x DNSSEC-aware primary authoritative name server when the name server does not support dynamic updates.
SV-87081r2_ruleThe two files generated by the BIND 9.x server dnssec-keygen program must be owned by the root account, or deleted, after they have been copied to the key file in the name server.
SV-87083r2_ruleThe two files generated by the BIND 9.x server dnssec-keygen program must be group owned by the server administrator account, or deleted, after they have been copied to the key file in the name server.
SV-87085r2_rulePermissions assigned to the dnssec-keygen keys used with the BIND 9.x implementation must enforce read-only access to the key owner and deny access to all other users.
SV-87093r3_ruleThe BIND 9.x server signature generation using the KSK must be done off-line, using the KSK-private key stored off-line.
SV-87095r4_ruleA BIND 9.x server implementation must maintain the integrity and confidentiality of DNS information while it is being prepared for transmission, in transmission, and in use and t must perform integrity verification and data origin verification for all DNS information.
SV-87097r2_ruleA BIND 9.x server implementation must provide the means to indicate the security status of child zones.
SV-87099r3_ruleThe BIND 9.x server validity period for the RRSIGs covering the DS RR for zones delegated children must be no less than two days and no more than one week.
SV-87101r2_ruleThe core BIND 9.x server files must be owned by the root or BIND 9.x process account.
SV-87103r1_ruleThe core BIND 9.x server files must be group owned by a group designated for DNS administration only.
SV-87105r1_ruleThe permissions assigned to the core BIND 9.x server files must be set to utilize the least privilege possible.
SV-87107r1_ruleOn a BIND 9.x server for zones split between the external and internal sides of a network, the RRs for the external hosts must be separate from the RRs for the internal hosts.
SV-87109r1_ruleOn a BIND 9.x server in a split DNS configuration, where separate name servers are used between the external and internal networks, the external name server must be configured to not be reachable from inside resolvers.
SV-87111r1_ruleOn a BIND 9.x server in a split DNS configuration, where separate name servers are used between the external and internal networks, the internal name server must be configured to not be reachable from outside resolvers.
SV-87113r1_ruleA BIND 9.x server implementation must implement internal/external role separation.
SV-87115r1_ruleOn the BIND 9.x server the IP address for hidden master authoritative name servers must not appear in the name servers set in the zone database.
SV-87117r1_ruleA BIND 9.x implementation operating in a split DNS configuration must be approved by the organizations Authorizing Official.
SV-87119r4_ruleOn the BIND 9.x server the private key corresponding to the ZSK, stored on name servers accepting dynamic updates, must be owned by root.
SV-87121r4_ruleOn the BIND 9.x server the private key corresponding to the ZSK, stored on name servers accepting dynamic updates, must be group owned by root.
SV-87123r1_ruleA BIND 9.x server implementation must enforce approved authorizations for controlling the flow of information between authoritative name servers and specified secondary name servers based on DNSSEC policies.
SV-87125r2_ruleA BIND 9.x server validity period for the RRSIGs covering a zones DNSKEY RRSet must be no less than two days and no more than one week.
SV-87127r4_ruleA BIND 9.x server NSEC3 must be used for all internal DNS zones.
SV-87129r1_ruleEvery NS record in a zone file on a BIND 9.x server must point to an active name server and that name server must be authoritative for the domain specified in that record.
SV-87131r1_ruleOn a BIND 9.x server all authoritative name servers for a zone must be located on different network segments.
SV-87133r1_ruleOn a BIND 9.x server all authoritative name servers for a zone must have the same version of zone information.
SV-87135r1_ruleOn a BIND 9.x server all root name servers listed in the local root zone file hosted on a BIND 9.x authoritative name server must be valid for that zone.
SV-87137r1_ruleOn a BIND 9.x server all root name servers listed in the local root zone file hosted on a BIND 9.x authoritative name server must be empty or removed.
SV-87139r1_ruleOn the BIND 9.x server a zone file must not include resource records that resolve to a fully qualified domain name residing in another zone.
SV-87141r1_ruleOn the BIND 9.x server CNAME records must not point to a zone with lesser security for more than six months.
SV-87143r2_ruleThe BIND 9.x server implementation must prohibit the forwarding of queries to servers controlled by organizations outside of the U.S. Government.