STIGQter: STIG Summary: BIND 9.x Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 22 Jan 2021:

The host running a BIND 9.X implementation must implement a set of firewall rules that restrict traffic on the DNS interface.

DISA Rule

SV-207536r612253_rule

Vulnerability Number

V-207536

Group Title

SRG-APP-000516-DNS-000109

Rule Version

BIND-9X-001004

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the OS firewall to only allow incoming DNS traffic on ports 53/tcp and 53/udp.
Add the following rules to the host firewall rule set:

# iptables -A INPUT -i [DNS Interface] -p tcp --dport 53 -j ACCEPT
# iptables -A INPUT -i [DNS Interface] -p udp --dport 53 -j ACCEPT
# iptables -A INPUT -i [DNS Interface] -j DROP

Note: If the system is not using an IPTables firewall, the appropriate firewall rules that limit traffic to ports 53/tcp and 53/udp should be configured on the active firewall.

Check Contents

With the assistance of the DNS administrator, verify that the OS firewall is configured to only allow incoming messages on ports 53/tcp and 53/udp.

Note: The following rules are for the IPTables firewall. If the system is utilizing a different firewall, the rules may be different.

Inspect the host's firewall rules for the following rules:

-A INPUT -i [DNS Interface] -p tcp --dport 53 -j ACCEPT
-A INPUT -i [DNS Interface] -p udp --dport 53 -j ACCEPT
-A INPUT -i [DNS Interface] -j DROP

If any of the above rules do not exist, this is a finding.

If there are rules listed that allow traffic on ports other than 53/tcp and 53/udp, this is a finding.
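The check above can be automated against the output of `iptables -S INPUT`. The script below is an added example, not part of the STIG or of STIGQter: it parses a rule listing, confirms the two ACCEPT rules for 53/tcp and 53/udp exist on the DNS interface, confirms a catch-all DROP follows them (since `-A` appends, a DROP placed before the ACCEPTs would shadow them), and flags any other ACCEPT rule that applies to that interface. The interface name `eth0` and both sample listings are constructed for offline use; on a real host the function is fed the live listing as shown in the usage comment.

```shell
#!/bin/sh
# Added example (not DISA/STIGQter code): audit INPUT rules against BIND-9X-001004.
# Input format is that of `iptables -S INPUT` (one rule per line, -m tcp/udp tokens
# included). The interface name and the sample listings below are constructed.

# Constructed sample: compliant ordering (ACCEPT 53/tcp, ACCEPT 53/udp, then DROP).
SAMPLE_OK='-P INPUT DROP
-A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i eth0 -j DROP'

# Constructed sample: extra ACCEPT on 22/tcp, and no ACCEPT for 53/udp.
SAMPLE_BAD='-P INPUT ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -j DROP'

# check_dns_rules IFACE RULES
#   Prints one "FINDING:" line per problem and returns 1, or prints "OK" and returns 0.
#   Rules with no -i apply to every interface, so they are evaluated as well.
check_dns_rules() {
  iface="$1"
  printf '%s\n' "$2" | awk -v iface="$iface" '
    /^-A INPUT / {
      rule_if = ""; proto = ""; dport = ""; target = ""
      # Tokenize the rule into the flags this check cares about.
      for (i = 1; i <= NF; i++) {
        if ($i == "-i") rule_if = $(i + 1)
        else if ($i == "-p") proto = $(i + 1)
        else if ($i == "--dport") dport = $(i + 1)
        else if ($i == "-j") target = $(i + 1)
      }
      # Skip rules bound to some other interface (e.g. -i lo).
      if (rule_if != "" && rule_if != iface) next
      if (target == "ACCEPT") {
        if (proto == "tcp" && dport == "53") tcp_ok = 1
        else if (proto == "udp" && dport == "53") udp_ok = 1
        else { print "FINDING: ACCEPT for traffic other than 53/tcp,53/udp: " $0; bad = 1 }
      } else if (target == "DROP" && proto == "" && dport == "") {
        drop_seen = 1
        # A catch-all DROP appended before the ACCEPTs makes them unreachable.
        if (!tcp_ok || !udp_ok) { print "FINDING: catch-all DROP precedes a DNS ACCEPT rule"; bad = 1 }
      }
    }
    END {
      if (!tcp_ok)    { print "FINDING: missing ACCEPT for 53/tcp on " iface; bad = 1 }
      if (!udp_ok)    { print "FINDING: missing ACCEPT for 53/udp on " iface; bad = 1 }
      if (!drop_seen) { print "FINDING: missing catch-all DROP on " iface; bad = 1 }
      if (!bad) print "OK: INPUT rules on " iface " satisfy BIND-9X-001004"
      exit (bad ? 1 : 0)
    }'
}

# On a real host (interface name is an assumption):
#   check_dns_rules eth0 "$(iptables -S INPUT)"
# Offline demonstration against the constructed samples:
for sample in "$SAMPLE_OK" "$SAMPLE_BAD"; do
  if check_dns_rules eth0 "$sample"; then
    echo "result: compliant"
  else
    echo "result: finding(s) present"
  fi
done
```

Because the STIG text treats any ACCEPT on a port other than 53 as a finding, the script flags interface-agnostic rules such as a stateful ESTABLISHED ACCEPT too; an assessor who has documented such rules as required can narrow the match, but the default mirrors the check as written.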

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

2926

Comments