STIGQter: STIG Summary: BIND 9.x Security Technical Implementation Guide, Version 2, Release 1, Benchmark Date: 22 Jan 2021

The BIND 9.x server implementation must be configured to use only approved ports and protocols.

DISA Rule

SV-207552r612253_rule

Vulnerability Number

V-207552

Group Title

SRG-APP-000142-DNS-000014

Rule Version

BIND-9X-001053

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Edit the "named.conf" file.

Add the following line to the "options" statement:

listen-on port 53 { <ip_address>; };

Replace "<ip_address>" with the IP of the name server.

Restart the BIND 9.x process.

Check Contents

Verify the BIND 9.x server is configured to listen on UDP/TCP port 53.

Inspect the "named.conf" file for the following:

options {
listen-on port 53 { <ip_address>; };
};

If the "port" variable is missing, this is a finding.

If the "port" variable is not set to "53", this is a finding.

Note: "<ip_address>" should be replaced with the DNS server IP address.
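The check above can be scripted. The following is an added example, not part of the STIG or of BIND itself: it strips comments from a named.conf, isolates the top-level "options" block, and reports a finding for every "listen-on" statement that lacks a "port" clause or uses a port other than 53 (it deliberately ignores "listen-on-v6", which this rule does not mention). The sample configurations at the bottom are constructed for illustration.

```python
import re
from typing import List, Optional

def _strip_comments(text: str) -> str:
    """Remove the three BIND comment styles: /* ... */, // ..., and # ..."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)

def _options_block(text: str) -> Optional[str]:
    """Return the body of the top-level options { ... } statement, or None."""
    m = re.search(r"\boptions\s*\{", text)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(text) and depth:          # walk to the matching closing brace
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        i += 1
    return text[m.end():i - 1] if depth == 0 else None

def check_listen_on(named_conf: str) -> List[str]:
    """Evaluate BIND-9X-001053: every listen-on in options must say 'port 53'.
    Returns a list of finding strings; an empty list means the check passes."""
    findings = []
    body = _options_block(_strip_comments(named_conf))
    if body is None:
        return ["options statement missing"]
    # Capture the text between 'listen-on' and its address list; (?!-) skips listen-on-v6.
    stmts = re.findall(r"\blisten-on(?!-)\s*([^{]*)\{", body)
    if not stmts:
        return ["listen-on statement missing from options"]
    for prefix in stmts:
        port = re.search(r"\bport\s+(\d+)", prefix)
        if port is None:
            findings.append("listen-on has no port clause")
        elif port.group(1) != "53":
            findings.append(f"listen-on port is {port.group(1)}, not 53")
    return findings

# Constructed sample configurations (placeholder addresses, not real servers).
GOOD = 'options {\n  directory "/var/named";\n  listen-on port 53 { 192.0.2.53; };\n  listen-on-v6 port 53 { none; };\n};\n'
NO_PORT = "options { listen-on { 192.0.2.53; }; };"
WRONG_PORT = "options { listen-on port 5353 { any; }; };"

if __name__ == "__main__":
    for name, conf in (("GOOD", GOOD), ("NO_PORT", NO_PORT), ("WRONG_PORT", WRONG_PORT)):
        print(name, check_listen_on(conf) or "pass")
```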

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

2926

Comments