STIGQter: STIG Summary: BIND 9.x Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 22 Jan 2021:

A BIND 9.x server implementation must prohibit recursion on authoritative name servers.

DISA Rule

SV-207554r612253_rule

Vulnerability Number

V-207554

Group Title

SRG-APP-000246-DNS-000035

Rule Version

BIND-9X-001055

Severity

CAT II

CCI(s)

• CCI-001094 - The information system restricts the ability of individuals to launch organization-defined denial of service attacks against other information systems.
• CCI-000366 - The organization implements the security configuration settings.

Weight

10

Fix Recommendation

Configure the authoritative name server to prohibit recursion.

Edit the "named.conf" file and add the following sub statements to the options statement:

recursion no;
allow-recursion {none;};
allow-query { none };

Configure each zone to limit queries to authorized hosts:

Edit the "named.conf" file and add the following sub statement to each zone definition:

allow-query { address_match_list; };

Restart the BIND 9.x process

Check Contents

If this is a recursive name server, this is not applicable.

Note: A recursive name server should NOT be configured as an authoritative name server for any zone.

Verify that the BIND 9.x server is configured to prohibit recursion on authoritative name servers.

Inspect the "named.conf" file for the following:

options {
recursion no;
allow-recursion {none;};
allow-query {none;};
};

If the "recursion" sub statement is missing, or set to "yes", this is a finding.

If the “allow-recursion” sub statement is missing or is not set to “none”, this is a finding.

If the "allow-query" sub statement under the "options statement" is missing or is not set to "none", this is a finding.

Verify that an "allow-query" sub statement under each zone statement is configured to authorized hosts:

zone "example.com" {
type master;
file "db.example.com";
allow-query { (address_match_list | <ip_address>) };
};

If the "allow-query" sub statement under each zone statement is not restricted to authorized hosts, this is a finding.

Vulnerability Number

V-207554

Documentable

False

Rule Version

BIND-9X-001055

Severity Override Guidance

If this is a recursive name server, this is not applicable.

Note: A recursive name server should NOT be configured as an authoritative name server for any zone.

Verify that the BIND 9.x server is configured to prohibit recursion on authoritative name servers.

Inspect the "named.conf" file for the following:

options {
recursion no;
allow-recursion {none;};
allow-query {none;};
};

If the "recursion" sub statement is missing, or set to "yes", this is a finding.

If the “allow-recursion” sub statement is missing or is not set to “none”, this is a finding.

If the "allow-query" sub statement under the "options statement" is missing or is not set to "none", this is a finding.

Verify that an "allow-query" sub statement under each zone statement is configured to authorized hosts:

zone "example.com" {
type master;
file "db.example.com";
allow-query { (address_match_list | <ip_address>) };
};

If the "allow-query" sub statement under each zone statement is not restricted to authorized hosts, this is a finding.

Check Content Reference

M

Target Key

2926

Comments