STIGQter: STIG Summary: BIND 9.x Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 22 Jan 2021: STIGQter: STIG Summary: BIND 9.x Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 22 Jan 2021:SV-207556r612253_rule
V-207556
SRG-APP-000516-DNS-000088
BIND-9X-001058
CAT III
10
Edit the "named.conf" file.
Configure the "notify" sub statement in the "options" statement block to "no":
options {
notify no;
};
Configure the “notify explicit” and "also-notify" sub statements in the zone statement block to limit zone transfer notifications to authorized secondary name servers:
zone example.com {
notify explicit;
also-notify { <ip_address>; | <address_match_list>; };
Restart the BIND 9.x process.
If this is a master name server, this is Not Applicable.
On a secondary name server, verify that the global notify is disabled. The global entry for the name server is under the “Options” section and notify should be disabled at this section.
Inspect the "named.conf" file for the following:
options {
notify no;
};
If the "notify" statement is missing, this is a finding.
If the "notify" statement is set to "yes", this is a finding.
Verify that zones for which the secondary server is authoritative is configured to notify other authorized secondary name servers when a zone file update has been received from the master name server for the zone.
Each zone has its own Zone section.
Inspect the "named.conf" file for the following:
zone example.com {
notify explicit;
also-notify { <ip_address>; | <address_match_list>; };
If an "address match list" is used, verify that each ip address listed is an authorized secondary name server for that zone.
If the “notify explicit” statement is missing, this is a finding.
If the "also-notify" statement is missing, this is a finding.
If the "also-notify" statement is configured to notify name servers that are not authorized for that zone, this is a finding.
V-207556
False
BIND-9X-001058
If this is a master name server, this is Not Applicable.
On a secondary name server, verify that the global notify is disabled. The global entry for the name server is under the “Options” section and notify should be disabled at this section.
Inspect the "named.conf" file for the following:
options {
notify no;
};
If the "notify" statement is missing, this is a finding.
If the "notify" statement is set to "yes", this is a finding.
Verify that zones for which the secondary server is authoritative is configured to notify other authorized secondary name servers when a zone file update has been received from the master name server for the zone.
Each zone has its own Zone section.
Inspect the "named.conf" file for the following:
zone example.com {
notify explicit;
also-notify { <ip_address>; | <address_match_list>; };
If an "address match list" is used, verify that each ip address listed is an authorized secondary name server for that zone.
If the “notify explicit” statement is missing, this is a finding.
If the "also-notify" statement is missing, this is a finding.
If the "also-notify" statement is configured to notify name servers that are not authorized for that zone, this is a finding.
M
2926