STIGQter: STIG Summary: BIND 9.x Security Technical Implementation Guide, Version 2, Release 1, Benchmark Date: 22 Jan 2021

On the BIND 9.x server the platform on which the name server software is hosted must be configured to send outgoing DNS messages from a random port.

DISA Rule

SV-207557r612253_rule

Vulnerability Number

V-207557

Group Title

SRG-APP-000516-DNS-000110

Rule Version

BIND-9X-001059

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

Edit the "named.conf" file.

Configure the BIND 9.x server so that the "port" flag is used only with the "listen-on" and "listen-on-v6" statements, which fix the port named listens on. Remove any "port" flag from the statements that govern outgoing queries (the bare "port" option, "query-source" and "query-source-v6"), so that named chooses a random source port for each outgoing DNS message:

options {
    listen-on port 53 { <ip_address>; };
    listen-on-v6 port 53 { <ip_v6_address>; };
};

Restart the BIND 9.x process.

Check Contents

Verify that the BIND 9.x server does not limit outgoing DNS messages to a specific port.

Inspect the "named.conf" file (and every file it includes) for any instance of the "port" flag. The only permitted form is the one attached to the listening statements:

options {
    listen-on port 53 { <ip_address>; };
    listen-on-v6 port 53 { <ip_v6_address>; };
};

If any "port" flag is found outside of the "listen-on" or "listen-on-v6" statements (for example a bare "port 53;" in the options block, or "query-source"/"query-source-v6" with a fixed port), the server sends its queries from a predictable source port, and this is a finding.
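The check above amounts to parsing named.conf and locating every "port" flag that is not attached to a listening statement. The script below is an added example for this page, not code from the STIG, STIGQter or BIND: it strips the three comment styles BIND accepts, parses the brace/semicolon structure so that statements inside "view" blocks are seen too, and reports each pinned outgoing port. It goes slightly beyond the STIG text by also treating a "use-v4-udp-ports"/"use-v6-udp-ports" range narrowed to a single port as a pin, and by accepting "port *" (explicit random) as compliant; both sample configurations and the name "find_pinned_ports" are constructed for the example.

```python
"""Audit a BIND named.conf for pinned outgoing source ports (BIND-9X-001059).

Added example for this STIG page; not part of the STIG, STIGQter or BIND.
It strips comments, parses the brace/semicolon structure of named.conf and
reports every "port" flag that sits on anything other than a listen-on or
listen-on-v6 statement.  The sample configurations below are constructed.
"""
import re
import sys

# "port" on these statements only fixes the port named listens on, which
# the STIG check allows.
ALLOWED_PORT_STATEMENTS = {"listen-on", "listen-on-v6"}

# BIND accepts C, C++ and shell style comments.
COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.DOTALL)
# Tokens: a quoted string, one of { } ; or a bare word.
TOKEN_RE = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')


def parse(tokens, pos=0, depth=0):
    """Turn a token list into nested statements.

    Each statement is a dict: 'keyword' (first token), 'args' (remaining
    tokens outside any nested block) and 'children' (statements of the
    nested { ... } block, if any).  Returns (statements, next_pos).
    """
    statements, cur, children = [], [], []
    while pos < len(tokens):
        tok = tokens[pos]
        if tok == "{":
            sub, pos = parse(tokens, pos + 1, depth + 1)
            children.extend(sub)
        elif tok == "}":
            if depth == 0:
                raise ValueError("unbalanced '}' in named.conf")
            return statements, pos + 1
        elif tok == ";":
            if cur or children:
                statements.append({"keyword": cur[0] if cur else "",
                                   "args": cur[1:], "children": children})
            cur, children = [], []
            pos += 1
        else:
            cur.append(tok)
            pos += 1
    if depth != 0:
        raise ValueError("unbalanced '{' in named.conf")
    if cur or children:  # tolerate a missing final ';'
        statements.append({"keyword": cur[0] if cur else "",
                           "args": cur[1:], "children": children})
    return statements, pos


def find_pinned_ports(conf_text):
    """Return [(statement, port), ...] for every outgoing-port pin found.

    A port value of "*" means "pick a random port" and is not a finding.
    """
    statements, _ = parse(TOKEN_RE.findall(COMMENT_RE.sub(" ", conf_text)))
    findings = []

    def walk(stmts):
        for s in stmts:
            kw, args = s["keyword"], s["args"]
            # e.g. "query-source address * port 53;"
            for i, tok in enumerate(args[:-1]):
                if (tok == "port" and kw not in ALLOWED_PORT_STATEMENTS
                        and args[i + 1] != "*"):
                    findings.append((kw, args[i + 1]))
            # bare "port 53;" also changes the default query-source port
            if kw == "port" and args and args[0] != "*":
                findings.append((kw, args[0]))
            # a one-port range leaves nothing to randomise over
            if kw in ("use-v4-udp-ports", "use-v6-udp-ports"):
                for r in s["children"]:
                    if (r["keyword"] == "range" and len(r["args"]) == 2
                            and r["args"][0] == r["args"][1]):
                        findings.append((kw, r["args"][0]))
            walk(s["children"])

    walk(statements)
    return findings


# Constructed sample: compliant, "port" appears only on listen-on statements.
COMPLIANT_CONF = """
options {
    directory "/var/named";   // the only place a path appears
    listen-on port 53 { 192.0.2.53; };
    listen-on-v6 port 53 { 2001:db8::53; };
    query-source port *;      /* explicit random source port */
};
"""

# Constructed sample: pins the outgoing source port in four different ways.
PINNED_CONF = """
options {
    port 53;   # bare port applies to listen-on and query-source alike
    listen-on { 192.0.2.53; };
    query-source address * port 53;
    use-v4-udp-ports { range 53 53; };
};
view "internal" {
    match-clients { 10.0.0.0/8; };
    query-source-v6 address * port 5353;
};
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else PINNED_CONF
    hits = find_pinned_ports(text)
    for stmt, port in hits:
        print(f"FINDING: '{stmt}' pins the outgoing port to {port}")
    print("compliant" if not hits else f"{len(hits)} finding(s)")
    sys.exit(1 if hits else 0)
```

Feed it the canonical, include-expanded configuration rather than the raw file, for example `named-checkconf -p /etc/named.conf > /tmp/named.canon && python3 audit.py /tmp/named.canon`, so that a "query-source" hidden in an included file is not missed. The configuration review is only half the evidence: after the restart, confirm on the wire that successive upstream queries leave from different source ports (a packet capture of outbound UDP destined to port 53 from the resolver is enough to see this).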

Documentable

False

Severity Override Guidance

Identical to the Check Contents above.

Check Content Reference

M

Target Key

2926

Comments