STIGQter: STIG Summary: BIND 9.x Security Technical Implementation Guide, Version: 2, Release: 1, Benchmark Date: 22 Jan 2021

A BIND 9.x master name server must limit the number of concurrent zone transfers between authorized secondary name servers.

DISA Rule

SV-207559r612253_rule

Vulnerability Number

V-207559

Group Title

SRG-APP-000001-DNS-000001

Rule Version

BIND-9X-001070

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Edit the "named.conf" file.

Add the "transfers" sub statement to each "server" statement block.

The value of the "transfers" option can be increased to a value greater than two based on organizational requirements needed to support DNS operations.

Restart the BIND 9.x process.

Check Contents

If this is not a master name server, this requirement is Not Applicable.

Verify that the name server is configured to limit the number of zone transfers from authorized secondary name servers.

Inspect the "named.conf" file for the following:

server <ip_address> {
    transfers 2;
};

If each "server" statement does not contain a "transfers" sub statement, this is a finding.
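
The inspection above can be scripted. The following is an added example, not part of the STIG or of BIND: it maps every "server" statement in a named.conf text to its "transfers" value, ignoring commented-out lines and handling nested braces and "server" statements inside "view" blocks. The function names, the sample configuration, its addresses and the key name are assumptions made for illustration.

```python
import re

# Quoted strings are matched first so comment markers inside them survive.
_TOKEN = re.compile(r'"[^"\n]*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)
# "server" keyword, an address or prefix, then the opening brace.
_SERVER = re.compile(r'(?<![\w-])server\s+([0-9A-Fa-f:.]+(?:/\d+)?)\s*\{')
_TRANSFERS = re.compile(r'(?<![\w-])transfers\s+(\d+)\s*;')

def strip_comments(text):
    """Remove //, # and /* */ comments, leaving quoted strings intact."""
    return _TOKEN.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else ' ', text)

def block_body(text, start):
    """Return the text from index start up to the brace closing that block."""
    depth = 1
    for i in range(start, len(text)):
        depth += {'{': 1, '}': -1}.get(text[i], 0)
        if depth == 0:
            return text[start:i]
    raise ValueError("unbalanced braces in server block")

def audit_transfers(conf_text):
    """Map each server address to its transfers value, or None if absent."""
    text = strip_comments(conf_text)
    result = {}
    for m in _SERVER.finditer(text):
        hit = _TRANSFERS.search(block_body(text, m.end()))
        result[m.group(1)] = int(hit.group(1)) if hit else None
    return result

def findings(conf_text):
    """Addresses whose server block lacks a transfers sub statement."""
    return sorted(a for a, v in audit_transfers(conf_text).items() if v is None)

# Constructed sample configuration (documentation addresses, hypothetical key name).
SAMPLE = """
options { directory "/var/named"; };
server 192.0.2.10 { keys { xfer-key; }; transfers 2; };
server 192.0.2.11 {
    keys { xfer-key; };
    # transfers 2;   commented out, so it does not count
};
view "internal" { server 2001:db8::53 { transfers 4; }; };
"""

if __name__ == "__main__":
    for addr, limit in audit_transfers(SAMPLE).items():
        print(addr, "transfers", limit if limit is not None else "MISSING (finding)")
```

A configuration with no "server" statements at all yields an empty result, so that case still needs manual review against the check text. Files pulled in with "include" are not followed and must be audited separately.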

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

2926
