SV-207560r612253_rule
V-207560
SRG-APP-000246-DNS-000035
BIND-9X-001080
CAT II
10
Configure the caching name server to accept recursive queries only from the IP addresses and address ranges of known supported clients.
Edit the "named.conf" file and add the following to the options statement:
allow-query {trustworthy_hosts;};
allow-recursion {trustworthy_hosts;};
Restart the BIND 9.x process.
This check is only applicable to caching name servers.
Verify the allow-query and allow-recursion phrases are properly configured.
Inspect the "named.conf" file for the following:
allow-query {trustworthy_hosts;};
allow-recursion {trustworthy_hosts;};
The name of the ACL does not need to be "trustworthy_hosts" but the name should match the ACL name defined earlier in "named.conf" for this purpose. If not, this is a finding.
Verify non-internal IP addresses do not appear in either the referenced ACL (e.g., trustworthy_hosts) or directly in the statements themselves.
If non-internal IP addresses appear, this is a finding.
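A script that performs this check automatically, added here as an example and not part of the STIG text: it parses a constructed named.conf fragment, confirms that allow-query and allow-recursion reference an ACL defined earlier in the file (or literal networks), and reports any entry that is not internal. "Internal" is approximated with Python's ipaddress private/loopback/link-local classification, which is an assumption; hostnames, TSIG key names and nested ACL references are reported as findings rather than resolved, and the regexes scan the whole file rather than only the options statement.

```python
import ipaddress
import re

# Constructed named.conf fragment used as sample input; not taken from a real server.
NAMED_CONF = """
acl trustworthy_hosts { 10.0.0.0/8; 192.168.10.0/24; localhost; };
options {
    allow-query { trustworthy_hosts; };
    allow-recursion { trustworthy_hosts; };
};
"""
# BIND built-in ACL names that only match the server itself or its attached networks.
BUILTIN_INTERNAL = {"localhost", "localnets"}

def _entries(body):
    return [e.strip() for e in body.split(";") if e.strip()]

def parse_acls(conf):
    # acl name -> (entries, offset where the acl statement ends); the offset lets
    # check() confirm the ACL is defined before the options statement uses it.
    return {m.group(1): (_entries(m.group(2)), m.end())
            for m in re.finditer(r"\bacl\s+(\S+)\s*\{([^}]*)\}\s*;", conf)}

def entry_is_internal(entry):
    # Only RFC 1918 / loopback / link-local networks or the safe built-ins pass;
    # 'any', hostnames and undefined ACL names fail ip_network() and are rejected.
    if entry in BUILTIN_INTERNAL:
        return True
    try:
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return False
    return net.is_private or net.is_loopback or net.is_link_local

def check(conf):
    # Returns a list of findings for allow-query / allow-recursion; [] means compliant.
    findings, acls = [], parse_acls(conf)
    for clause in ("allow-query", "allow-recursion"):
        m = re.search(rf"\b{clause}\s*\{{([^}}]*)\}}\s*;", conf)
        if m is None:
            findings.append(f"{clause} is not configured")
            continue
        # Negated ("!...") entries only narrow the match, so they are skipped.
        for entry in (e for e in _entries(m.group(1)) if not e.startswith("!")):
            items = [entry]                    # literal network or built-in name
            if entry in acls:
                items, end = acls[entry]
                if end > m.start():
                    findings.append(f"{clause}: ACL {entry} is defined after it is used")
            for item in items:
                if not entry_is_internal(item):
                    findings.append(f"{clause}: non-internal entry '{item}'")
    return findings
```

Run it against the live file with check(open("/etc/named.conf").read()); an empty list means no finding for this rule.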