STIGQter: STIG Summary: BIND 9.x Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 22 Jan 2021:

On a BIND 9.x server for zones split between the external and internal sides of a network, the RRs for the external hosts must be separate from the RRs for the internal hosts.

DISA Rule

SV-207583r612253_rule

Vulnerability Number

V-207583

Group Title

SRG-APP-000516-DNS-000091

Rule Version

BIND-9X-001400

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Edit the "named.conf" file.

Configure the internal and external view statements to use separate zone files.

Edit the internal and external zone files.

Configure the zone file to use RRs designated for internal or external use. The zone files should not share any RR.

Check Contents

If the BIND 9.x name server is not configured for split DNS, this is Not Applicable.

Verify that the BIND 9.x server is configured to use separate views and address space for internal and external DNS operations when operating in a split configuration.

Inspect the "named.conf" file for the following:

view "internal" {
    match-clients { <ip_address> | <address_match_list> };
    zone "example.com" {
        type master;
        file "internals.example.com";
    };
};
view "external" {
    match-clients { <ip_address> | <address_match_list> };
    zone "example.com" {
        type master;
        file "externals.db.example.com";
        allow-transfer { slaves; };
    };
};

If the internal and external view statements are configured to use the same zone file, this is a finding.

Inspect the zone file defined in the internal and external view statements.

If any resource record is listed in both the internal and external zone files, this is a finding.
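Added example for the second part of this check (not part of the STIG or of BIND): a Python script that parses the internal and external zone files and lists every RR present in both, which is exactly the condition that makes this a finding. The zone contents and the names example.com, ns-int and ns1 are constructed samples, not data from this page.

```python
import re

def parse_zone(text, default_origin):
    """Return {(owner, type, rdata)} for every single-line RR in a zone file.
    Handles ';' comments, $ORIGIN/$TTL, '@', relative and blank (repeated)
    owner names and optional TTL/class fields; multi-line RRs are not parsed."""
    origin = default_origin.rstrip(".") + "."
    last_owner, records = origin, set()
    for raw in text.splitlines():
        fields = raw.split(";", 1)[0].split()        # strip comments, tokenise
        if not fields:
            continue
        if fields[0].startswith("$"):                 # directive, carries no RR
            if fields[0].upper() == "$ORIGIN" and len(fields) > 1:
                origin = fields[1].rstrip(".") + "."
            continue
        # Leading whitespace means "same owner as the previous record".
        owner = last_owner if raw[0].isspace() else fields.pop(0)
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = f"{owner}.{origin}"
        last_owner = owner
        # Drop optional TTL (3600, 1h, ...) and class (IN/CH/HS) fields.
        while fields and (re.fullmatch(r"\d+[smhdw]?", fields[0], re.I)
                          or fields[0].upper() in ("IN", "CH", "HS")):
            fields.pop(0)
        if len(fields) >= 2:                          # type + rdata present
            records.add((owner.lower(), fields[0].upper(), " ".join(fields[1:]).lower()))
    return records

def shared_records(internal_text, external_text, origin="example.com"):
    """RRs present in both zone files; any result is a finding for this check."""
    return sorted(parse_zone(internal_text, origin) & parse_zone(external_text, origin))

# Constructed sample zones (not real data); ns-int is the record that leaked.
INTERNAL_ZONE = """$TTL 3600
@        IN SOA ns-int.example.com. hostmaster.example.com. ( 2021012201 3600 900 604800 300 )
         IN NS  ns-int.example.com.
ns-int   IN A   10.0.0.2
www      IN A   10.0.0.10      ; internal-only address
"""
EXTERNAL_ZONE = """$ORIGIN example.com.
@        IN SOA ns1.example.com. hostmaster.example.com. ( 2021012202 3600 900 604800 300 )
         IN NS  ns1.example.com.
ns1      IN A   203.0.113.2
www      IN A   203.0.113.10
ns-int   IN A   10.0.0.2       ; internal RR leaked into the external zone
"""
```

Run `shared_records(INTERNAL_ZONE, EXTERNAL_ZONE)` on the real files named in the two view statements; an empty list is the only passing result.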

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

2926

Comments