STIGQter: STIG Summary: BIND 9.x Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 22 Jan 2021

On a BIND 9.x server in a split DNS configuration, where separate name servers are used between the external and internal networks, the external name server must be configured to not be reachable from inside resolvers.

DISA Rule

SV-207584r612253_rule

Vulnerability Number

V-207584

Group Title

SRG-APP-000516-DNS-000092

Rule Version

BIND-9X-001401

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Edit the "named.conf" file.

Configure the external view statement to serve external hosts only:

view "external" {
    match-clients { <ip_address> | <address_match_list>; };
};

Restart the BIND 9.x process.

Check Contents

If the BIND 9.x name server is not configured for split DNS, this is Not Applicable.

Verify that the external view of the BIND 9.x server is configured to only serve external hosts.

Inspect the "named.conf" file for the following:

view "external" {
    match-clients { <ip_address> | <address_match_list>; };
};

If the "match-clients" sub statement does not limit the external view to external hosts only, this is a finding.
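As an added example that is not part of the STIG or of BIND itself, the following Python script applies the fix and check above to two constructed named.conf fragments: an external view that negates an internal ACL before matching `any` (compliant) and one that matches `any` (a finding). The sample configuration, the probe addresses and the function names are assumptions of the example; it emulates BIND's first-match address_match_list evaluation instead of calling named.

```python
import re
import ipaddress

# Constructed named.conf fragments used as sample input (not from the STIG page).
COMPLIANT = '''
acl "internal" { 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; localhost; };
view "internal" { match-clients { internal; }; recursion yes; };
view "external" { match-clients { !internal; any; }; recursion no; };
'''
NONCOMPLIANT = '''view "external" { match-clients { any; }; recursion no; };'''
# Constructed addresses standing in for inside resolvers the external view must refuse.
INTERNAL_PROBES = ['10.1.2.3', '172.20.0.9', '192.168.1.10', '127.0.0.1']

def split_list(body):
    return [t.strip() for t in body.split(';') if t.strip()]

def parse_acls(conf):
    """Named acl statements -> {name: [elements]}."""
    return {n: split_list(b) for n, b in re.findall(r'acl\s+"?([\w.-]+)"?\s*\{([^}]*)\}', conf)}

def view_match_clients(conf, view):
    """match-clients elements of the named view; BIND defaults to 'any' when absent."""
    for chunk in re.split(r'(?=view\s+")', conf):
        if re.match(r'view\s+"%s"' % re.escape(view), chunk):
            mc = re.search(r'match-clients\s*\{([^}]*)\}', chunk)
            return split_list(mc.group(1)) if mc else ['any']
    return None

def matches(addr, elements, acls):
    """Emulate a BIND address_match_list: first match wins, '!' negates, names are acls."""
    ip = ipaddress.ip_address(addr)
    for el in elements:
        negate = el.startswith('!')
        el = el.lstrip('!').strip()
        if el in ('any', 'none'):
            hit = el == 'any'
        elif el == 'localhost':
            hit = ip.is_loopback
        elif el in acls:
            hit = matches(addr, acls[el], acls)
        else:
            hit = ip in ipaddress.ip_network(el, strict=False)
        if hit:
            return not negate
    return False

def external_view_finding(conf):
    """Internal probes the external view would serve (non-empty = finding); None if no external view."""
    elements = view_match_clients(conf, 'external')
    acls = parse_acls(conf)
    return None if elements is None else [a for a in INTERNAL_PROBES if matches(a, elements, acls)]
```

A configuration without an external view returns None, which corresponds to the "not configured for split DNS, Not Applicable" branch of the check.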

Documentable

False

Check Content Reference

M

Target Key

2926
