STIGQter: STIG Summary: BIND 9.x Security Technical Implementation Guide, Version 2, Release 1, Benchmark Date: 22 Jan 2021

A BIND 9.x server implementation must enforce approved authorizations for controlling the flow of information between authoritative name servers and specified secondary name servers based on DNSSEC policies.

DISA Rule

SV-207591r612253_rule

Vulnerability Number

V-207591

Group Title

SRG-APP-000215-DNS-000003

Rule Version

BIND-9X-001510

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

For an authoritative name server:

Configure each zone statement to allow transfers from authorized hosts:

allow-transfer { <ip_address_list>; };

Restart the BIND 9.x process.

For a secondary server:

Configure each zone to deny zone transfer requests:

allow-transfer { none; };

Restart the BIND 9.x process.

Check Contents

On an authoritative name server, verify that each zone statement defined in the "named.conf" file contains an "allow-transfer" statement.

Inspect the "named.conf" file for the following:

zone example.com {
allow-transfer { <ip_address_list>; };
};

If there is not an "allow-transfer" statement for each zone defined, or the list contains IP addresses that are not authorized for that zone, this is a finding.

On a slave name server, verify that each zone statement defined in the "named.conf" file contains an "allow-transfer" statement.

Inspect the "named.conf" file for the following:

zone example.com {
allow-transfer { none; };
};

If there is not an "allow-transfer" statement, or the statement is not set to "none", this is a finding.
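The fix and check above can be automated. The following script is an added example written for this page; it is not part of the STIG, STIGQter or ISC BIND. It parses the zone statements of a named.conf, extracts each zone's type and zone-level "allow-transfer" ACL, and applies the STIG logic: a primary (master) zone must carry its own "allow-transfer" limited to the operator-supplied authorized hosts, and a secondary (slave) zone must carry "allow-transfer { none; }". Because the check requires the statement in each zone statement, an "allow-transfer" set only in options {} does not satisfy it and is still reported. The sample configuration, the zone names and the AUTHORIZED map are constructed for the demonstration; zone types other than primary/secondary are parsed but not assessed.

```python
"""Audit named.conf zone statements for the allow-transfer requirement.

Added example, not from the STIG or from BIND. Assumes the named.conf text is
available as a string and that the operator supplies, per zone, the set of IP
addresses authorized to receive transfers (the AUTHORIZED map below is constructed).
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Optional, Set, Tuple


def strip_comments(text: str) -> str:
    """Remove the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*?$", "", text, flags=re.M)


def extract_blocks(text: str, keyword: str) -> Iterator[Tuple[str, str]]:
    """Yield (header, body) for every `keyword <header> { body };` statement.

    Brace depth is tracked so nested braces (ACLs, masters lists) stay inside the
    body. The lookbehind keeps 'zone' in a file name like "x.zone" from matching.
    """
    pattern = re.compile(r"(?<![\w.\-\"])" + keyword + r"\s+([^{;]*?)\s*\{")
    pos = 0
    while True:
        m = pattern.search(text, pos)
        if not m:
            return
        depth, i = 1, m.end()
        while i < len(text) and depth:
            if text[i] == "{":
                depth += 1
            elif text[i] == "}":
                depth -= 1
            i += 1
        yield m.group(1).strip(), text[m.end():i - 1]
        pos = i


@dataclass
class ZoneAudit:
    name: str
    zone_type: str
    allow_transfer: Optional[List[str]]  # None = no zone-level statement
    findings: List[str] = field(default_factory=list)


def parse_zones(conf: str) -> List[ZoneAudit]:
    """Collect name, type and zone-level allow-transfer ACL for each zone."""
    zones = []
    for header, body in extract_blocks(strip_comments(conf), "zone"):
        name = header.split()[0].strip('"') if header.split() else ""
        t = re.search(r"\btype\s+([\w-]+)\s*;", body)
        at = re.search(r"\ballow-transfer\s*\{([^}]*)\}", body)
        allow = None
        if at:
            allow = [tok.strip() for tok in at.group(1).split(";") if tok.strip()]
        zones.append(ZoneAudit(name, t.group(1).lower() if t else "", allow))
    return zones


def audit(conf: str, authorized: Dict[str, Set[str]]) -> List[ZoneAudit]:
    """Apply the STIG check to every primary/master and secondary/slave zone."""
    results = parse_zones(conf)
    for z in results:
        if z.zone_type in ("master", "primary"):
            if z.allow_transfer is None:
                z.findings.append("no zone-level allow-transfer statement")
            else:
                extra = set(z.allow_transfer) - authorized.get(z.name, set())
                if extra:  # 'any' or an unlisted address lands here
                    z.findings.append(f"unauthorized transfer targets: {sorted(extra)}")
        elif z.zone_type in ("slave", "secondary"):
            if z.allow_transfer != ["none"]:
                z.findings.append("allow-transfer must be { none; } on a secondary")
    return results


def report(conf: str, authorized: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Map zone name -> list of findings (empty list means compliant)."""
    return {z.name: z.findings for z in audit(conf, authorized)}


# Constructed sample named.conf (documentation addresses only).
SAMPLE_NAMED_CONF = """
options { directory "/var/named"; allow-transfer { none; }; };

zone "example.com" IN {
    type master;
    file "example.com.zone";
    allow-transfer { 192.0.2.10; 192.0.2.11; };   # authorized secondaries
};

zone "corp.example" {
    type master;   /* relies on options{} only: a finding per the check */
    file "corp.example.zone";
};

zone "open.example" {
    type master;
    file "open.example.zone";
    allow-transfer { any; };
};

zone "example.net" {
    type slave;
    masters { 198.51.100.5; };
    file "slaves/example.net.zone";
    allow-transfer { none; };
};

zone "example.org" {
    type secondary;
    primaries { 198.51.100.5; };
    file "slaves/example.org.zone";
    allow-transfer { 203.0.113.7; };
};
"""

# Constructed: hosts authorized to pull each zone from this primary.
AUTHORIZED = {"example.com": {"192.0.2.10", "192.0.2.11"}}

if __name__ == "__main__":
    for name, findings in report(SAMPLE_NAMED_CONF, AUTHORIZED).items():
        status = "FINDING" if findings else "ok"
        print(f"{name:15} {status:8} {'; '.join(findings)}")
```

Run against the sample, the script reports example.com and example.net as compliant and flags corp.example (no zone-level statement), open.example (transfer to "any") and example.org (a secondary allowing transfers to a host). Point it at a real named.conf by reading the file into a string and replacing AUTHORIZED with the zone-to-secondary mapping from the system documentation.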

Vulnerability Number

V-207591

Documentable

False

Rule Version

BIND-9X-001510

Severity Override Guidance

On an authoritative name server, verify that each zone statement defined in the "named.conf" file contains an "allow-transfer" statement.

Inspect the "named.conf" file for the following:

zone example.com {
allow-transfer { <ip_address_list>; };
};

If there is not an "allow-transfer" statement for each zone defined, or the list contains IP addresses that are not authorized for that zone, this is a finding.

On a slave name server, verify that each zone statement defined in the "named.conf" file contains an "allow-transfer" statement.

Inspect the "named.conf" file for the following:

zone example.com {
allow-transfer { none; };
};

If there is not an "allow-transfer" statement, or the statement is not set to "none", this is a finding.

Check Content Reference

M

Target Key

2926

Comments