STIGQter: STIG Summary: BIND 9.x Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 22 Jan 2021:

On a BIND 9.x server all authoritative name servers for a zone must be located on different network segments.

DISA Rule

SV-207595r612253_rule

Vulnerability Number

V-207595

Group Title

SRG-APP-000516-DNS-000087

Rule Version

BIND-9X-001612

Severity

CAT II

CCI(s)

• CCI-000366 - The organization implements the security configuration settings.

Weight

10

Fix Recommendation

Edit the zone file and configure each name server on a separate network segment.

Check Contents

Verify that each name server listed on the BIND 9.x server is on a separate network segment.

Inspect the "named.conf" file and identify all of the zone files that the BIND 9.x server is using.

zone "example.com" {
file "zone_file";
};

Inspect each zone file and identify each A record for each NS record listed:

ns1.example.com 86400 IN A 192.168.1.4
ns2.example.com 86400 IN A 192.168.2.4

If there are name servers listed in the zone file that are not on different network segments for the specified domain, this is a finding.

Vulnerability Number

V-207595

Documentable

False

Rule Version

BIND-9X-001612

Severity Override Guidance

Verify that each name server listed on the BIND 9.x server is on a separate network segment.

Inspect the "named.conf" file and identify all of the zone files that the BIND 9.x server is using.

zone "example.com" {
file "zone_file";
};

Inspect each zone file and identify each A record for each NS record listed:

ns1.example.com 86400 IN A 192.168.1.4
ns2.example.com 86400 IN A 192.168.2.4

If there are name servers listed in the zone file that are not on different network segments for the specified domain, this is a finding.

Check Content Reference

M

Target Key

2926

Comments