STIGQter: STIG Summary: BIND 9.x Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 22 Jan 2021:

On a BIND 9.x server all root name servers listed in the local root zone file hosted on a BIND 9.x authoritative name server must be valid for that zone.

DISA Rule

SV-207597r612253_rule

Vulnerability Number

V-207597

Group Title

SRG-APP-000516-DNS-000102

Rule Version

BIND-9X-001620

Severity

CAT III

CCI(s)

• CCI-000366 - The organization implements the security configuration settings.

Weight

10

Fix Recommendation

Edit the local root zone file.

Remove any reference to a domain that is outside of the name server’s primary domain.

Restart the BIND 9.x process.

Check Contents

If this is an authoritative name server, this is Not Applicable.

Identify the local root zone file in named.conf:

zone "." IN {
type hint;
file "<file_name>"
};

Examine the local root zone file.

If the local root zone file lists domains outside of the name server’s primary domain, this is a finding.

Vulnerability Number

V-207597

Documentable

False

Rule Version

BIND-9X-001620

Severity Override Guidance

If this is an authoritative name server, this is Not Applicable.

Identify the local root zone file in named.conf:

zone "." IN {
type hint;
file "<file_name>"
};

Examine the local root zone file.

If the local root zone file lists domains outside of the name server’s primary domain, this is a finding.

Check Content Reference

M

Target Key

2926

Comments