STIGQter: STIG Summary: BIND 9.x Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 22 Jan 2021:

On the BIND 9.x server a zone file must not include resource records that resolve to a fully qualified domain name residing in another zone.

DISA Rule

SV-207599r612253_rule

Vulnerability Number

V-207599

Group Title

SRG-APP-000516-DNS-000113

Rule Version

BIND-9X-001700

Severity

CAT II

CCI(s)

• CCI-000366 - The organization implements the security configuration settings.

Weight

10

Fix Recommendation

In the case of third-party CDNs or cloud offerings, document the mission need with the AO.

Edit the zone file.

Remove any record that points to a different zone, with the exception of approved CDNs or cloud offerings.

Restart the BIND 9.x process.

Check Contents

Verify that the zone files used by the BIND 9.x server do not contain resource records for a domain in which the server is not authoritative.

The exceptions are glue records supporting zone delegations, CNAME records supporting a system migration, or CNAME records that point to third-party Content Delivery Networks (CDN) or cloud computing platforms. In the case of third-party CDNs or cloud offerings, an approved mission need must be demonstrated.

Inspect the "named.conf" file to identify the zone files, for which the server is authoritative:

zone example.com {
file "db.example.com.signed";
};

Inspect each zone file for which the server is authoritative.

If there are CNAME records that point to third-party Content Delivery Networks (CDN) or cloud computing platforms without an AO-approved and documented mission need, this is a finding.

If a zone file contains records that resolve to another zone, excluding the above, this is a finding.

Vulnerability Number

V-207599

Documentable

False

Rule Version

BIND-9X-001700

Severity Override Guidance

Verify that the zone files used by the BIND 9.x server do not contain resource records for a domain in which the server is not authoritative.

The exceptions are glue records supporting zone delegations, CNAME records supporting a system migration, or CNAME records that point to third-party Content Delivery Networks (CDN) or cloud computing platforms. In the case of third-party CDNs or cloud offerings, an approved mission need must be demonstrated.

Inspect the "named.conf" file to identify the zone files, for which the server is authoritative:

zone example.com {
file "db.example.com.signed";
};

Inspect each zone file for which the server is authoritative.

If there are CNAME records that point to third-party Content Delivery Networks (CDN) or cloud computing platforms without an AO-approved and documented mission need, this is a finding.

If a zone file contains records that resolve to another zone, excluding the above, this is a finding.

Check Content Reference

M

Target Key

2926

Comments