STIGQter: STIG Summary: BIND 9.x Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 22 Jan 2021:

The BIND 9.x server implementation must prohibit the forwarding of queries to servers controlled by organizations outside of the U.S. Government.

DISA Rule

SV-207601r612253_rule

Vulnerability Number

V-207601

Group Title

SRG-APP-000516-DNS-000500

Rule Version

BIND-9X-001702

Severity

CAT II

CCI(s)

CCI-000366 - The organization implements the security configuration settings.

Weight

Fix Recommendation

Configure the BIND 9.x caching name server to utilize the DISA ERS anycast IP addresses.

Edit the "named.conf" file and add the following to the global options statement:

forward only;
forwarders { <IP_ADDRESS_LIST>; };

Note: "<IP_ADDRESS_LIST>" should be replaced with the current ERS IP addresses.

Restart the BIND 9.x process.

Check Contents

If the server is not a caching server, this is Not Applicable.

Note: The use of the DREN Enterprise Recursive DNS (Domain Name System) servers, as mandated by the DoDIN service provider Defense Research and Engineering Network (DREN), meets the intent of this requirement.

Verify that the server is configured to forward all DNS traffic to the DISA Enterprise Recursive Service (ERS) anycast IP addresses ( <IP_ADDRESS_LIST>; ):

Inspect the "named.conf" file for the following:

forward only;
forwarders { <IP_ADDRESS_LIST>; };

If the "named.conf" options are not set to forward queries only to the ERS anycast IPs, this is a finding.

Note: "<IP_ADDRESS_LIST>" should be replaced with the current ERS IP addresses.

The BIND 9.x server implementation must prohibit the forwarding of queries to servers controlled by organizations outside of the U.S. Government.

DISA Rule

Vulnerability Number

Group Title

Rule Version

Severity

CCI(s)

Weight

Fix Recommendation

Check Contents

Vulnerability Number

Documentable

Rule Version

Severity Override Guidance

Check Content Reference

Target Key

Comments