Free DISA STIG and SRG Library | Vaulted

V-72513

On a BIND 9.x server all root name servers listed in the local root zone file hosted on a BIND 9.x authoritative name server must be empty or removed.

Finding ID
BIND-9X-001621
Rule ID
SV-87137r1_rule
Severity
Cat III
CCE
(None)
Group Title
SRG-APP-000516-DNS-000102
CCI
CCI-000366
Target Key
(None)
Documentable
No
Discussion

A potential vulnerability of DNS is that an attacker can poison a name servers cache by sending queries that will cause the server to obtain host-to-IP address mappings from bogus name servers that respond with incorrect information. The DNS architecture needs to maintain one name server whose zone records are correct and the cache is not poisoned, in this effort the authoritative name server may not forward queries, one of the ways to prevent this, the root hints file is to be deleted. When authoritative servers are sent queries for zones that they are not authoritative for, and they are configured as a non-caching server (as recommended), they can either be configured to return a referral to the root servers or they can be configured to refuse to answer the query. The requirement is to configure authoritative servers to refuse to answer queries for any zones for which they are not authoritative. This is more efficient for the server, and allows it to spend more of its resources doing what its intended purpose is; answering authoritatively for its zone.

Fix Text

Remove the local root zone file from the name server.

Check Content

If this server is a caching name server, this is Not Applicable. Ensure there is not a local root zone on the name server. Inspect the "named.conf" file for the following: zone "." IN { type hint; file "&lt;<file_name>" }; If the file name identified is not empty or does exist, this is a finding.