Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-72487 | BIND-9X-001402 | SV-87111r1_rule | Medium |
Description |
---|
Instead of having the same set of authoritative name servers serve different types of clients, an enterprise could have two different sets of authoritative name servers. One set, called external name servers, can be located within a DMZ; these would be the only name servers that are accessible to external clients and would serve RRs pertaining to hosts with public services (Web servers that serve external Web pages or provide B2C services, mail servers, etc.) The other set, called internal name servers, is to be located within the firewall and should be configured so they are not reachable from outside and hence provide naming services exclusively to internal clients. |
STIG | Date |
---|---|
BIND 9.x Security Technical Implementation Guide | 2017-05-26 |
Check Text ( C-72689r1_chk ) |
---|
If the BIND 9.x name server is not configured for split DNS, this is Not Applicable. Verify that the BIND 9.x server is configured to use the "match-clients" sub statement to limit the reach of the internal view from the external view. Inspect the "named.conf" file for the following: view "internal" { match-clients { }; If the "match-clients" sub statement is missing for the internal view, this is a finding. If the "match-clients" sub statement for the internal view does not limit the view to authorized hosts, this is a finding. If any of the IP addresses defined for the "match-clients" sub statement in the internal view are assigned to external hosts, this is a finding. |
Fix Text (F-78843r1_fix) |
---|
Edit the "named.conf" file. Configure the internal view statement to limit use authorized internal hosts: view "internal" { match-clients { }; Remove any IP address that is assigned to an external host from the internal view statement. Restart the BIND 9.x process. |