UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

A BIND 9.x server implementation must be operating on a Current-Stable version as defined by ISC.


Overview

Finding ID Version Rule ID IA Controls Severity
V-72365 BIND-9X-001000 SV-86989r2_rule High
Description
The BIND STIG was written to incorporate capabilities and features provided in BIND version 9.9.x. However, it is recognized that security vulnerabilities in BIND are identified and then addressed on a regular, ongoing basis. Therefore it is required that the product be maintained at the latest stable versions in order to address vulnerabilities that are subsequently identified and can then be remediated via updates to the product. Failure to run a version of BIND that has the capability to implement all of the required security features and that does provide services compliant to the DNS RFCs can have a severe impact on the security posture of a DNS infrastructure. Without the required security in place, a DNS implementation is vulnerable to many types of attacks and could be used as a launching point for further attacks on the organizational network that is utilizing the DNS implementation. Satisfies: SRG-APP-000516-DNS-000097, SRG-APP-000516-DNS-000103
STIG Date
BIND 9.x Security Technical Implementation Guide 2019-12-18

Details

Check Text ( C-72569r2_chk )
Verify that the BIND 9.x server is at a version that is considered "Current-Stable" by ISC or latest supported version of BIND when BIND is installed as part of a specific vendor implementation where the vendor maintains the BIND patches.

# named -v

The above command should produce a version number similar to the following:

BIND 9.9.4-RedHat-9.9.4-29.el7_2.3

If the server is running a version that is not listed as "Current-Stable" by ISC, this is a finding.
Fix Text (F-78721r2_fix)
Update the BIND 9.x server to a version that is listed as “Current-Stable” by ISC or latest supported version of BIND when BIND is installed as part of a specific vendor implementation where the vendor maintains the BIND patches.