The host running a BIND 9.X implementation must implement a set of firewall rules that restrict traffic on the DNS interface.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-207536	BIND-9X-001004	SV-207536r879887_rule		Medium

Description
Configuring hosts that run a BIND 9.X implementation to only accept DNS traffic on a DNS interface allows a system firewall to be configured to limit the allowed incoming ports/protocols to 53/tcp and 53/udp. Sending outgoing DNS messages from a random port minimizes the risk of an attacker guessing the outgoing message port and sending forged replies. The TCP/IP stack in DNS hosts (stub resolver, caching/resolving/recursive name server, authoritative name server, etc.) could be subjected to packet flooding attacks (such as SYNC and smurf), resulting in disruption of communication. By implementing a specific set of firewall rules that limit accepted traffic to the interface, these risk of packet flooding and other TCP/IP based attacks is reduced.

Description

Configuring hosts that run a BIND 9.X implementation to only accept DNS traffic on a DNS interface allows a system firewall to be configured to limit the allowed incoming ports/protocols to 53/tcp and 53/udp. Sending outgoing DNS messages from a random port minimizes the risk of an attacker guessing the outgoing message port and sending forged replies. The TCP/IP stack in DNS hosts (stub resolver, caching/resolving/recursive name server, authoritative name server, etc.) could be subjected to packet flooding attacks (such as SYNC and smurf), resulting in disruption of communication. By implementing a specific set of firewall rules that limit accepted traffic to the interface, these risk of packet flooding and other TCP/IP based attacks is reduced.

STIG	Date
BIND 9.x Security Technical Implementation Guide	2024-02-15

Details

Check Text ( C-7791r283662_chk )
With the assistance of the DNS administrator, verify that the OS firewall is configured to only allow incoming messages on ports 53/tcp and 53/udp. Note: The following rules are for the IPTables firewall. If the system is utilizing a different firewall, the rules may be different. Inspect the hosts firewall rules for the following rules: -A INPUT -i [DNS Interface] -p tcp --dport 53 -j ACCEPT -A INPUT -i [DNS Interface] -p udp --dport 53 -j ACCEPT -A INPUT -i [DNS Interface] -j DROP If any of the above rules do not exist, this is a finding. If there are rules listed that allow traffic on ports other than 53/tcp and 53/udp, this is a finding.

Check Text ( C-7791r283662_chk )

With the assistance of the DNS administrator, verify that the OS firewall is configured to only allow incoming messages on ports 53/tcp and 53/udp.

Note: The following rules are for the IPTables firewall. If the system is utilizing a different firewall, the rules may be different.

Inspect the hosts firewall rules for the following rules:

-A INPUT -i [DNS Interface] -p tcp --dport 53 -j ACCEPT
-A INPUT -i [DNS Interface] -p udp --dport 53 -j ACCEPT
-A INPUT -i [DNS Interface] -j DROP

If any of the above rules do not exist, this is a finding.

If there are rules listed that allow traffic on ports other than 53/tcp and 53/udp, this is a finding.

Fix Text (F-7791r283663_fix)
Configure the OS firewall to only allow incoming DNS traffic on ports 53/tcp and 53/udp. Add the following rules to the host firewall rule set: # iptables -A INPUT -i [DNS Interface] -p tcp --dport 53 -j ACCEPT # iptables -A INPUT -i [DNS Interface] -p udp --dport 53 -j ACCEPT # iptables -A INPUT -i [DNS Interface] -j DROP Note: If the system is not using an IPTables firewall, the appropriate firewall rules that limit traffic to ports 53/tcp and 53/udp should be configured on the active firewall.

Fix Text (F-7791r283663_fix)

Configure the OS firewall to only allow incoming DNS traffic on ports 53/tcp and 53/udp.
Add the following rules to the host firewall rule set:

# iptables -A INPUT -i [DNS Interface] -p tcp --dport 53 -j ACCEPT
# iptables -A INPUT -i [DNS Interface] -p udp --dport 53 -j ACCEPT
# iptables -A INPUT -i [DNS Interface] -j DROP

Note: If the system is not using an IPTables firewall, the appropriate firewall rules that limit traffic to ports 53/tcp and 53/udp should be configured on the active firewall.