
BIND DNS



Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-4488 High The DNS software does not log, at a minimum, success and failure of starting and stopping of the name server service daemon, zone transfers, zone update notifications, and dynamic updates.
V-4481 High Dynamic updates are not cryptographically authenticated.
V-4482 High The DNS software administrator will configure each master/slave server supporting a zone to cryptographically authenticate zone transfers.
V-4491 High Valid root name servers do not appear in the local root zone file. G and H root servers, at a minimum, do not appear in the local root zone files.
V-24996 High The DNS server will not use a statically configured source port for all DNS query traffic.
V-4470 High The DNS database administrator has not ensured each NS record in a zone file points to an active name server authoritative for the domain specified in that record.
V-14766 High The DNSSEC private key file is not owned by the DNS administrator or the permissions are not set to a minimum of 600.
V-3618 Medium A UNIX or UNIX-based name server is running unnecessary daemon/services and/or is configured to start an unnecessary daemon, service, or program upon boot up.
V-14758 Medium The DNS software administrator will ensure the named.conf options statement does not include the option "listen-on-v6 { any; };" when an IPv6 interface is not configured and enabled.
V-4489 Medium The DNS software administrator has not configured the DNS software to send all log data to either the system logging facility (e.g., UNIX syslog or Windows Application Event Log) or an alternative logging facility with security configuration equivalent to or more restrictive than the system logging facility.
V-4480 Medium A cryptographic key used to secure DNS transactions has been utilized on a name server for more than one year.
V-4483 Medium A zone master server does not limit zone transfers to a list of active slave name servers authoritative for that zone.
V-4485 Medium A name server is not configured to only accept notifications of zone changes from a host authoritative for that zone.
V-4487 Medium A caching name server does not restrict recursive queries to only the IP addresses and IP address ranges of known supported clients.
V-4486 Medium Recursion is not prohibited on an authoritative name server.
V-24997 Medium All DNS caching resolvers (a.k.a. "recursive name servers") will have port and Query ID randomization enabled for all DNS query packets/frames.
V-3624 Medium The appropriate encryption software is not correctly installed and configured on Windows ISC BIND name servers and it is required that in-band remote management be performed from hosts outside the enclave in which the name server resides.
V-3626 Medium The ownership and permissions on all Windows ISC BIND name servers are not as restrictive as required.
V-3620 Medium Permissions on critical UNIX name server files are not as restrictive as required.
V-3621 Medium ISC BIND is not configured to run as a dedicated non-privileged service user account.
V-12774 Medium The forwarding configuration of DNS servers allows the forwarding of queries to servers controlled by organizations outside of the U.S. Government.
V-4478 Medium The name server’s IP address is NOT statically defined and configured locally on the server. The name server has a DHCP address.
V-4479 Medium An integrity checking tool is not installed or not monitoring for modifications to the root.hints and named.conf files.
V-4473 Medium DNS software does not run on dedicated (running only those services required for DNS) hardware. The only currently accepted exception of this requirement is Windows 2000/2003 DNS, which must run on a domain controller that is integrated with Active Directory services.
V-4511 Medium A BIND name server is not configured to accept control messages only when the control messages are cryptographically authenticated and sent from an explicitly defined list of DNS administrator workstations.
V-14767 Medium DNSSEC is not enabled for signing files between name servers with DNSSEC capabilities.
V-4475 Medium Permissions on files containing DNS encryption keys are inadequate.
V-4476 Medium Users and/or processes other than the DNS software Process ID (PID) and/or the DNS database administrator have edit/write access to the zone database files.
V-12966 Medium Inadequate file permissions on BIND name servers.
V-4477 Medium Users or processes other than the DNS software administrator and the DNS software PID have read access to the DNS software configuration files and/or users other than the DNS software administrator have write access to these files.
V-4494 Medium A TSIG key is not in its own dedicated file.
V-4495 Medium A unique TSIG key is not utilized for communication between name servers sharing zone information.
V-3619 Low It is possible to obtain a command shell by logging on to the DNS user account.
V-14756 Low The DNS administrator will ensure non-routable IPv6 link-local scope addresses are not configured in any zone. Such addresses begin with the prefixes "FE8", "FE9", "FEA", or "FEB".
V-3617 Low BIND is not configured to run as a dedicated non-privileged user account. BIND is running as a root user.
V-12440 Low A unique TSIG key is not generated and utilized for each type of transaction.
V-3622 Low The ISC BIND service user is a member of a group other than Everyone and Authenticated Users.
V-3623 Low The ISC BIND service does not have the appropriate user rights required for the proper configuration and security of ISC BIND.
V-14764 Low The DNSSEC zone signing key size is not at least 1024 bits.
V-14765 Low The DNSSEC zone signing key minimum roll over period is not at least 60 days.
V-14762 Low The DNSSEC key signing key does not have a minimum roll over period of one year.
V-14761 Low The DNSSEC key signing key is not at least 2048 bits.
V-12967 Low The SA has not configured BIND in a chroot(ed) directory structure.
V-14757 Low AAAA addresses are configured on a host that is not IPv6 aware.
V-4492 Low The DNS software administrator has not removed the root hints file on an authoritative name server in order for it to resolve only those records for which it is authoritative, and ensure that all other queries are refused.
V-4493 Low The DNS software administrator has not utilized at least 160 bit HMAC-SHA1 keys if available.
V-4490 Low Entries in the name server logs do not contain timestamps and severity information.
V-4467 Low Record owners will validate their zones no less than annually. The DNS database administrator will remove all zone records that have not been validated in over a year.
V-14760 Low The DNSSEC algorithm for digital signatures is not RSASHA1.
V-14759 Low The DNS administrator, when implementing DNSSEC, will create and maintain separate key-pairs for key signing and zone signing.
V-4469 Low Zone-spanning CNAME records, that point to a zone with lesser security, are active for more than six months.
V-4468 Low Resource records for a host in a zone file are included and their fully qualified domain name resides in another zone. The exception is a glue record or CNAME record supporting a system migration.
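Seven of the rows above (V-4486, V-4487, V-4483, V-4482, V-4481, V-24996 and V-4511) correspond to specific named.conf statements. The script below is an added example, not part of the STIG or of ISC BIND: it scans a named.conf text with a brace-aware regex pass (not a full parser; it does not follow `include` or descend into `view` blocks) and reports those seven findings. The mapping from each check to a finding ID is this script's own reading of the row titles, not DISA's check procedure, and the two embedded configuration fragments are constructed samples whose hosts, paths, key names and zone are invented: a weak one that trips every check and a hardened one that passes them all.

```python
"""Audit a named.conf text for seven findings from the table above (added example,
not from the STIG or from ISC BIND; the finding-ID mapping is this script's reading
of the row titles, and both config fragments below are constructed samples)."""
import re

WEAK_CONF = """
options {
    query-source address * port 53;        // V-24996: static source port
    allow-transfer { any; };               // V-4483/V-4482: anyone, no TSIG
    // no 'recursion no;' and no allow-recursion: V-4486/V-4487
};
controls {
    inet 0.0.0.0 port 953 allow { any; };  // V-4511: any host, no key
};
zone "example.test" {
    type master;
    file "example.test.db";
    allow-update { 10.0.0.0/8; };          // V-4481: address-based updates
};
"""

HARDENED_CONF = """
include "/etc/named/keys/xfer-ns2.key";    // one TSIG key per file (V-4494)
include "/etc/named/keys/rndc.key";
options {
    recursion no;                          // authoritative server only
    allow-transfer { key xfer-ns2; };      // TSIG-authenticated, named peer
    allow-update { none; };
    query-source address * port *;         // let named randomise the port
};
controls {                                 // 10.0.0.5 = admin workstation
    inet 10.0.0.1 port 953 allow { 10.0.0.5; } keys { "rndc-key"; };
};
zone "example.test" {
    type master;
    file "example.test.db";
};
"""

def strip_comments(text):
    """Drop /* */, // and # comments so they can neither satisfy nor hide a statement."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)

def blocks(text, header):
    """Yield the body of every `<header> { ... }` block, honouring nested braces."""
    for m in re.finditer(r"(?<![\w-])" + header + r"\s*\{", text):
        depth, start = 1, m.end()
        for i in range(start, len(text)):
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            if depth == 0:
                yield text[start:i]
                break

def stmt(body, name):
    """Value of `<name> <value>;` in body (a `{ ... }` list or bare tokens), else None."""
    m = re.search(r"(?<![\w-])" + re.escape(name) + r"\s+(\{[^}]*\}|[^;{]*?)\s*;", body)
    return m.group(1).strip() if m else None

def any_host(acl):
    """True when an address list is absent or contains the `any` match element."""
    return acl is None or re.search(r"(?<![\w.-])any(?![\w.-])", acl) is not None

ZONE_HDR = r'zone\s+"[^"]+"(?:\s+\w+)?'
INET_RE = re.compile(r"(?<![\w-])inet\s+(\S+)[^{;]*allow\s*\{([^}]*)\}(\s*keys\s*\{[^}]*\})?")
KEYED = re.compile(r"(?<![\w-])key\s")                 # ACL element `key <name>`

def audit(conf):
    """Return {finding_id: reason}; an empty dict means every check passed."""
    text = strip_comments(conf)
    opts = next(blocks(text, "options"), "")
    masters = [z for z in blocks(text, ZONE_HDR) if stmt(z, "type") in ("master", "primary")]
    findings = {}
    recursion = stmt(opts, "recursion")
    if masters and recursion != "no":
        findings["V-4486"] = "authoritative zones are served but recursion is not disabled"
    if recursion != "no" and any_host(stmt(opts, "allow-recursion")):
        findings["V-4487"] = "recursive service is not limited to an address list"
    for z in masters:
        xfer = stmt(z, "allow-transfer") or stmt(opts, "allow-transfer")
        if any_host(xfer):
            findings["V-4483"] = "zone transfers are not limited to the slave servers"
        if not KEYED.search(xfer or ""):
            findings["V-4482"] = "zone transfers are not TSIG-authenticated"
        upd = stmt(z, "allow-update") or stmt(opts, "allow-update")
        if upd and not re.fullmatch(r"\{\s*none;\s*\}", upd) and not KEYED.search(upd):
            findings["V-4481"] = "dynamic updates are admitted by source address only"
    port = re.search(r"port\s+(\S+)", stmt(opts, "query-source") or "")
    if port and port.group(1) != "*":
        findings["V-24996"] = "query-source pins the source port to " + port.group(1)
    for ctl in blocks(text, "controls"):
        for addr, allow, keys in INET_RE.findall(ctl):
            if addr in ("*", "0.0.0.0", "::", "any") or any_host(allow) or not keys:
                findings["V-4511"] = "rndc channel is not both key-authenticated and host-restricted"
    return findings

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf) or "no findings")
```

To run it against a live server, pass the flattened configuration rather than the raw file, e.g. the output of `named-checkconf -p`, which expands `include` statements; zone-level statements override the `options` defaults in the same way named applies them, which is why the checks look at each master zone and fall back to `options` only when the zone says nothing.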
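The key-handling rows (V-4494 one key per file, V-4495 a distinct key per peer, V-4480 no key in use for more than a year, V-4493 at least 160-bit HMAC secrets, V-14766 key files owned by the administrator and no wider than 0600) describe how TSIG key material should be produced and kept. As an added example, not part of the STIG or of ISC BIND, the script below writes each TSIG key into its own 0600 file in the `key "name" { algorithm ...; secret "..."; };` form that `tsig-keygen` prints and that named.conf can `include`, then audits a key directory for those five findings. It defaults to hmac-sha256 with 32-byte secrets, which clears the 160-bit floor the HMAC-SHA1 row sets; the one-year and 160-bit thresholds are taken from the row titles, the check-to-finding mapping is this script's own reading of them, and the key names and demo directory are constructed.

```python
"""Write and audit TSIG key files for the key-handling rows above (added example,
not from the STIG or from ISC BIND; thresholds come from the row titles and the
demo directory is constructed)."""
import base64
import os
import re
import secrets
import shutil
import stat
import tempfile
import time

# One `key "name" { algorithm ...; secret "..."; };` statement, the form tsig-keygen prints.
KEY_RE = re.compile(r'key\s+"([^"]+)"\s*\{\s*algorithm\s+([\w-]+)\s*;\s*secret\s+"([^"]+)"\s*;\s*\}\s*;')
MIN_SECRET_BYTES = 20           # 160 bits, the V-4493 floor
MAX_AGE_SECONDS = 365 * 86400   # V-4480: no key in service for more than a year

def write_tsig_key(keydir, name, algorithm="hmac-sha256", nbytes=32):
    """Create <keydir>/<name>.key holding exactly one key statement (V-4494), mode 0600."""
    secret = base64.b64encode(secrets.token_bytes(nbytes)).decode()
    path = os.path.join(keydir, name + ".key")
    body = 'key "%s" {\n    algorithm %s;\n    secret "%s";\n};\n' % (name, algorithm, secret)
    # O_EXCL refuses to clobber an existing key; 0600 applies from creation, not after.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(body)
    return path

def audit_key_dir(keydir, now=None):
    """Return {filename: [problems]} for *.key files in keydir; empty dict means clean."""
    now = time.time() if now is None else now
    problems, seen = {}, {}            # seen: raw secret -> first key name using it
    for fn in sorted(os.listdir(keydir)):
        if not fn.endswith(".key"):
            continue
        path, issues = os.path.join(keydir, fn), []
        st = os.stat(path)
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            issues.append("V-14766: mode %o grants group/other access" % stat.S_IMODE(st.st_mode))
        with open(path) as fh:
            keys = KEY_RE.findall(fh.read())
        if len(keys) != 1:
            issues.append("V-4494: %d key statements, expected exactly one" % len(keys))
        for name, _alg, secret in keys:
            raw = base64.b64decode(secret)
            if len(raw) < MIN_SECRET_BYTES:
                issues.append("V-4493: %s secret is only %d bits" % (name, len(raw) * 8))
            if raw in seen:
                issues.append("V-4495: %s reuses the secret of %s" % (name, seen[raw]))
            seen.setdefault(raw, name)
        if now - st.st_mtime > MAX_AGE_SECONDS:
            issues.append("V-4480: key file is more than a year old")
        if issues:
            problems[fn] = issues
    return problems

def run_demo():
    """Constructed scenario: two clean per-peer keys plus one file that breaks every rule."""
    keydir = tempfile.mkdtemp()
    try:
        write_tsig_key(keydir, "xfer-ns2")
        write_tsig_key(keydir, "xfer-ns3")
        with open(os.path.join(keydir, "xfer-ns2.key")) as fh:
            ns2 = fh.read()
        bad = os.path.join(keydir, "xfer-ns4.key")
        short = base64.b64encode(secrets.token_bytes(16)).decode()   # 128 bits, too short
        with open(bad, "w") as fh:
            fh.write(ns2.replace('"xfer-ns2"', '"xfer-ns4"'))             # reuses ns2's secret
            fh.write('key "update-ns4" { algorithm hmac-sha1; secret "%s"; };\n' % short)
        os.chmod(bad, 0o644)                                             # group/world readable
        old = time.time() - 400 * 86400
        os.utime(bad, (old, old))                                        # 400 days old
        return audit_key_dir(keydir)
    finally:
        shutil.rmtree(keydir)

if __name__ == "__main__":
    for fn, issues in run_demo().items():
        print(fn, *issues, sep="\n  ")
```

The file's modification time stands in for the key's date of issue, so the age check only holds if the files are not rewritten in place; an operator who rotates by generating a new file with `write_tsig_key` and swapping the `include` keeps that property. Ownership is not checked here because the correct owner is site-specific (the DNS administrator account named in V-14766).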