Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-14758 | DNS4620 | SV-15515r2_rule | ECSC-1 | Medium |
Description |
---|
To prevent the possibility of a denial of service in relation to an IPv4 DNS server trying to respond to an IPv6 request, the server should be configured not to listen on any of its IPv6 interfaces unless it does contain IPv6 AAAA resource records in one of the zones. |
STIG | Date |
---|---|
BIND DNS | 2011-01-20 |
Check Text ( C-12981r2_chk ) |
---|
BIND on UNIX •Instruction: Examine the named.conf file which usually resides in the /etc directory. Perform the following command to check if IPv6 is enabled for BIND. # grep –c “listen-on-v6” named.conf This will return the number of entries found in the named.conf file. If the number is greater than zero, proceed to check if any IPv6 interfaces are configured. Execute the following to check for IPv6 interfaces. # ifconfig –a BIND on Windows •Instruction: Ask the SA the location of the named.conf. This is configured on the initial installation of ISC BIND. Right click on the file and select open with. Select notepad or wordpad to open the file. Use Ctrl+F and enter “listen-on-v6” at the prompt. If any entries are found, then check for any enabled IPv6 interfaces on the machine. Perform the following to check: -Click Start, click Control Panel, and the double-click Network Connections. -Right-click any local area connection, and then click Properties. -The display will contain, Microsoft TCP/IP Version 6 with a check next to the item if IPv6 is installed.. |
Fix Text (F-14236r1_fix) |
---|
The DNS administrator should remove the “listen-on-v6” option from the named.conf file if there are no interfaces configured in the operating system for IPv6.. |