UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

A BIND name server is not configured to accept control messages only when the control messages are cryptographically authenticated and sent from an explicitly defined list of DNS administrator workstations.


Overview

Finding ID Version Rule ID IA Controls Severity
V-4511 DNS0715 SV-4511r1_rule DCNR-1 Medium
Description
The controls statement and the associated use of the rndc or ndc commands introduces the risk that an adversary could use them to remotely control the name server without having to authenticate to the operating system on which the name server resides.
STIG Date
BIND DNS 2013-01-10

Details

Check Text ( C-3382r1_chk )
If control messages are utilized, there is to be a properly configured keys statement within the controls statement located in the named.conf.

An example of a properly configured controls statement in practice might be:

controls {
inet 127.0.0.1
allow 127.0.0.1
keys { “rndc_key” };
};

If controls messages are utilized and not cryptographically authenticated, then this is a finding.
Fix Text (F-4396r1_fix)
If control messages are utilized, the DNS software administrator should properly configure the allow and keys phrases within the controls statement located in the named.conf to properly authenticate the control messages.

rndc also has its own configuration file, rndc.conf, that has a similar syntax to the named.conf file, but is limited to the options, key, server, and include statements. An example of a minimal configuration is as follows:

key rndc_key {
algorithm hmac-md5;
secret "2njlQNnzn6HTwKLcjStUXg==";
};
options {
default-server localhost;
default-key rndc_key;