
The DNS software administrator will ensure the named.conf options statement does not include the option "listen-on-v6 { any; };" when an IPv6 interface is not configured and enabled.


Overview

Finding ID: V-14758
Version: DNS4620
Rule ID: SV-15515r1_rule
IA Controls: ECSC-1
Severity: Medium
Description
To prevent a denial of service caused by an IPv4 DNS server attempting to respond to IPv6 requests, the server should be configured not to listen on any of its IPv6 interfaces unless it serves IPv6 AAAA resource records in one of its zones.
STIG: BIND DNS STIG
Date: 2015-10-01

Details

Check Text ( C-12981r1_chk )
BIND on UNIX
• Instruction: Examine the named.conf file, which usually resides in the /etc directory. Run the following command to check whether IPv6 listening is enabled for BIND:

# grep -c "listen-on-v6" named.conf

This returns the number of matching entries in named.conf. If the number is greater than zero, check whether any IPv6 interfaces are configured by executing:

# ifconfig -a
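The two-step UNIX check above can be scripted so it is repeatable across hosts. The script below is an added example, not part of the STIG or of ISC BIND; it takes the named.conf path and a saved interface listing (`ifconfig -a` or `ip -6 addr` output) as file arguments so it can run offline against the constructed samples it creates. It goes slightly beyond the plain `grep -c` in the check text by ignoring statements that are commented out with `//` or `#`, and it assumes (this is the author's choice, not the STIG's) that any non-loopback inet6 address counts as an IPv6 interface being configured.

```shell
#!/bin/sh
# Added example for STIG V-14758 (not part of the STIG text or of BIND).
# Automates the "BIND on UNIX" check: count listen-on-v6 statements in
# named.conf, then decide whether any IPv6 interface is configured.
# On a live host pass /etc/named.conf and a capture of `ifconfig -a`.

# count_listen_on_v6 CONF
#   Prints the number of lines containing an active listen-on-v6 statement.
#   Lines commented out with // or # are stripped before counting.
count_listen_on_v6() {
    sed -e 's://.*$::' -e 's:#.*$::' "$1" | grep -c 'listen-on-v6' || true
}

# has_ipv6_interface IFOUT
#   Exit 0 if the interface listing shows an inet6 address other than the
#   loopback ::1. Assumption: any non-loopback inet6 address (including
#   link-local) means IPv6 is configured on the host.
has_ipv6_interface() {
    grep 'inet6' "$1" | grep -Ev '(^|[^0-9A-Fa-f:])::1/' | grep -q .
}

# check_listen_on_v6 CONF IFOUT
#   Applies the STIG logic. Exit 0 = not a finding, exit 1 = finding.
check_listen_on_v6() {
    n=$(count_listen_on_v6 "$1")
    if [ "$n" -eq 0 ]; then
        echo "NOT_A_FINDING: no listen-on-v6 statement in $1"
        return 0
    fi
    if has_ipv6_interface "$2"; then
        echo "NOT_A_FINDING: $n listen-on-v6 statement(s) and an IPv6 interface is configured"
        return 0
    fi
    echo "FINDING: $n listen-on-v6 statement(s) but no IPv6 interface configured; remove the option from $1"
    return 1
}

# --- Constructed sample inputs (not captured from any real system) ---
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

cat > "$SAMPLE_DIR/named.conf.v6" <<'EOF'
options {
    directory "/var/named";
    listen-on { any; };
    listen-on-v6 { any; };        // the statement the STIG is about
    // listen-on-v6 { none; };    commented out: must not be counted
};
EOF

cat > "$SAMPLE_DIR/named.conf.v4" <<'EOF'
options {
    directory "/var/named";
    listen-on { any; };
};
EOF

cat > "$SAMPLE_DIR/ifconfig.v4only" <<'EOF'
eth0      Link encap:Ethernet  HWaddr 00:00:5e:00:53:01
          inet addr:192.0.2.10  Bcast:192.0.2.255  Mask:255.255.255.0
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
EOF

cat > "$SAMPLE_DIR/ifconfig.dual" <<'EOF'
eth0      Link encap:Ethernet  HWaddr 00:00:5e:00:53:01
          inet addr:192.0.2.10  Bcast:192.0.2.255  Mask:255.255.255.0
          inet6 addr: 2001:db8::1/64 Scope:Global
lo        Link encap:Local Loopback
          inet6 addr: ::1/128 Scope:Host
EOF

# Demo run: the first case is a finding (exit 1), the other two are not.
check_listen_on_v6 "$SAMPLE_DIR/named.conf.v6" "$SAMPLE_DIR/ifconfig.v4only" || echo "(exit status $?)"
check_listen_on_v6 "$SAMPLE_DIR/named.conf.v6" "$SAMPLE_DIR/ifconfig.dual"
check_listen_on_v6 "$SAMPLE_DIR/named.conf.v4" "$SAMPLE_DIR/ifconfig.v4only"
```

The loopback filter uses an ERE that only drops `::1/` when it is not preceded by a hex digit or colon, so a global address such as `2001:db8::1/64` is still counted while the bare loopback `::1/128` is not.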

BIND on Windows

• Instruction: Ask the SA for the location of named.conf; this is set during the initial installation of ISC BIND. Right-click the file and select Open With, then choose Notepad or WordPad to open it. Press Ctrl+F and search for "listen-on-v6". If any entries are found, check for enabled IPv6 interfaces on the machine as follows:

- Click Start, click Control Panel, and then double-click Network Connections.
- Right-click any local area connection, and then click Properties.
- The list will contain "Microsoft TCP/IP Version 6" with a check mark next to it if IPv6 is installed.
Fix Text (F-14236r1_fix)
The DNS administrator should remove the "listen-on-v6" option from the named.conf file if no interfaces are configured for IPv6 in the operating system.