
A BIND name server is not configured to accept control messages only when the control messages are cryptographically authenticated and sent from an explicitly defined list of DNS administrator workstations.


Overview

Finding ID: V-4511
Version: DNS0715
Rule ID: SV-4511r2_rule
IA Controls: DCNR-1
Severity: Medium
Description
The controls statement and the associated use of the rndc or ndc commands introduce the risk that an adversary could use them to remotely control the name server without having to authenticate to the operating system on which the name server resides.
STIG: BIND DNS STIG
Date: 2015-10-01

Details

Check Text (C-3382r1_chk)
If control messages are used, there must be a properly configured keys clause within the controls statement in named.conf.

An example of a properly configured controls statement in practice might be:

controls {
    // listen only on the loopback address, accept only from the listed
    // administrator hosts, and only when the message is signed with rndc_key
    inet 127.0.0.1 allow { 127.0.0.1; } keys { "rndc_key"; };
};

If control messages are used and are not cryptographically authenticated, this is a finding.
Fix Text (F-4396r1_fix)
If control messages are used, the DNS software administrator should configure the allow and keys clauses within the controls statement in named.conf so that control messages are properly authenticated.

rndc also has its own configuration file, rndc.conf, whose syntax is similar to that of named.conf but is limited to the options, key, server, and include statements. A minimal configuration looks like this:

key rndc_key {
    algorithm hmac-md5;                   // must match the key statement named.conf uses in its controls clause
    secret "2njlQNnzn6HTwKLcjStUXg==";    // base64 secret shared with named.conf
};
options {
    default-server localhost;             // server rndc contacts when no -s is given
    default-key rndc_key;                 // key rndc signs with when no -y is given
};
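The check text above is easy to apply by hand to one server; the following script, an added example that is not part of the STIG or of BIND, applies the same test to a named.conf text: it locates each controls statement and reports an inet channel that has no keys clause, listens on every interface, allows any source, or names a key that the file neither defines nor includes. The two sample configurations and the secret are constructed placeholders, and the compliant sample uses hmac-sha256 rather than the hmac-md5 shown above because MD5-based HMACs are no longer recommended for rndc keys.

```python
import re

# Constructed named.conf samples (not from a real host) used to exercise the check.
COMPLIANT = """
key "rndc_key" { algorithm hmac-sha256; secret "PLACEHOLDER_BASE64=="; };
controls { inet 127.0.0.1 allow { 127.0.0.1; } keys { "rndc_key"; }; };
"""
NONCOMPLIANT = """
controls { inet * allow { any; }; };   // no keys clause, every interface, any source
"""
INET_RE = re.compile(r"\binet\s+(\S+)(?:\s+port\s+\d+)?\s+allow\s*\{([^}]*)\}"
                     r"(?:\s+keys\s*\{([^}]*)\})?[^;]*;")
def strip_comments(text):
    # Drop /* */, // and # comments so commented-out statements are not counted.
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(?://|#).*", "", text)

def blocks_named(text, keyword):
    # Brace-matched body of every top-level `keyword { ... }` statement.
    bodies = []
    for m in re.finditer(r"\b" + keyword + r"\s*\{", text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        bodies.append(text[m.end():i - 1])
    return bodies

def audit_controls(named_conf):
    # Returns DNS0715 findings for one named.conf; an empty list means no finding.
    text = strip_comments(named_conf)
    defined = set(re.findall(r'\bkey\s+"?([\w.-]+)"?\s*\{', text))
    has_include = re.search(r'\binclude\s+"', text) is not None
    blocks = blocks_named(text, "controls")
    if not blocks:   # BIND 9 then opens a default loopback channel keyed from rndc.key
        return ["no controls statement: default channel keyed from rndc.key is in use"]
    findings = []
    for body in blocks:
        for addr, allow, keys in INET_RE.findall(body):
            names = [k.strip().strip('"') for k in keys.split(";") if k.strip()]
            if addr == "*":
                findings.append(f"inet {addr}: listens on every interface, bind to 127.0.0.1")
            if {a.strip() for a in allow.split(";")} & {"any", "0.0.0.0/0", "::/0"}:
                findings.append(f"inet {addr}: allow list is unrestricted, list admin hosts explicitly")
            if not names:
                findings.append(f"inet {addr}: no keys clause, control messages are not authenticated")
            for name in names:
                if name not in defined and not has_include:
                    findings.append(f"inet {addr}: key {name} referenced but not defined or included")
    return findings
```

An empty controls statement (`controls { };`) disables the channel entirely and produces no finding; a file with no controls statement at all is reported so the reviewer can confirm rndc.key exists and is protected.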