The DNS Name Server software must be configured to refuse queries for its version information.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
SRG-APP-000516-DNS-000104	SRG-APP-000516-DNS-000104	SRG-APP-000516-DNS-000104_rule		Medium

Description
Each newer version of the name server software, especially the BIND software, generally is devoid of vulnerabilities found in earlier versions because it has design changes incorporated to take care of those vulnerabilities. Of course, these vulnerabilities have been exploited (i.e., some form of attack was launched), and sufficient information has been generated with respect to the nature of those exploits. Thus, it makes good business sense to run the latest version of name server software because theoretically it is the safest version. Even if the software is the latest version, it is not safe to run it in default mode. The security administrator should always configure the software to run in the recommended secure mode of operation after becoming familiar with the new security settings for the latest version. In some installations, it may not be possible to switch over to the latest version of name server software immediately. In these situations, the administrator should keep pace with vulnerabilities identified in the operational version and associated security patches To prevent information about which version of name server software is running on a system and so as to not provide attackers the knowledge of which exploits the name server is vulnerable to, the name server should refuse queries for its DNS software version.

Description

Each newer version of the name server software, especially the BIND software, generally is devoid of vulnerabilities found in earlier versions because it has design changes incorporated to take care of those vulnerabilities. Of course, these vulnerabilities have been exploited (i.e., some form of attack was launched), and sufficient information has been generated with respect to the nature of those exploits. Thus, it makes good business sense to run the latest version of name server software because theoretically it is the safest version. Even if the software is the latest version, it is not safe to run it in default mode. The security administrator should always configure the software to run in the recommended secure mode of operation after becoming familiar with the new security settings for the latest version. In some installations, it may not be possible to switch over to the latest version of name server software immediately. In these situations, the administrator should keep pace with vulnerabilities identified in the operational version and associated security patches To prevent information about which version of name server software is running on a system and so as to not provide attackers the knowledge of which exploits the name server is vulnerable to, the name server should refuse queries for its DNS software version.

STIG	Date
Domain Name System (DNS) Security Requirements Guide	2014-07-11

Details

Check Text ( C-SRG-APP-000516-DNS-000104_chk )
Review the DNS configuration files. Verify the DNS name server is explicitly configured to refuse queries asking for its version information. If the name server is not configured to explicitly refuse queries asking for its version information, this is a finding.

Fix Text (F-SRG-APP-000516-DNS-000104_fix)
Configure the name server to refuse queries for its version information.