Title

A BIND 9.x server implementation must be operating on a Current-Stable version as defined by ISC. (Cat II impact)

Discussion

Each newer version of the name server software, especially the BIND software, generally is devoid of vulnerabilities found in earlier versions because it has design changes incorporated to take care of those vulnerabilities. These vulnerabilities have been exploited (i.e., some form of attack was launched), and sufficient information has been generated with respect to the nature of those exploits. It makes good business sense to run the latest version of name server software because theoretically it is the safest version. Even if the software is the latest version, it is not safe to run it in default mode. The security administrator should always configure the software to run in the recommended secure mode of operation after becoming familiar with the new security settings for the latest version.

Check Content

Verify that the BIND 9.x server is at a version that is considered "Current-Stable" by ISC or latest supported version of BIND when BIND is installed as part of a specific vendor implementation where the vendor maintains the BIND patches. # named -v The above command should produce a version number similar to the following: BIND 9.9.4-RedHat-9.9.4-29.el7_2.3 If the server is running a version that is not listed as "Current-Stable" by ISC, this is a finding.

Fix Text

Update the BIND 9.x server to a version that is listed as "Current-Stable" by ISC or the latest supported version of BIND when BIND is installed as part of a specific vendor implementation where the vendor maintains the BIND patches.

Additional Identifiers

Rule ID: SV-272403r1068048_rule

Vulnerability ID: V-272403

Group Title: SRG-APP-000516-DNS-000103

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.