Title

A BIND 9.x implementation operating in a split DNS configuration must be approved by the organizations Authorizing Official. (Cat I impact)

Discussion

BIND 9.x has implemented an option to use "view" statements to allow for split DNS architecture to be configured on a single name server. If the split DNS architecture is improperly configured there is a risk that internal IP addresses and host names could leak into the external view of the DNS server. Allowing private IP space to leak into the public DNS system may provide a person with malicious intent the ability to footprint your network and identify potential attack targets residing on your private network.

Check Content

If the BIND 9.x name server is not configured for split DNS, this is Not Applicable. Verify that the split DNS implementation has been approved by the organizations Authorizing Official. With the assistance of the DNS administrator, obtain the Authorizing Official’s letter of approval for the split DNS implementation. If the split DNS implementation has not been approved by the organizations Authorizing Official, this is a finding.

Fix Text

Obtain approval for the split DNS implementation from the Authorizing Official.

Additional Identifiers

Rule ID: SV-207588r879887_rule

Vulnerability ID: V-207588

Group Title: SRG-APP-000516-DNS-000500

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.