Title

A BIND 9.x primary name server must limit the number of concurrent zone transfers between authorized secondary name servers. (Cat II impact)

Discussion

Limiting the number of concurrent sessions reduces the risk of denial of service (DoS) to the DNS implementation. Name servers do not have direct user connections but accept client connections for queries. Original restriction on client connections should be high enough to prevent a self-imposed DoS, after which the connections are monitored and fine-tuned to best meet the organization's specific requirements. Primary name servers also make outbound connection to secondary name servers to provide zone transfers and accept inbound connection requests from clients wishing to provide a dynamic update. Primary name servers should explicitly limit zone transfers to only be made to designated secondary name servers. Because zone transfers involve the transfer of entire zones and use TCP connections, they place substantial demands on network resources relative to normal DNS queries. Errant or malicious frequent zone transfer requests on the name servers of the enterprise can overload the primary zone server and result in DoS to legitimate users. Primary name servers should be configured to limit the hosts from which they will accept dynamic updates. Additionally, the number of concurrent clients, especially TCP clients, needs to be kept to a level that does not risk placing the system in a DoS state.

Check Content

If this is not a primary name server, this requirement is Not Applicable. Verify that the name server is configured to limit the number of zone transfers from authorized secondary name servers. Inspect the "named.conf" file for the following: server <ip_address> { transfers 2; }; If each "server" statement does not contain a "transfers" substatement, this is a finding. If the transfers value is greater than three this is a finding.

Fix Text

Edit the "named.conf" file. Add the "transfers" substatement to each "server" statement block. The value of the "transfers" option can be increased to a value no greater than three based on organizational requirements needed to support DNS operations. Restart the BIND 9.x process.

Additional Identifiers

Rule ID: SV-272364r1082285_rule

Vulnerability ID: V-272364

Group Title: SRG-APP-000001-DNS-000001

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.