Title

The platform on which the name server software is hosted must only run processes and services needed to support the BIND 9.x implementation. (Cat II impact)

Discussion

Hosts that run the name server software should not provide any other services. Unnecessary services running on the DNS server can introduce additional attack vectors leading to the compromise of an organization’s DNS architecture.

Check Content

Verify that the BIND 9.x server is dedicated for DNS traffic: With the assistance of the DNS administrator, identify all of the processes running on the BIND 9.x server: # ps -ef | less If any of the identified processes are not in support of normal OS functionality or in support of the BIND 9.x process, this is a finding.

Fix Text

Disable or uninstall all non-DNS related applications from the BIND 9.x server.

Additional Identifiers

Rule ID: SV-207534r879887_rule

Vulnerability ID: V-207534

Group Title: SRG-APP-000516-DNS-000109

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.