An error occurred:

Check: BIND-9X-002480

BIND 9.x STIG: BIND-9X-002480 (in version v3 r1)

Title

The BIND 9.x server implementation must limit the number of allowed dynamic update clients. (Cat II impact)

Discussion

Limiting the number of concurrent sessions reduces the risk of denial of service (DoS) to the DNS implementation. Name servers do not have direct user connections but accept client connections for queries. Original restriction on client connections should be high enough to prevent a self-imposed denial of service, after which the connections are monitored and fine-tuned to best meet the organization's specific requirements. Primary name servers also make outbound connections to secondary name servers to provide zone transfers and accept inbound connection requests from clients wishing to provide a dynamic update. Primary name servers should explicitly limit zone transfers to be made only to designated secondary name servers. Because zone transfers involve the transfer of entire zones and use TCP connections, they place substantial demands on network resources relative to normal DNS queries. Errant or malicious frequent zone transfer requests on the name servers of the enterprise can overload the primary zone server and result in DoS to legitimate users. Primary name servers should be configured to limit the hosts from which they will accept dynamic updates. Additionally, the number of concurrent clients, especially TCP clients, must be kept to a level that does not risk placing the system in a DoS state.

Check Content

Verify the update-quota option is present and set to an organization defined limit. Inspect the named.conf file for the following options { ... update-quota <integer>; ... }; If update-quota option is missing or limit not set, this is a finding.

Fix Text

Edit the named.conf file options { ... update-quota <integer>; ... }; After making changes, save the named.conf file and restart the BIND service to apply the changes.

Additional Identifiers

Rule ID: SV-275939r1123971_rule

Vulnerability ID: V-275939

Group Title: SRG-APP-000516-DNS-000109

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-000054

Limit the number of concurrent sessions for each organization-defined account and/or account type to an organization-defined number.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
AC-10

Concurrent Session Control