Title

On a BIND 9.x server in a split DNS configuration, where separate name servers are used between the external and internal networks, the external name server must be configured to not be reachable from inside resolvers. (Cat II impact)

Discussion

Instead of having the same set of authoritative name servers serve different types of clients, an enterprise could have two different sets of authoritative name servers. One set, called external name servers, can be located within a DMZ; these would be the only name servers that are accessible to external clients and would serve RRs pertaining to hosts with public services (web servers that serve external web pages or provide B2C services, mail servers, etc.) The other set, called internal name servers, is to be located within the firewall and should be configured so they are not reachable from outside and hence provide naming services exclusively to internal clients.

Check Content

If the BIND 9.x name server is not configured for split DNS, this is Not Applicable. Verify that the external view of the BIND 9.x server is configured to only serve external hosts. Inspect the "named.conf" file for the following: view "external" { match-clients { <ip_address> | <address_match_list>; }; }; If the "match-clients" substatement does not limit the external view to external hosts only, this is a finding.

Fix Text

Edit the "named.conf" file. Configure the external view statement to server external hosts only: view "external" { match-clients { <ip_address> | <address_match_list>; }; }; Restart the BIND 9.x process.

Additional Identifiers

Rule ID: SV-272381r1068944_rule

Vulnerability ID: V-272381

Group Title: SRG-APP-000516-DNS-000092

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.