An error occurred:

Check: BIND-9X-001220

BIND 9.x STIG: BIND-9X-001220 (in version v3 r0.1)

Title

On a BIND 9.x server for zones split between the external and internal sides of a network, the RRs for the external hosts must be separate from the RRs for the internal hosts. (Cat II impact)

Discussion

Authoritative name servers for an enterprise may be configured to receive requests from both external and internal clients. External clients need to receive RRs that pertain only to public services (public web server, mail server, etc.). Internal clients need to receive RRs pertaining to public services as well as internal hosts. The zone information that serves the RRs on both the inside and the outside of a firewall should be split into different physical files for these two types of clients (one file for external clients and one file for internal clients).

Check Content

If the BIND 9.x name server is not configured for split DNS, this is Not Applicable. Verify that the BIND 9.x server is configured to use separate views and address space for internal and external DNS operations when operating in a split configuration. Inspect the "named.conf" file for the following: view "internal" { match-clients { <ip_address> | <address_match_list> }; zone "example.com" { type Primary; file "internals.example.com"; }; }; view "external" { match-clients { <ip_address> | <address_match_list> }; zone "example.com" { type Primary; file "externals.db.example.com"; allow-transfer { Secondarys; }; }; }; If the internal and external view statements are configured to use the same zone file, this is a finding. Inspect the zone file defined in the internal and external view statements. If any resource record is listed in both the internal and external zone files, this is a finding.

Fix Text

Edit the "named.conf" file. Configure the internal and external view statements to use separate zone files. Edit the internal and external zone files. Configure the zone file to use RRs designated for internal or external use. The zone files should not share any RR.

Additional Identifiers

Rule ID: SV-272379r1067976_rule

Vulnerability ID: V-272379

Group Title: SRG-APP-000516-DNS-000091

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-000366

Implement the security configuration settings.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
CM-6

Configuration Settings