Check: BIND-9X-002440
BIND 9.x STIG, version v3 r1
Title
The BIND 9.x server implementation must have QNAME minimization set to "strict". (Cat II impact)
Discussion
QNAME minimization limits the amount of information sent in DNS queries to intermediate nameservers, improving privacy by reducing the potential for DNS leaks. It modifies the flow of DNS queries so that each query reveals only what is necessary for the current server to find the next one in the resolution chain.
Check Content
Verify QNAME minimization is set to "strict". Inspect the named.conf file for the following:

    options {
        qname-minimization strict;
    };

If qname-minimization is not set to "strict", this is a finding.
Fix Text
Edit the named.conf file so that the options block contains:

    options {
        qname-minimization strict;
    };

After making changes, save the named.conf file and restart the BIND service to apply the changes.
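The check above is easy to get wrong by hand: a `grep` for the string "qname-minimization strict" will match a commented-out line, and an absent option silently falls back to BIND's default of "relaxed", which is still a finding. The following Python script is an added example (not part of the STIG text and not BIND's own tooling) that strips all three named.conf comment styles, isolates the top-level options block by brace matching, and reports the configured value. The sample configurations are constructed for illustration; the function and variable names are the example's own. Like the STIG check text, it inspects only the global options block, so a per-view setting would need separate inspection.

```python
import re

# Values BIND 9.x accepts for qname-minimization. Anything other than
# "strict" (including an unset option, which falls back to BIND's default
# of "relaxed") is a finding under BIND-9X-002440.
VALID_VALUES = {"strict", "relaxed", "disabled", "off"}


def strip_comments(text: str) -> str:
    """Remove the three comment styles named.conf allows, so that a
    commented-out 'qname-minimization strict;' cannot pass as compliance."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)  # C-style block comments
    text = re.sub(r"//[^\n]*", "", text)                 # C++-style line comments
    text = re.sub(r"#[^\n]*", "", text)                  # shell-style line comments
    return text


def options_block(text: str) -> str:
    """Return the body of the top-level options { ... } block, or "" if absent.
    Braces are counted so nested sub-blocks such as allow-query { ... } are
    kept inside the body rather than ending it early."""
    m = re.search(r"\boptions\s*\{", text)
    if not m:
        return ""
    depth, start = 1, m.end()
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start:i]
    return text[start:]  # unterminated block: return what is there


def qname_minimization(conf: str):
    """Return the qname-minimization value (lower-cased) configured in the
    options block, or None when the option is not set there."""
    body = options_block(strip_comments(conf))
    m = re.search(r"\bqname-minimization\s+([A-Za-z]+)\s*;", body)
    return m.group(1).lower() if m else None


def check(conf: str) -> dict:
    """Evaluate BIND-9X-002440 against named.conf text: the observed value
    and whether the configuration is a finding (anything but 'strict')."""
    value = qname_minimization(conf)
    return {"value": value, "finding": value != "strict"}


# Constructed sample configurations (not taken from any real server).
COMPLIANT = """
options {
    directory "/var/named";
    qname-minimization strict;
    allow-query { localhost; };
};
"""

# Only a comment mentions the strict setting; the live value is the default.
COMMENTED_OUT = """
options {
    directory "/var/named";
    // qname-minimization strict;
    recursion yes;
};
"""

RELAXED = """
options { qname-minimization relaxed; };
"""

if __name__ == "__main__":
    samples = (("compliant", COMPLIANT), ("commented-out", COMMENTED_OUT), ("relaxed", RELAXED))
    for name, conf in samples:
        r = check(conf)
        print(f"{name:14s} value={r['value']!s:8s} finding={r['finding']}")
```

On a live server, run it against `named-checkconf -p` output rather than the raw file: that expands `include` directives and yields the configuration named actually loads.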
Additional Identifiers
Rule ID: SV-275935r1124025_rule
Vulnerability ID: V-275935
Group Title: SRG-APP-000516-DNS-000500
CCIs
| Number | Definition |
|---|---|
| CCI-000366 | Implement the security configuration settings. |
Controls
| Number | Title |
|---|---|
| CM-6 | Configuration Settings |