Check: BIND-9X-001500
BIND 9.x STIG: BIND-9X-001500 (in version v3 r1)
Title
A BIND 9.x server implementation must be operating on a Current-Stable version as defined by ISC. (Cat II impact)
Discussion
The BIND STIG was written to incorporate capabilities and features provided in BIND version 9.9.x. However, security vulnerabilities in BIND are identified and then addressed on a regular, ongoing basis. Therefore, the product must be maintained at the latest stable versions to address vulnerabilities that are subsequently identified and can then be remediated via product updates. Failure to run a version of BIND that has the capability to implement all of the required security features and provide services compliant with the DNS RFCs can have a severe impact on the security posture of a DNS infrastructure. Without the required security in place, a DNS implementation is vulnerable to many types of attacks and could be used as a launching point for further attacks on the organizational network that is using the DNS implementation.
Check Content
Verify that the BIND 9.x server is at a version that is considered "Current-Stable" by ISC or the latest supported version of BIND when BIND is installed as part of a specific vendor implementation where the vendor maintains the BIND patches.

# named -v

The above command should produce a version number similar to the following:

BIND 9.18.36-RedHat-9.9.4-29.el7_2.3

If the server is running a version that is not listed as "Current-Stable" by ISC, this is a finding.
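One way to script this check, as an added example that is not part of the STIG: the hypothetical functions below parse `named -v` output, send vendor-patched builds to review against the vendor's latest supported package, and compare ISC builds to a list of versions the operator supplies. The `LISTED` value and the sample lines are constructed placeholders, not ISC's actual Current-Stable list.

```shell
#!/bin/sh
# Added example: classify `named -v` output for check BIND-9X-001500.
# All function names are hypothetical; LISTED must be filled in by the
# auditor from ISC's published Current-Stable versions at audit time.

# Version token after "BIND ", e.g. "9.18.36-RedHat-9.9.4-29.el7_2.3".
bind_version_token() {
    printf '%s\n' "$1" | sed -n 's/^BIND \([0-9][^ ]*\).*/\1/p' | head -n 1
}

# Upstream ISC part of the token: x.y.z plus an optional -P<n>/-S<n>/-W<n> tag.
bind_upstream() {
    printf '%s\n' "$1" |
        sed -n 's/^\([0-9]\{1,\}\.[0-9]\{1,\}\.[0-9]\{1,\}\(-[PSW][0-9]\{1,\}\)\{0,1\}\).*/\1/p'
}

# $1 = output of `named -v`, $2 = space-separated versions ISC currently lists.
# Prints NOT_A_FINDING, FINDING, VENDOR_REVIEW or UNPARSED.
classify_bind() {
    token=$(bind_version_token "$1")
    upstream=$(bind_upstream "$token")
    if [ -z "$upstream" ]; then
        echo "UNPARSED"          # no version seen: check the command output by hand
        return
    fi
    rest=${token#"$upstream"}    # anything left over is a vendor build suffix
    if [ -n "$rest" ]; then
        # Vendor maintains the patches: compare the package to the vendor's
        # latest supported build instead of the ISC list.
        echo "VENDOR_REVIEW"
        return
    fi
    for v in $2; do
        if [ "$v" = "$upstream" ]; then
            echo "NOT_A_FINDING"
            return
        fi
    done
    echo "FINDING"
}

# Constructed sample lines; on a server pass "$(named -v)" instead.
LISTED="9.18.36"                 # placeholder value, not ISC's actual list
for line in "BIND 9.18.36 (Extended Support Version)" \
            "BIND 9.18.36-RedHat-9.9.4-29.el7_2.3" \
            "BIND 9.16.1"; do
    printf '%s => %s\n' "$line" "$(classify_bind "$line" "$LISTED")"
done
```

A `VENDOR_REVIEW` result is a prompt for a manual comparison against the vendor's package advisories, not a pass.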
Fix Text
Update the BIND 9.x server to a version that is listed as "Current-Stable" by ISC or the latest supported version of BIND when BIND is installed as part of a specific vendor implementation where the vendor maintains the BIND patches.
Additional Identifiers
Rule ID: SV-272403r1123995_rule
Vulnerability ID: V-272403
Group Title: SRG-APP-000516-DNS-000103
CCIs
| Number | Definition |
|---|---|
| CCI-000366 | Implement the security configuration settings. |
Controls
| Number | Title |
|---|---|
| CM-6 | Configuration Settings |