An error occurred:

Check: BIND-9X-001702

BIND 9.x STIG: BIND-9X-001702 (in version v2 r3)

Title

The BIND 9.x server implementation must prohibit the forwarding of queries to servers controlled by organizations outside of the U.S. Government. (Cat II impact)

Discussion

If remote servers to which DoD DNS servers send queries are controlled by entities outside of the U.S. Government the possibility of a DNS attack is increased. The Enterprise Recursive Service (ERS) provides the ability to apply enterprise-wide policy to all recursive DNS traffic that traverses the NIPRNet-to-Internet boundary. All recursive DNS servers on the NIPRNet must be configured to exclusively forward DNS traffic traversing NIPRNet-to-Internet boundary to the ERS anycast IPs. Organizations need to carefully configure any forwarding that is being used by their caching name servers. They should only configure "forwarding of all queries" to servers within the DoD. Systems configured to use domain-based forwarding should not forward queries for mission critical domains to any servers that are not under the control of the US Government.

Check Content

If the server is not a caching server, this is Not Applicable. This is Not Applicable to SIPR. Note: The use of the DREN Enterprise Recursive DNS (Domain Name System) servers, as mandated by the DoDIN service provider Defense Research and Engineering Network (DREN), meets the intent of this requirement. Verify that the server is configured to forward all DNS traffic to the DISA Enterprise Recursive Service (ERS) anycast IP addresses ( <IP_ADDRESS_LIST>; ): Inspect the "named.conf" file for the following: forward only; forwarders { <IP_ADDRESS_LIST>; }; If the "named.conf" options are not set to forward queries only to the ERS anycast IPs, this is a finding. Note: "<IP_ADDRESS_LIST>" should be replaced with the current ERS IP addresses.

Fix Text

Configure the BIND 9.x caching name server to utilize the DISA ERS anycast IP addresses. Edit the "named.conf" file and add the following to the global options statement: forward only; forwarders { <IP_ADDRESS_LIST>; }; Note: "<IP_ADDRESS_LIST>" should be replaced with the current ERS IP addresses. Restart the BIND 9.x process.

Additional Identifiers

Rule ID: SV-207601r951092_rule

Vulnerability ID: V-207601

Group Title: SRG-APP-000516-DNS-000500

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-000366

The organization implements the security configuration settings.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
CM-6

Configuration Settings