Title

On the BIND 9.x server the IP address for hidden primary authoritative name servers must not appear in the name servers set in the zone database. (Cat II impact)

Discussion

A hidden primary authoritative server is an authoritative DNS server whose IP address does not appear in the name server set for a zone. All of the name servers that do appear in the zone database as designated name servers get their zone data from the hidden primary via a zone transfer request. In effect, all visible name servers are actually secondary servers. This prevents potential attackers from targeting the primary name server because its IP address may not appear in the zone database.

Check Content

If the BIND 9.x name server is not configured for split DNS, this is Not Applicable. With the assistance of the DNS administrator, identify if the BIND 9.x implementation is using a hidden primary name server. If it is not, this is Not Applicable. In a split DNS configuration that is using a hidden primary name server, verify that the name server IP address is not listed in the zone file. With the assistance of the DNS administrator, obtain the IP address of the hidden primary name server. Inspect each zone file used by the hidden primary name server and its secondary zones. If the IP address for the hidden primary name server is listed in any of the zone files, this is a finding.

Fix Text

Edit the zone file(s). Remove all references to the hidden primary name server. Restart the BIND 9.x process.

Additional Identifiers

Rule ID: SV-272383r1067988_rule

Vulnerability ID: V-272383

Group Title: SRG-APP-000516-DNS-000108

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.