Check: BIND-9X-002470
BIND 9.x STIG:
BIND-9X-002470
(in version v3 r1)
Title
The host running a BIND 9.x implementation must have DNS cookies enabled. (Cat II impact)
Discussion
DNS cookies can help prevent spoofing and cache poisoning attacks by verifying the identity of both the client and server. They do this by including a cryptographic identifier (the cookie) in DNS messages, which can be verified in future messages. This makes it difficult for an attacker to learn the cookie values and thus spoof them.
Check Content
Verify answer-cookie is enabled. Inspect the named.conf file for the following:

options { answer-cookie yes;

If answer-cookie is missing or set to "no", this is a finding.
Fix Text
Edit the named.conf file:

options { answer-cookie yes; };

After making changes, save the named.conf file and restart the BIND service to apply the changes.
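As an added example that is not part of the STIG text, the following POSIX shell function automates the check above against a named.conf: it strips // and # comments, finds the answer-cookie statement wherever it sits inside options, and reports a finding when the option is missing or disabled. The file names and sample configurations are constructed for the demo; /* */ comments and include files are not handled.

```shell
#!/bin/sh
# Audit a named.conf for STIG BIND-9X-002470 (answer-cookie must be yes).
# Returns 0 when compliant, 1 when this is a finding, 2 when the file is unreadable.
check_answer_cookie() {
    conf="$1"
    [ -r "$conf" ] || { echo "ERROR: cannot read $conf"; return 2; }
    # Drop // and # comments, split statements on ';', keep the last
    # answer-cookie statement (later statements win in BIND's parser).
    value=$(sed -e 's|//.*$||' -e 's|#.*$||' "$conf" | tr ';' '\n' \
        | grep -Eo 'answer-cookie[[:space:]]+(yes|no|true|false|1|0)' \
        | tail -n 1 | awk '{print $2}')
    case "$value" in
        yes|true|1)
            echo "PASS: answer-cookie enabled in $conf"; return 0 ;;
        no|false|0)
            echo "FINDING: answer-cookie explicitly disabled in $conf"; return 1 ;;
        *)
            echo "FINDING: answer-cookie not set in $conf"; return 1 ;;
    esac
}

# Demo on constructed sample files (not a real server's configuration).
demo_dir=$(mktemp -d)
printf 'options {\n  directory "/var/named";\n  answer-cookie yes;  // BIND-9X-002470\n};\n' \
    > "$demo_dir/compliant.conf"
printf 'options {\n  recursion no;\n  answer-cookie no;\n};\n' \
    > "$demo_dir/finding.conf"
printf '// answer-cookie yes;\noptions {\n  recursion no;\n};\n' \
    > "$demo_dir/missing.conf"
for f in "$demo_dir"/*.conf; do
    check_answer_cookie "$f" || true
done
```

On a real host, run the function against the output of `named-checkconf -p` instead of the raw file so that include files and comment forms are resolved by BIND's own parser.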
Additional Identifiers
Rule ID: SV-275938r1123968_rule
Vulnerability ID: V-275938
Group Title: SRG-APP-000516-DNS-000109
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-000366 | Implement the security configuration settings. |
Controls
| Number | Title |
|---|---|
| CM-6 | Configuration Settings |