Title

The BIND 9.x server implementation must have fetches-per-zone enabled. (Cat II impact)

Discussion

The fetches-per-zone option in BIND 9.x is a configuration parameter that controls the maximum number of simultaneous iterative queries a recursive resolver can send to a single authoritative server for a specific domain. This helps protect authoritative servers from being overwhelmed by queries, especially during a denial-of-service (DoS) attack.

Check Content

Verify fetches-per-zone is enabled with an organization-defined number. Inspect the named.conf file for the following: options { fetches-per-zone <integer> drop ; If fetches-per-zone is not enabled and set to drop, this is a finding.

Fix Text

Modify the BIND configuration file (/etc/named.conf ). Add the fetches-per-zone option to the options section of the configuration file: fetches-per-zone <integer> drop; After making changes, reload or restart BIND to apply the new settings.

Additional Identifiers

Rule ID: SV-275936r1124069_rule

Vulnerability ID: V-275936

Group Title: SRG-APP-000516-DNS-000109

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.