Title

A BIND 9.x implementation operating in a split DNS configuration must be approved by the organization's authorizing official (AO). (Cat II impact)

Discussion

BIND 9.x has implemented an option to use "view" statements to allow for split DNS architecture to be configured on a single name server. If the split DNS architecture is improperly configured, there is a risk that internal IP addresses and host names could leak into the external view of the DNS server. Allowing private IP space to leak into the public DNS system may provide a person with malicious intent the ability to footprint the network and identify potential attack targets residing on the private network.

Check Content

If the BIND 9.x name server is not configured for split DNS, this is Not Applicable. Verify that the split DNS implementation has been approved by the organizations AO. With the assistance of the DNS administrator, obtain the AO's letter of approval for the split DNS implementation. If the split DNS implementation has not been approved by the organizations AO, this is a finding.

Fix Text

Obtain approval for the split DNS implementation from the AO.

Additional Identifiers

Rule ID: SV-272382r1068269_rule

Vulnerability ID: V-272382

Group Title: SRG-APP-000516-DNS-000500

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.