Check: BIND-9X-002460
BIND 9.x STIG: BIND-9X-002460 (in version v3 r1)
Title
The BIND 9.x server implementation must have fetches-per-server enabled. (Cat II impact)
Discussion
The fetches-per-server option in BIND 9.x configures a limit on the number of simultaneous outstanding recursive queries (fetches) that the resolver will send to any single remote DNS server. This rate-limiting mechanism helps protect the BIND 9.x server from being overwhelmed by excessive requests to a specific server, particularly when that server is slow or unresponsive.
Check Content
Verify fetches-per-server is enabled with an organization-defined number. Inspect the named.conf file for the following:

    options {
        fetches-per-server <integer> drop;
    };

If fetches-per-server is not enabled and set to drop, this is a finding.
Fix Text
Modify the BIND configuration file (/etc/named.conf). Add the fetches-per-server option to the "options" section of the configuration file:

    fetches-per-server <integer> drop;

After making changes, reload or restart BIND to apply the new settings.
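The check and fix above can be automated. The following POSIX shell script is an added example, not part of the STIG or of BIND itself; the named.conf samples it inspects are constructed inline, and it assumes only "//" and "#" line comments need to be stripped before matching.

```shell
#!/bin/sh
# Added example, not DISA or ISC code: automate the BIND-9X-002460 check.
# Assumption/limitation: only "//" and "#" line comments are stripped. On a
# live host, run it against the output of "named-checkconf -p /etc/named.conf"
# so that included files are resolved and comments are already removed.

# Return 0 when the config sets "fetches-per-server <integer> drop;",
# 1 when the option is absent or uses another action (e.g. "fail").
check_fetches_per_server() {
    setting=$(sed -e 's|//.*$||' -e 's|#.*$||' "$1" \
        | grep -Eo 'fetches-per-server[[:space:]]+[0-9]+([[:space:]]+(drop|fail))?[[:space:]]*;' \
        | head -n 1)
    if [ -z "$setting" ]; then
        echo "FINDING ($1): fetches-per-server is not set"
        return 1
    fi
    case "$setting" in
        *drop*) echo "PASS ($1): $setting"; return 0 ;;
        *)      echo "FINDING ($1): $setting (action is not drop)"; return 1 ;;
    esac
}

# Constructed sample configurations (not taken from any real system).
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/compliant.conf" <<'EOF'
options {
    directory "/var/named";
    recursion yes;
    fetches-per-server 500 drop;   // organization-defined limit
};
EOF
cat > "$SAMPLES/finding.conf" <<'EOF'
options {
    directory "/var/named";
    # fetches-per-server 500 drop;   <- commented out, so it does not count
    fetches-per-server 500 fail;    # wrong action: the STIG requires "drop"
};
EOF

# Stand-alone demonstration: one PASS line and one FINDING line.
for conf in "$SAMPLES/compliant.conf" "$SAMPLES/finding.conf"; do
    check_fetches_per_server "$conf" || :
done
```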
Additional Identifiers
Rule ID: SV-275937r1123965_rule
Vulnerability ID: V-275937
Group Title: SRG-APP-000516-DNS-000109
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-000366 | Implement the security configuration settings. |
Controls
| Number | Title |
|---|---|
| CM-6 | Configuration Settings |