An error occurred:

Check: BIND-9X-001230

BIND 9.x STIG: BIND-9X-001230 (in version v3 r0.1)

Title

On a BIND 9.x server in a split DNS configuration, where separate name servers are used between the external and internal networks, the internal name server must be configured to not be reachable from outside resolvers. (Cat II impact)

Discussion

Instead of having the same set of authoritative name servers serve different types of clients, an enterprise could have two different sets of authoritative name servers. One set, called external name servers, can be located within a DMZ. These would be the only name servers that are accessible to external clients and would serve RRs pertaining to hosts with public services (web servers that serve external web pages or provide B2C services, mail servers, etc.). The other set, called internal name servers, must be located within the firewall. They should be configured so they are not reachable from outside and therefore provide naming services exclusively to internal clients.

Check Content

If the BIND 9.x name server is not configured for split DNS, this is Not Applicable. Verify that the BIND 9.x server is configured to use the "match-clients" sub statement to limit the reach of the internal view from the external view. Inspect the "named.conf" file for the following: view "internal" { match-clients { <ip_address> | <address_match_list>; }; }; If the "match-clients" sub statement is missing for the internal view, this is a finding. If the "match-clients" sub statement for the internal view does not limit the view to authorized hosts, this is a finding. If any of the IP addresses defined for the "match-clients" substatement in the internal view are assigned to external hosts, this is a finding.

Fix Text

Edit the "named.conf" file. Configure the internal view statement to limit use authorized internal hosts: view "internal" { match-clients { <ip_address> | <address_match_list>; }; }; Remove any IP address that is assigned to an external host from the internal view statement. Restart the BIND 9.x process.

Additional Identifiers

Rule ID: SV-272380r1082248_rule

Vulnerability ID: V-272380

Group Title: SRG-APP-000516-DNS-000093

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-000366

Implement the security configuration settings.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
CM-6

Configuration Settings