Check: DNS0460
BIND DNS STIG:
DNS0460
(in version v4 r1.2)
Title
A zone master server does not limit zone transfers to a list of active slave name servers authoritative for that zone. (Cat II impact)
Discussion
The risk to the master in this situation, is that it would honor a request from a host that is not an authorized slave, but rather an adversary seeking information about the zone. To protect against this possibility, the master must first have knowledge of what machines are authorized slaves.
Check Content
BIND Instruction: This check is only applicable to zone master servers. If there are no allow-transfer phrases within named.conf, then this is a finding. If there are allow-transfer phrases, then check that there is one corresponding to each of the zone partners. If this is not the case, then this is also a finding. If there are allow-transfer phrases for servers other than those supplied, then there may be a finding associated with the incompleteness of the list.

If the key statement references a file, then no other key statement should reference the same file. If the key statement includes a character representation of the key itself (an improper configuration), then no other key statement should include the same character string.

On the master name server, this is an example of a configured allow-transfer phrase:

```
zone "disa.mil" {
    type master;
    file "db.disa.mil";
    allow-transfer { 10.10.10.1; key ns1.kalamazoo.disa.mil_ns2.kalamazoo.disa.mil.; };
};
```

Windows 2000/2003 DNS: This check only applies to Windows DNS zones not integrated with Active Directory. From the DNS management console snap-in, expand the Forward Lookup Zones branch, select the zone you want to configure, right-click it and select Properties. Select the Zone Transfer tab. If "Allow zone transfers:" is checked, "Only to the following servers" must also be checked. The reviewer must validate the name servers listed. If this is not the case, then this is a finding.
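The BIND part of this check can be pre-screened with a small script. The following is an added example, not DISA's or ISC's code: it walks a named.conf text with brace matching, lists master zones that carry no allow-transfer phrase, and lists key statements that repeat the same inline secret string (the "character representation" case above; keys pulled in from files are not covered). The named.conf content is constructed for the demo, and the parser assumes any include files have already been merged into the text.

```python
"""DNS0460 audit helper: master zones without allow-transfer, and key
statements sharing one secret. Added example; brace-matching parser over
a merged named.conf text (constructed sample below)."""
import re
from collections import defaultdict

# Constructed sample: one master zone limits transfers by address and TSIG
# key, one limits nothing, and two key statements share the same secret.
NAMED_CONF = """
key "ns1-ns2." { algorithm hmac-sha256; secret "c2VjcmV0MQ=="; };
key "ns1-ns3." { algorithm hmac-sha256; secret "c2VjcmV0MQ=="; };
zone "example.test" { type master; file "db.example.test";
    allow-transfer { 10.10.10.1; key "ns1-ns2."; }; };
zone "other.test" { type master; file "db.other.test"; };
zone "cache.test" { type slave; file "db.cache.test"; masters { 10.10.10.9; }; };
"""

HEADER_RE = re.compile(r'\b(zone|key)\s+"?([^"\s{]+)"?\s*\{')

def top_level_blocks(conf):
    """Return (keyword, name, body) for each top-level zone/key statement,
    skipping nested braces so a 'key' inside allow-transfer is not a block."""
    blocks, pos = [], 0
    while (m := HEADER_RE.search(conf, pos)):
        depth, j = 1, m.end()
        while depth and j < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[j], 0)
            j += 1
        blocks.append((m.group(1), m.group(2), conf[m.end():j - 1]))
        pos = j
    return blocks

def unrestricted_master_zones(conf):
    """Master zones with no allow-transfer phrase: a DNS0460 finding each."""
    return [name for kw, name, body in top_level_blocks(conf)
            if kw == "zone" and re.search(r"\btype\s+master\s*;", body)
            and "allow-transfer" not in body]

def keys_sharing_a_secret(conf):
    """Map each secret string used by more than one key statement to the
    key names using it (an improper configuration per the check)."""
    by_secret = defaultdict(list)
    for kw, name, body in top_level_blocks(conf):
        m = re.search(r'\bsecret\s+"([^"]+)"', body) if kw == "key" else None
        if m:
            by_secret[m.group(1)].append(name)
    return {s: names for s, names in by_secret.items() if len(names) > 1}
```

Run it against the real file by replacing NAMED_CONF with the file's contents; each returned zone or key group is a candidate finding to confirm by hand against the list of authorized slaves.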
Fix Text
The DNS software administrator should configure each zone master server to limit zone transfers to a list of active slaves authoritative for that zone. Configuration details may be found in the DNS STIG Section 4.2.8.
Additional Identifiers
Rule ID: SV-4483r2_rule
Vulnerability ID: V-4483
Group Title:
Expert Comments
CCIs
| Number | Definition |
|---|---|
| No CCIs are assigned to this check | |
Controls
| Number | Title |
|---|---|
| No controls are assigned to this check | |