Check: DNS5000
BIND DNS STIG:
DNS5000
(in version v4 r1.2)
Title
DNS BIND version must be 9.x or later (Cat I impact)
Discussion
Failure to run a version of BIND that can implement all of the required security features and that provides services compliant with the DNS RFCs can have a severe impact on the security posture of a DNS infrastructure. Without the required security in place, a DNS implementation is vulnerable to many types of attacks and could be used as a launching point for further attacks on the organizational network that uses the DNS implementation.
Check Content
Verify that the BIND DNS server is at a version that is considered "Current-Stable" by ISC:

    # named -v

The above command should produce a version number similar to the following:

    BIND 9.9.4-RedHat-9.9.4-29.el7_2.3

If the server is running a version that is not listed as 9.x or higher, this is a finding.
Fix Text
Update the BIND DNS server to version 9.x or higher.
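The following POSIX shell script is an added example for automating this check; it is not part of the STIG text or of BIND. It parses the first line of `named -v` output (the sample strings below are constructed, apart from the one quoted in the check) and reports a finding when no BIND version is found or the major version is below 9. It tests only the 9.x threshold the fix text specifies; whether a given 9.x release is still "Current-Stable" must be confirmed against ISC's release list.

```shell
#!/bin/sh
# Added example for the DNS5000 check (not from the STIG or from ISC).
# Assumes `named` is on PATH only when run with --live on a real host.

# Print "MAJOR.MINOR" from a `named -v` line such as
#   "BIND 9.9.4-RedHat-9.9.4-29.el7_2.3"
# Prints nothing when the text does not start with a BIND version.
bind_version_from_output() {
    printf '%s\n' "$1" \
        | sed -n 's/^BIND \([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1.\2/p' \
        | head -n 1
}

# Return 0 when the major version is 9 or higher, 1 otherwise
# (including when no version could be parsed at all).
dns5000_compliant() {
    ver=$(bind_version_from_output "$1")
    [ -n "$ver" ] || return 1
    major=${ver%%.*}
    [ "$major" -ge 9 ]
}

# Map the result onto the STIG's own wording.
dns5000_verdict() {
    if dns5000_compliant "$1"; then
        echo "PASS"
    else
        echo "FINDING"
    fi
}

# Constructed sample outputs (SAMPLE_OK is the string quoted in the check).
SAMPLE_OK='BIND 9.9.4-RedHat-9.9.4-29.el7_2.3'
SAMPLE_OLD='BIND 8.4.7'
SAMPLE_MISSING='sh: named: command not found'

# Run against the live server with: ./dns5000.sh --live
if [ "${1:-}" = "--live" ]; then
    dns5000_verdict "$(named -v 2>&1 | head -n 1)"
fi
```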
Additional Identifiers
Rule ID: SV-89329r1_rule
Vulnerability ID: V-74655
Group Title:
Expert Comments
CCIs
| Number | Definition |
|---|---|
| No CCIs are assigned to this check | |
Controls
| Number | Title |
|---|---|
| No controls are assigned to this check | |