Check: DNS0715
BIND DNS STIG: DNS0715 (in version v4 r1.2)
Title
A BIND name server is not configured to accept control messages only when the control messages are cryptographically authenticated and sent from an explicitly defined list of DNS administrator workstations. (Cat II impact)
Discussion
The controls statement and the associated use of the rndc or ndc commands introduce the risk that an adversary could use them to remotely control the name server without having to authenticate to the operating system on which the name server resides.
Check Content
If control messages are utilized, there must be a properly configured keys statement within the controls statement located in named.conf. An example of a properly configured controls statement is: controls { inet 127.0.0.1 allow { 127.0.0.1; } keys { "rndc_key"; }; }; If control messages are utilized and not cryptographically authenticated, then this is a finding.
Fix Text
If control messages are utilized, the DNS software administrator should properly configure the allow and keys phrases within the controls statement located in named.conf so that control messages are authenticated. rndc also has its own configuration file, rndc.conf, which has a syntax similar to named.conf but is limited to the options, key, server, and include statements. An example of a minimal rndc.conf is as follows: key rndc_key { algorithm hmac-md5; secret "2njlQNnzn6HTwKLcjStUXg=="; }; options { default-server localhost; default-key rndc_key; };
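To turn the Check Content and Fix Text above into something a reviewer can run against a configuration file, the following Python checker (an added example for this page, not part of the STIG or of BIND) extracts the controls statement from a named.conf and reports DNS0715 findings. The sample configurations are constructed, and names such as assess_controls and the administrator host 192.0.2.10 are assumptions. It reports a finding when an inet control channel has no keys clause (unauthenticated rndc) or its allow list is missing or contains a wildcard such as any, which covers both halves of the check title: cryptographic authentication and an explicitly defined list of administrator hosts.

```python
"""Assess a BIND named.conf 'controls' statement against STIG DNS0715.

Added example, not part of the STIG text or of BIND. It flags control channels
that lack a keys clause (unauthenticated rndc) or whose allow list is not an
explicit set of administrator hosts. All sample configurations are constructed.
"""
import re
from typing import Dict, List, Optional

# --- constructed sample named.conf fragments (assumptions, not from the page) ---
COMPLIANT = '''
controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; 192.0.2.10; } keys { "rndc_key"; };
};
'''
NO_KEYS = '''
controls {
    inet 127.0.0.1 allow { 127.0.0.1; };   // no keys clause: rndc is unauthenticated
};
'''
OPEN_ALLOW = '''
controls {
    inet * allow { any; } keys { "rndc_key"; };   # authenticated, but any host may try
};
'''
NO_CONTROLS = '''
options { directory "/var/named"; };
'''

# named.conf supports /* */, // and # comments; strip them before matching.
COMMENT_RE = re.compile(r'/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)
# One inet control channel. 'allow' and 'keys' are optional in the regex so that
# their absence is reported rather than silently skipped.
INET_RE = re.compile(
    r'\binet\s+(?P<listen>\S+)'
    r'(?:\s+port\s+\d+)?'
    r'(?:\s+allow\s*\{(?P<allow>[^}]*)\})?'
    r'(?:\s*keys\s*\{(?P<keys>[^}]*)\})?'
    r'[^;]*;', re.S)
# Address-match-list entries that admit every host rather than an explicit list.
WILDCARD_ACLS = {"any", "0.0.0.0/0", "::/0"}


def extract_block(text: str, keyword: str) -> Optional[str]:
    """Return the body between the braces of `keyword { ... };`, honouring nesting."""
    m = re.search(r'\b' + keyword + r'\s*\{', text)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(text) and depth:
        if text[i] == '{':
            depth += 1
        elif text[i] == '}':
            depth -= 1
        i += 1
    return text[m.end():i - 1]


def _items(clause: Optional[str]) -> List[str]:
    """Split a '{ a; b; }' body into its bare items, dropping surrounding quotes."""
    return [x.strip().strip('"') for x in (clause or '').split(';') if x.strip()]


def assess_controls(named_conf: str) -> Dict:
    """Return {'finding': bool, 'channels': [...], 'reasons': [...]} for DNS0715."""
    text = COMMENT_RE.sub('', named_conf)
    result: Dict = {"finding": False, "channels": [], "reasons": []}
    body = extract_block(text, 'controls')
    if body is None:
        # No controls statement in this file: control messages are not configured here.
        # BIND may still open a default loopback channel if rndc.key exists; verify that separately.
        result["reasons"].append("no controls statement; confirm no default rndc channel is in use")
        return result
    for m in INET_RE.finditer(body):
        chan = {"listen": m.group('listen'),
                "allow": _items(m.group('allow')),
                "keys": _items(m.group('keys'))}
        if not chan["keys"]:
            result["finding"] = True
            result["reasons"].append(
                f"inet {chan['listen']}: no keys clause, control messages are not authenticated")
        if not chan["allow"] or any(a.lower() in WILDCARD_ACLS for a in chan["allow"]):
            result["finding"] = True
            result["reasons"].append(
                f"inet {chan['listen']}: allow list {chan['allow']} is not an explicit administrator host list")
        result["channels"].append(chan)
    return result


if __name__ == "__main__":
    for name, conf in [("compliant", COMPLIANT), ("no_keys", NO_KEYS),
                       ("open_allow", OPEN_ALLOW), ("no_controls", NO_CONTROLS)]:
        r = assess_controls(conf)
        print(f"{name}: finding={r['finding']} {r['reasons']}")
```

The checker is regex based and only inspects inet channels; unix-socket control channels and rndc.conf itself are not examined, and named-checkconf remains the authoritative syntax check for the file. When generating the key for the keys clause, prefer hmac-sha256 over the hmac-md5 shown in the Fix Text; the STIG example is reproduced as written, but MD5-based HMACs are not what current BIND tooling generates by default.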
Additional Identifiers
Rule ID: SV-4511r2_rule
Vulnerability ID: V-4511
Group Title:
Expert Comments
CCIs
| Number | Definition |
|---|---|
| No CCIs are assigned to this check | |
Controls
| Number | Title |
|---|---|
| No controls are assigned to this check | |