Check: DNS4620
BIND DNS STIG:
DNS4620
(in version v4 r1.2)
Title
The DNS software administrator will ensure the named.conf options statement does not include the option "listen-on-v6 { any; };" when an IPv6 interface is not configured and enabled. (Cat II impact)
Discussion
To prevent a denial of service caused by an IPv4-only DNS server attempting to answer IPv6 requests, the server should be configured not to listen on any of its IPv6 interfaces unless it actually serves IPv6 (AAAA) resource records in one of its zones.
Check Content
BIND on UNIX
• Instruction: Examine the named.conf file, which usually resides in the /etc directory. Run the following command to check whether IPv6 listening is enabled for BIND:

# grep -c "listen-on-v6" named.conf

This returns the number of matching lines in named.conf (note that grep -c also counts commented-out statements, so open the file to confirm the option is active). If the number is greater than zero, check whether any IPv6 interfaces are configured:

# ifconfig -a

BIND on Windows
• Instruction: Ask the SA for the location of named.conf; this is set during the initial installation of ISC BIND. Right-click the file, select Open With, and open it in Notepad or WordPad. Press Ctrl+F and search for "listen-on-v6". If any entries are found, check for enabled IPv6 interfaces on the machine:
- Click Start, click Control Panel, and then double-click Network Connections.
- Right-click any local area connection, and then click Properties.
- The list will contain "Microsoft TCP/IP Version 6" with a check mark next to it if IPv6 is installed.
Fix Text
The DNS administrator should remove the "listen-on-v6" option from the named.conf file if no IPv6 interfaces are configured in the operating system, then reload BIND so the change takes effect.
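The POSIX shell script below automates the UNIX check content and the fix text above. It is an added example, not part of the STIG or of ISC BIND. It assumes that named.conf line comments are "//" and "#", that interface state comes from the output of "ip -6 addr" (falling back to "ifconfig -a"), and that loopback (::1) and link-local (fe80::/10) addresses do not count as a configured IPv6 interface, since the kernel assigns those automatically; the sample named.conf and interface listings embedded in it are constructed for the demonstration.

```shell
#!/bin/sh
# DNS4620 helper: added example, not part of the STIG or of ISC BIND.
# Assumptions (not from the STIG): line comments are "//" and "#" only;
# ::1 and fe80::/10 addresses do not count as a configured IPv6 interface.

# Count active listen-on-v6 statements in a named.conf (comments stripped).
count_listen_on_v6() {
    sed -e 's|//.*$||' -e 's|#.*$||' "$1" | grep -c 'listen-on-v6' || true
}

# Read `ip -6 addr` or `ifconfig -a` output on stdin; succeed if any inet6
# address other than ::1 or fe80::/10 is present.
ipv6_interfaces_configured() {
    awk '/inet6/ {
            for (i = 1; i <= NF; i++) if ($i == "inet6") {
                a = $(i + 1); if (a == "addr:") a = $(i + 2)
                sub(/\/.*/, "", a); print a
            }
        }' | grep -Eiv '^(::1$|fe80:)' | grep -q .
}

# Combine both checks. $1 = named.conf path, interface listing on stdin.
dns4620_status() {
    [ -r "$1" ] || { echo "ERROR: cannot read $1"; return 2; }
    n=$(count_listen_on_v6 "$1")
    if [ "$n" -eq 0 ]; then
        echo "NOT_A_FINDING: no listen-on-v6 statement in $1"
    elif ipv6_interfaces_configured; then
        echo "NOT_A_FINDING: $n listen-on-v6 statement(s), IPv6 interface configured"
    else
        echo "OPEN: $n listen-on-v6 statement(s) but no IPv6 interface configured"
    fi
}

# Fix: drop every active listen-on-v6 statement (single- or multi-line)
# from $1, keeping the original at $1.bak. Reload BIND afterwards.
remove_listen_on_v6() {
    cp "$1" "$1.bak"
    awk '{ code = $0; sub(/\/\/.*$/, "", code); sub(/#.*$/, "", code) }
         code ~ /listen-on-v6/ { skip = 1 }
         skip { if (code ~ /}[[:space:]]*;/) skip = 0; next }
         { print }' "$1.bak" > "$1"
}

# Constructed sample named.conf carrying the weak option (assumed content).
write_sample_conf() {
    cat > "$1" <<'EOF'
options {
    directory "/var/named";
    listen-on port 53 { 192.0.2.53; };
    listen-on-v6 { any; };   // DNS4620: remove unless an IPv6 interface exists
    recursion no;
};
EOF
}

# Constructed interface listings in `ip -6 addr` format (assumed).
LINK_LOCAL_ONLY='1: lo: <LOOPBACK,UP>
    inet6 ::1/128 scope host
2: eth0: <BROADCAST,MULTICAST,UP>
    inet6 fe80::5054:ff:fe12:3456/64 scope link'
WITH_GLOBAL="$LINK_LOCAL_ONLY
    inet6 2001:db8::53/64 scope global"

main() {
    if [ "$#" -gt 0 ]; then
        # Live check: real named.conf path in $1, this host's interfaces.
        { ip -6 addr 2>/dev/null || ifconfig -a; } | dns4620_status "$1"
    else
        # Demo on the constructed sample: open, then compliant after the fix.
        tmp=$(mktemp); write_sample_conf "$tmp"
        printf '%s\n' "$LINK_LOCAL_ONLY" | dns4620_status "$tmp"
        printf '%s\n' "$WITH_GLOBAL"     | dns4620_status "$tmp"
        remove_listen_on_v6 "$tmp"
        printf '%s\n' "$LINK_LOCAL_ONLY" | dns4620_status "$tmp"
        rm -f "$tmp" "$tmp.bak"
    fi
}
main "$@"
```

Run it with no arguments to see the constructed sample go from OPEN to NOT_A_FINDING, or as "sh dns4620_check.sh /etc/named.conf" to check a live server. Excluding link-local and loopback addresses is deliberate: nearly every modern host shows an fe80:: address in "ifconfig -a", so counting it would make the check never open a finding.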
Additional Identifiers
Rule ID: SV-15515r1_rule
Vulnerability ID: V-14758
Group Title:
Expert Comments
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |