CIS BIND DNS v1.0.0 L1 Authoritative Name Server

Audit Details

Name: CIS BIND DNS v1.0.0 L1 Authoritative Name Server

Updated: 6/17/2024

Authority: CIS

Plugin: Unix

Revision: 1.8

Estimated Item Count: 55

File Details

Filename: CIS_ISC_BIND_DNS_Server_9.11_Benchmark_v1.0.0_L1_Authoritative.audit

Size: 128 kB

MD5: ea890048c93198c41b7350c8ecdf31f0

SHA256: 7a49c24765945fcf8b3e515be8f2165bf05e8d4f7ee2cf54d3d77389a811a40c

Audit Items

Description	Categories
1.1 Use a Split-Horizon Architecture	SYSTEM AND COMMUNICATIONS PROTECTION
1.2 Do Not Install a Multi-Use System - chkconfig	CONFIGURATION MANAGEMENT
1.2 Do Not Install a Multi-Use System - systemctl	CONFIGURATION MANAGEMENT
1.3 Dedicated Name Server Role	CONFIGURATION MANAGEMENT
1.5 Installing ISC BIND 9 - bind9 installation	CONFIGURATION MANAGEMENT
1.5 Installing ISC BIND 9 - named location	CONFIGURATION MANAGEMENT
2.1 Run BIND as a non-root User - process -u named	ACCESS CONTROL
2.1 Run BIND as a non-root User - UID	ACCESS CONTROL
2.2 Give the BIND User Account an Invalid Shell	ACCESS CONTROL
2.3 Lock the BIND User Account	ACCESS CONTROL
2.4 Set root Ownership of BIND Directories	ACCESS CONTROL
2.5 Set root Ownership of BIND Configuration Files	ACCESS CONTROL
2.6 Set Group named or root for BIND Directories and Files	ACCESS CONTROL
2.7 Set Group Read-Only for BIND Files and Non-Runtime Directories - directories	ACCESS CONTROL
2.7 Set Group Read-Only for BIND Files and Non-Runtime Directories - files	ACCESS CONTROL
2.8 Set Other Permissions Read-Only for All BIND Directories and Files - directories	ACCESS CONTROL
2.8 Set Other Permissions Read-Only for All BIND Directories and Files - files	ACCESS CONTROL
3.1 Ignore Erroneous or Unwanted Queries - Link local addresses	CONFIGURATION MANAGEMENT
3.1 Ignore Erroneous or Unwanted Queries - Multicast addresses	CONFIGURATION MANAGEMENT
3.1 Ignore Erroneous or Unwanted Queries - RFC 1918 10/8; addresses	CONFIGURATION MANAGEMENT
3.1 Ignore Erroneous or Unwanted Queries - RFC 1918 172.16/12; addresses	CONFIGURATION MANAGEMENT
3.1 Ignore Erroneous or Unwanted Queries - RFC 1918 192.168/16; addresses	CONFIGURATION MANAGEMENT
3.2 Restrict Recursive Queries - Authoritative Name Server	SYSTEM AND INFORMATION INTEGRITY
3.3 Restrict Query Origins	ACCESS CONTROL
3.4 Restrict Queries of the Cache - Authoritative Only	CONFIGURATION MANAGEMENT
4.1 Use TSIG Keys 256 Bits in Length	SYSTEM AND COMMUNICATIONS PROTECTION
4.2 Include Cryptographic Key Files	SYSTEM AND COMMUNICATIONS PROTECTION
4.3 Use Unique Keys for Each Pair of Hosts - unique keys	SYSTEM AND COMMUNICATIONS PROTECTION
4.3 Use Unique Keys for Each Pair of Hosts - unique secret	SYSTEM AND COMMUNICATIONS PROTECTION
4.4 Restrict Access to All Key Files - group root/named	ACCESS CONTROL
4.4 Restrict Access to All Key Files - permissions	ACCESS CONTROL
4.4 Restrict Access to All Key Files - user root/named	ACCESS CONTROL
4.5 Protect TSIG Key Files During Deployment	SYSTEM AND COMMUNICATIONS PROTECTION
5.2 Securely Authenticate Dynamic Updates - allow-update none or localhost	IDENTIFICATION AND AUTHENTICATION
5.2 Securely Authenticate Dynamic Updates - update-policy grant or local	IDENTIFICATION AND AUTHENTICATION
5.3 Securely Authenticate Update Forwarding	IDENTIFICATION AND AUTHENTICATION
6.1 Hide BIND Version String	CONFIGURATION MANAGEMENT
6.2 Hide Nameserver ID	CONFIGURATION MANAGEMENT
7.1 Do Not Define a Static Source Port	SYSTEM AND INFORMATION INTEGRITY
7.2 Enable DNSSEC Validation - reject	IDENTIFICATION AND AUTHENTICATION
7.2 Enable DNSSEC Validation - trust	IDENTIFICATION AND AUTHENTICATION
7.3 Disable the dnssec-accept-expired Option	ACCESS CONTROL
9.1 Apply Applicable Updates	RISK ASSESSMENT
9.2 Configure a Logging File Channel - category config	AUDIT AND ACCOUNTABILITY
9.2 Configure a Logging File Channel - category dnssec	AUDIT AND ACCOUNTABILITY
9.2 Configure a Logging File Channel - category network	AUDIT AND ACCOUNTABILITY
9.2 Configure a Logging File Channel - category security	AUDIT AND ACCOUNTABILITY
9.2 Configure a Logging File Channel - category update	AUDIT AND ACCOUNTABILITY
9.2 Configure a Logging File Channel - category xfer-in	AUDIT AND ACCOUNTABILITY
9.2 Configure a Logging File Channel - category xfer-out	AUDIT AND ACCOUNTABILITY

Detections

Analytics

CIS BIND DNS v1.0.0 L1 Authoritative Name Server

Audit Details

File Details

Audit Items