CIS BIND DNS v1.0.0 L1 Caching Only Name Server

Audit Details

Name: CIS BIND DNS v1.0.0 L1 Caching Only Name Server

Updated: 6/17/2024

Authority: CIS

Plugin: Unix

Revision: 1.8

Estimated Item Count: 51

File Details

Filename: CIS_ISC_BIND_DNS_Server_9.11_Benchmark_v1.0.0_L1_CachingOnly.audit

Size: 120 kB

MD5: d0a54f112da808fe97317b03c18799c6
SHA256: bcdd0e772ec4c184f30678e6145f97acc2dd158025897a27765821544c9b4efe

Audit Items

DescriptionCategories
1.1 Use a Split-Horizon Architecture

SYSTEM AND COMMUNICATIONS PROTECTION

1.2 Do Not Install a Multi-Use System - chkconfig

CONFIGURATION MANAGEMENT

1.2 Do Not Install a Multi-Use System - systemctl

CONFIGURATION MANAGEMENT

1.3 Dedicated Name Server Role

CONFIGURATION MANAGEMENT

1.5 Installing ISC BIND 9 - bind9 installation

CONFIGURATION MANAGEMENT

1.5 Installing ISC BIND 9 - named location

CONFIGURATION MANAGEMENT

2.1 Run BIND as a non-root User - process -u named

ACCESS CONTROL

2.1 Run BIND as a non-root User - UID

ACCESS CONTROL

2.2 Give the BIND User Account an Invalid Shell

ACCESS CONTROL

2.3 Lock the BIND User Account

ACCESS CONTROL

2.4 Set root Ownership of BIND Directories

ACCESS CONTROL

2.5 Set root Ownership of BIND Configuration Files

ACCESS CONTROL

2.6 Set Group named or root for BIND Directories and Files

ACCESS CONTROL

2.7 Set Group Read-Only for BIND Files and Non-Runtime Directories - directories

ACCESS CONTROL

2.7 Set Group Read-Only for BIND Files and Non-Runtime Directories - files

ACCESS CONTROL

2.8 Set Other Permissions Read-Only for All BIND Directories and Files - directories

ACCESS CONTROL

2.8 Set Other Permissions Read-Only for All BIND Directories and Files - files

ACCESS CONTROL

3.1 Ignore Erroneous or Unwanted Queries - Link local addresses

CONFIGURATION MANAGEMENT

3.1 Ignore Erroneous or Unwanted Queries - Multicast addresses

CONFIGURATION MANAGEMENT

3.1 Ignore Erroneous or Unwanted Queries - RFC 1918 10/8; addresses

CONFIGURATION MANAGEMENT

3.1 Ignore Erroneous or Unwanted Queries - RFC 1918 172.16/12; addresses

CONFIGURATION MANAGEMENT

3.1 Ignore Erroneous or Unwanted Queries - RFC 1918 192.168/16; addresses

CONFIGURATION MANAGEMENT

3.2 Restrict Recursive Queries - Caching Name Server

SYSTEM AND INFORMATION INTEGRITY

3.3 Restrict Query Origins

ACCESS CONTROL

3.4 Restrict Queries of the Cache - Caching Only

CONFIGURATION MANAGEMENT

4.1 Use TSIG Keys 256 Bits in Length

SYSTEM AND COMMUNICATIONS PROTECTION

4.2 Include Cryptographic Key Files

SYSTEM AND COMMUNICATIONS PROTECTION

4.3 Use Unique Keys for Each Pair of Hosts - unique keys

SYSTEM AND COMMUNICATIONS PROTECTION

4.3 Use Unique Keys for Each Pair of Hosts - unique secret

SYSTEM AND COMMUNICATIONS PROTECTION

4.4 Restrict Access to All Key Files - group root/named

ACCESS CONTROL

4.4 Restrict Access to All Key Files - permissions

ACCESS CONTROL

4.4 Restrict Access to All Key Files - user root/named

ACCESS CONTROL

4.5 Protect TSIG Key Files During Deployment

SYSTEM AND COMMUNICATIONS PROTECTION

6.1 Hide BIND Version String

CONFIGURATION MANAGEMENT

6.2 Hide Nameserver ID

CONFIGURATION MANAGEMENT

7.1 Do Not Define a Static Source Port

SYSTEM AND INFORMATION INTEGRITY

7.2 Enable DNSSEC Validation - dnssec-enable

IDENTIFICATION AND AUTHENTICATION

7.2 Enable DNSSEC Validation - dnssec-validation

IDENTIFICATION AND AUTHENTICATION

7.3 Disable the dnssec-accept-expired Option

ACCESS CONTROL

9.1 Apply Applicable Updates

RISK ASSESSMENT

9.2 Configure a Logging File Channel - category config

AUDIT AND ACCOUNTABILITY

9.2 Configure a Logging File Channel - category dnssec

AUDIT AND ACCOUNTABILITY

9.2 Configure a Logging File Channel - category network

AUDIT AND ACCOUNTABILITY

9.2 Configure a Logging File Channel - category security

AUDIT AND ACCOUNTABILITY

9.2 Configure a Logging File Channel - category update

AUDIT AND ACCOUNTABILITY

9.2 Configure a Logging File Channel - category xfer-in

AUDIT AND ACCOUNTABILITY

9.2 Configure a Logging File Channel - category xfer-out

AUDIT AND ACCOUNTABILITY

9.2 Configure a Logging File Channel - logging section

AUDIT AND ACCOUNTABILITY

9.3 Configure a Logging Syslog Channel

AUDIT AND ACCOUNTABILITY

9.4 Disable the HTTP Statistics Server

SYSTEM AND INFORMATION INTEGRITY