| 1.1 Use a Split-Horizon Architecture | |
| 1.2 Do Not Install a Multi-Use System - chkconfig | CONFIGURATION MANAGEMENT |
| 1.2 Do Not Install a Multi-Use System - systemctl | CONFIGURATION MANAGEMENT |
| 1.3 Dedicated Name Server Role | SYSTEM AND COMMUNICATIONS PROTECTION |
| 1.4 Use Secure Upstream Caching DNS Servers | |
| 1.5 Installing ISC BIND 9 - bind9 installation | |
| 1.5 Installing ISC BIND 9 - named location | CONFIGURATION MANAGEMENT |
| 2.1 Run BIND as a non-root User - process -u named | ACCESS CONTROL |
| 2.1 Run BIND as a non-root User - UID | ACCESS CONTROL |
| 2.2 Give the BIND User Account an Invalid Shell | ACCESS CONTROL |
| 2.3 Lock the BIND User Account | ACCESS CONTROL |
| 2.4 Set root Ownership of BIND Directories | ACCESS CONTROL |
| 2.5 Set root Ownership of BIND Configuration Files | ACCESS CONTROL |
| 2.6 Set Group named or root for BIND Directories and Files | ACCESS CONTROL |
| 2.7 Set Group and Other Permissions Read-Only for BIND Non-Runtime Directories - 'group' permissions | ACCESS CONTROL |
| 2.7 Set Group and Other Permissions Read-Only for BIND Non-Runtime Directories - 'other' permissions | ACCESS CONTROL |
| 2.8 Set Group and Other Permissions Read-Only for All BIND Files | ACCESS CONTROL |
| 2.9 Isolate BIND with chroot'ed Subdirectory | ACCESS CONTROL |
| 3.1 Ignore Erroneous or Unwanted Queries - Link local addresses | SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.1 Ignore Erroneous or Unwanted Queries - Multicast addresses | SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.1 Ignore Erroneous or Unwanted Queries - RFC 1918 10/8; addresses | SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.1 Ignore Erroneous or Unwanted Queries - RFC 1918 172.16/12; addresses | SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.1 Ignore Erroneous or Unwanted Queries - RFC 1918 192.168/16; addresses | SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.2 Restrict Recursive Queries - Caching Name Server | SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.3 Restrict Query Origins | |
| 3.4 Restrict Queries of the Cache - Caching Only | SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.1 Use TSIG Keys 256 Bits in Length | SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.2 Include Cryptographic Key Files | CONFIGURATION MANAGEMENT |
| 4.3 Use Unique Keys for Each Pair of Hosts - unique keys | CONFIGURATION MANAGEMENT |
| 4.3 Use Unique Keys for Each Pair of Hosts - unique secret | SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.4 Restrict Access to All Key Files - group root/named | ACCESS CONTROL |
| 4.4 Restrict Access to All Key Files - permissions | ACCESS CONTROL |
| 4.4 Restrict Access to All Key Files - user root/named | ACCESS CONTROL |
| 5.1 Securely Authenticate Zone Transfers | SYSTEM AND COMMUNICATIONS PROTECTION |
| 6.1 Hide BIND Version String | SYSTEM AND COMMUNICATIONS PROTECTION |
| 6.2 Hide Nameserver ID | SYSTEM AND COMMUNICATIONS PROTECTION |
| 7.1 Do Not Define a Static Source Port | |
| 7.2 Enable DNSSEC Validation - dnssec-enable | SYSTEM AND COMMUNICATIONS PROTECTION |
| 7.2 Enable DNSSEC Validation - dnssec-validation | SYSTEM AND COMMUNICATIONS PROTECTION |
| 7.3 Disable the dnssec-accept-expired Option | |
| 8.1 Apply Applicable Updates | SYSTEM AND INFORMATION INTEGRITY |
| 8.2 Configure a Logging File Channel - category config | AUDIT AND ACCOUNTABILITY |
| 8.2 Configure a Logging File Channel - category dnssec | AUDIT AND ACCOUNTABILITY |
| 8.2 Configure a Logging File Channel - category network | AUDIT AND ACCOUNTABILITY |
| 8.2 Configure a Logging File Channel - category security | AUDIT AND ACCOUNTABILITY |
| 8.2 Configure a Logging File Channel - category update | AUDIT AND ACCOUNTABILITY |
| 8.2 Configure a Logging File Channel - category xfer-in | AUDIT AND ACCOUNTABILITY |
| 8.2 Configure a Logging File Channel - category xfer-out | AUDIT AND ACCOUNTABILITY |
| 8.2 Configure a Logging File Channel - logging section | AUDIT AND ACCOUNTABILITY |
| 8.3 Configure a Logging syslog Channel - syslog | AUDIT AND ACCOUNTABILITY |
