BIND-9X-000001 - A BIND 9.x server implementation must be running in a chroot(ed) directory structure.

800-53|CM-7(5)

CAT|III

CCI|CCI-001090

Rule-ID|SV-86987r1_rule

STIG-ID|BIND-9X-000001

Vuln-ID|V-72363

BIND-9X-001000 - A BIND 9.x server implementation must be operating on a Current-Stable version as defined by ISC.

800-53|SI-2

CAT|I

CCI|CCI-000366

Rule-ID|SV-86989r2_rule

STIG-ID|BIND-9X-001000

Vuln-ID|V-72365

BIND-9X-001002 - The platform on which the name server software is hosted must only run processes and services needed to support the BIND 9.x implementation.

800-53|CM-7

CAT|II

Rule-ID|SV-86991r1_rule

STIG-ID|BIND-9X-001002

Vuln-ID|V-72367

BIND-9X-001003 - The BIND 9.x server software must run with restricted privileges.

800-53|AC-6

Rule-ID|SV-86993r1_rule

STIG-ID|BIND-9X-001003

Vuln-ID|V-72369

BIND-9X-001004 - The host running a BIND 9.X implementation must implement a set of firewall rules that restrict traffic on the DNS interface - drop

800-53|SC-7(12)

Rule-ID|SV-86995r1_rule

STIG-ID|BIND-9X-001004

Vuln-ID|V-72371

BIND-9X-001004 - The host running a BIND 9.X implementation must implement a set of firewall rules that restrict traffic on the DNS interface - tcp

BIND-9X-001004 - The host running a BIND 9.X implementation must implement a set of firewall rules that restrict traffic on the DNS interface - udp

BIND-9X-001005 - The host running a BIND 9.x implementation must use a dedicated management interface in order to separate management traffic from DNS specific traffic.

800-53|SC-7(22)

Rule-ID|SV-86997r1_rule

STIG-ID|BIND-9X-001005

Vuln-ID|V-72373

BIND-9X-001006 - The host running a BIND 9.x implementation must use an interface that is configured to process only DNS traffic.

Rule-ID|SV-86999r1_rule

STIG-ID|BIND-9X-001006

Vuln-ID|V-72375

BIND-9X-001010 - A BIND 9.x server implementation must be configured to allow DNS administrators to audit all DNS server components, based on selectable event criteria, and produce audit records within all DNS server components that contain information for failed security verification tests, information to establish the outcome and source of the events, any information necessary to determine cause of failure, and any information necessary to return to operations with least disruption to mission processes - category

800-53|AU-12

CCI|CCI-000133

CCI|CCI-000134

CCI|CCI-000169

CCI|CCI-001294

CCI|CCI-001665

CCI|CCI-001914

Rule-ID|SV-87001r2_rule

STIG-ID|BIND-9X-001010

Vuln-ID|V-72377

BIND-9X-001010 - A BIND 9.x server implementation must be configured to allow DNS administrators to audit all DNS server components, based on selectable event criteria, and produce audit records within all DNS server components that contain information for failed security verification tests, information to establish the outcome and source of the events, any information necessary to determine cause of failure, and any information necessary to return to operations with least disruption to mission processes - channel

BIND-9X-001010 - A BIND 9.x server implementation must be configured to allow DNS administrators to audit all DNS server components, based on selectable event criteria, and produce audit records within all DNS server components that contain information for failed security verification tests, information to establish the outcome and source of the events, any information necessary to determine cause of failure, and any information necessary to return to operations with least disruption to mission processes - logging

BIND-9X-001017 - The BIND 9.x server implementation must not be configured with a channel to send audit records to null.

CCI|CCI-001348

Rule-ID|SV-87003r1_rule

STIG-ID|BIND-9X-001017

Vuln-ID|V-72379

BIND-9X-001020 - The BIND 9.x server logging configuration must be configured to generate audit records for all DoD-defined auditable events to a local file by enabling triggers for all events with a severity of info, notice, warning, error, and critical for all DNS components.

Rule-ID|SV-87005r2_rule

STIG-ID|BIND-9X-001020

Vuln-ID|V-72381

BIND-9X-001021 - In the event of an error when validating the binding of other DNS servers identity to the BIND 9.x information, when anomalies in the operation of the signed zone transfers are discovered, for the success and failure of start and stop of the name server service or daemon, and for the success and failure of all name server events, a BIND 9.x server implementation must generate a log entry.

CCI|CCI-000172

CCI|CCI-001906

CCI|CCI-002702

Rule-ID|SV-87007r2_rule

STIG-ID|BIND-9X-001021

Vuln-ID|V-72383

BIND-9X-001030 - The print-severity variable for the configuration of BIND 9.x server logs must be configured to produce audit records containing information to establish what type of events occurred.

CCI|CCI-000130

Rule-ID|SV-87009r1_rule

STIG-ID|BIND-9X-001030

Vuln-ID|V-72385

BIND-9X-001031 - The print-time variable for the configuration of BIND 9.x server logs must be configured to establish when (date and time) the events occurred.

CCI|CCI-000131

Rule-ID|SV-87011r1_rule

STIG-ID|BIND-9X-001031

Vuln-ID|V-72387

BIND-9X-001032 - The print-category variable for the configuration of BIND 9.x server logs must be configured to record information indicating which process generated the events.

CCI|CCI-000132

Rule-ID|SV-87013r1_rule

STIG-ID|BIND-9X-001032

Vuln-ID|V-72389

BIND-9X-001040 - The BIND 9.x server implementation must be configured with a channel to send audit records to a remote syslog - named syslog

800-53|AU-9(2)

Rule-ID|SV-87015r1_rule

STIG-ID|BIND-9X-001040

Vuln-ID|V-72391

BIND-9X-001040 - The BIND 9.x server implementation must be configured with a channel to send audit records to a remote syslog - rsyslog/syslog

BIND-9X-001041 - The BIND 9.x server implementation must be configured with a channel to send audit records to a local file.

800-53|AU-11

Rule-ID|SV-87017r1_rule

STIG-ID|BIND-9X-001041

Vuln-ID|V-72393

BIND-9X-001042 - The BIND 9.x server implementation must maintain at least 3 file versions of the local log file.

Rule-ID|SV-87019r1_rule

STIG-ID|BIND-9X-001042

Vuln-ID|V-72395

BIND-9X-001050 - The BIND 9.x secondary name server must limit the number of zones requested from a single master name server.

800-53|SC-5(2)

CCI|CCI-000054

Rule-ID|SV-87021r1_rule

STIG-ID|BIND-9X-001050

Vuln-ID|V-72397

BIND-9X-001051 - The BIND 9.x secondary name server must limit the total number of zones the name server can request at any one time.

Rule-ID|SV-87023r1_rule

STIG-ID|BIND-9X-001051

Vuln-ID|V-72399

BIND-9X-001052 - The BIND 9.x server implementation must limit the number of concurrent session client connections to the number of allowed dynamic update clients.

Rule-ID|SV-87025r1_rule

STIG-ID|BIND-9X-001052

Vuln-ID|V-72401

BIND-9X-001053 - The BIND 9.x server implementation must be configured to use only approved ports and protocols.

800-53|CM-6

CCI|CCI-000382

Rule-ID|SV-87027r1_rule

STIG-ID|BIND-9X-001053

Vuln-ID|V-72403

BIND-9X-001054 - A BIND 9.x server implementation must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of Denial of Service (DoS) attacks - options allow-query

CCI|CCI-001095

Rule-ID|SV-87029r1_rule

STIG-ID|BIND-9X-001054

Vuln-ID|V-72405

BIND-9X-001054 - A BIND 9.x server implementation must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of Denial of Service (DoS) attacks - recursion

800-53|SC-20

BIND-9X-001054 - A BIND 9.x server implementation must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of Denial of Service (DoS) attacks - zone allow-query

800-53|SC-22

BIND-9X-001055 - A BIND 9.x server implementation must prohibit recursion on authoritative name servers - allow-recursion

CCI|CCI-001094

Rule-ID|SV-87031r2_rule

STIG-ID|BIND-9X-001055

Vuln-ID|V-72407

BIND-9X-001055 - A BIND 9.x server implementation must prohibit recursion on authoritative name servers - options allow-query

BIND-9X-001055 - A BIND 9.x server implementation must prohibit recursion on authoritative name servers - recursion

BIND-9X-001055 - A BIND 9.x server implementation must prohibit recursion on authoritative name servers - zone allow-query

BIND-9X-001057 - The master servers in a BIND 9.x implementation must notify authorized secondary name servers when zone files are updated - notify

Rule-ID|SV-87033r3_rule

STIG-ID|BIND-9X-001057

Vuln-ID|V-72409

BIND-9X-001057 - The master servers in a BIND 9.x implementation must notify authorized secondary name servers when zone files are updated - zone also-notify

BIND-9X-001057 - The master servers in a BIND 9.x implementation must notify authorized secondary name servers when zone files are updated - zone notify explicit

BIND-9X-001058 - The secondary name servers in a BIND 9.x implementation must be configured to initiate zone update notifications to other authoritative zone name servers - options notify

Rule-ID|SV-87035r2_rule

STIG-ID|BIND-9X-001058

Vuln-ID|V-72411

BIND-9X-001058 - The secondary name servers in a BIND 9.x implementation must be configured to initiate zone update notifications to other authoritative zone name servers - zone allow-notify

BIND-9X-001058 - The secondary name servers in a BIND 9.x implementation must be configured to initiate zone update notifications to other authoritative zone name servers - zone notify explicit

BIND-9X-001059 - On the BIND 9.x server the platform on which the name server software is hosted must be configured to send outgoing DNS messages from a random port - listen-on

Rule-ID|SV-87043r1_rule

STIG-ID|BIND-9X-001059

Vuln-ID|V-72419

BIND-9X-001059 - On the BIND 9.x server the platform on which the name server software is hosted must be configured to send outgoing DNS messages from a random port - listen-on-v6

BIND-9X-001060 - A BIND 9.x caching name server must implement DNSSEC validation to check all DNS queries for invalid input - dnssec

CCI|CCI-002754

Rule-ID|SV-87045r3_rule

STIG-ID|BIND-9X-001060

Vuln-ID|V-72421

BIND-9X-001060 - A BIND 9.x caching name server must implement DNSSEC validation to check all DNS queries for invalid input - managed-keys

BIND-9X-001070 - A BIND 9.x master name server must limit the number of concurrent zone transfers between authorized secondary name servers.

Rule-ID|SV-87047r1_rule

STIG-ID|BIND-9X-001070

Vuln-ID|V-72423

BIND-9X-001080 - A BIND 9.x implementation configured as a caching name server must restrict recursive queries to only the IP addresses and IP address ranges of known supported clients - allow-query

Rule-ID|SV-87049r1_rule

STIG-ID|BIND-9X-001080

Vuln-ID|V-72425

BIND-9X-001080 - A BIND 9.x implementation configured as a caching name server must restrict recursive queries to only the IP addresses and IP address ranges of known supported clients - allow-recursion

BIND-9X-001100 - The BIND 9.x server implementation must uniquely identify and authenticate the other DNS server before responding to a server-to-server transaction, zone transfer and/or dynamic update request using cryptographically based bidirectional authentication to protect the integrity of the information in transit - allow-transfer none

CCI|CCI-000778

CCI|CCI-001958

CCI|CCI-001967

CCI|CCI-002039

CCI|CCI-002418

CCI|CCI-002421

Rule-ID|SV-87053r2_rule

STIG-ID|BIND-9X-001100

Vuln-ID|V-72429

BIND-9X-001100 - The BIND 9.x server implementation must uniquely identify and authenticate the other DNS server before responding to a server-to-server transaction, zone transfer and/or dynamic update request using cryptographically based bidirectional authentication to protect the integrity of the information in transit - master allow-transfer

BIND-9X-001100 - The BIND 9.x server implementation must uniquely identify and authenticate the other DNS server before responding to a server-to-server transaction, zone transfer and/or dynamic update request using cryptographically based bidirectional authentication to protect the integrity of the information in transit - secondary keys

BIND-9X-001106 - The BIND 9.x server implementation must utilize separate TSIG key-pairs when securing server-to-server transactions - key

Rule-ID|SV-87055r1_rule

STIG-ID|BIND-9X-001106

Vuln-ID|V-72431

BIND-9X-001106 - The BIND 9.x server implementation must utilize separate TSIG key-pairs when securing server-to-server transactions - zone keys

BIND-9X-001110 - The TSIG keys used with the BIND 9.x implementation must be owned by a privileged account.

800-53|IA-5(2)

CCI|CCI-000186

Rule-ID|SV-87061r1_rule

STIG-ID|BIND-9X-001110

Vuln-ID|V-72437

BIND-9X-001111 - The TSIG keys used with the BIND 9.x implementation must be group owned by a privileged account.

Rule-ID|SV-87063r1_rule

STIG-ID|BIND-9X-001111

Vuln-ID|V-72439

BIND-9X-001112 - The read and write access to a TSIG key file used by a BIND 9.x server must be restricted to only the account that runs the name server software.

Detections

Analytics

DISA BIND 9.x STIG v1r9

Warning! Audit Deprecated

Audit Details

Audit Changelog

Revision 1.6

Miscellaneous

Revision 1.5

Miscellaneous

Revision 1.4

Miscellaneous

Revision 1.3

Functional Update

Miscellaneous

Revision 1.2

Miscellaneous

Revision 1.1

Miscellaneous