1.3 Dedicated Name Server Role

Information

A name server may be an authoritative name server for one or more domains for which it is configured to provide information. An authoritative-only name server only answers queries on the domains for which it is configured, and will reject queries for other domains. A caching name server will answer queries for any domain. The caching name server gets answers by sending recursive DNS queries to other name servers and then storing the answer in its cache to provide a quicker response to the next query for that name. A caching-only name server is not authoritative for any domain. The BIND DNS name server should be configured to be either a caching-only or an authoritative-only name server, but not both.

Rationale:

DNS name servers are a foundational part of your network architecture, and the security of other network services depends on their integrity. It is important to separate the roles of caching and authoritative name servers to minimize functionality and reduce risk for each server. Each name server role faces different threats in addition to direct attacks on the server. For example, the caching name server faces unique threats of malicious replies with bogus answers or over-sized answers intended to deny service. The authoritative name server is a critical part of the infrastructure and should not be exposed to these additional attacks.

Solution

Authoritative-Only Name Server:

For the authoritative-only name server, add or modify the allow-recursion statement in the options block so that it includes only the localhost, as shown below.

options {
    . . .
    allow-recursion { localhost; };
};

Caching-Only Name Server:

For the caching-only name server, remove the non-local zone statements from the configuration file and restart the server.
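The two solution steps above amount to one audit question: does this named.conf serve authoritative zones, does it recurse for anyone beyond localhost, or both? The following script is an added example written for this page; it is not the benchmark's own check and not part of BIND. It strips comments, collects the zones the server is authoritative for (ignoring hint zones and the localhost/loopback zones every BIND installation carries), reads the allow-recursion ACL (falling back to the BIND 9 default of localnets and localhost when the statement is absent, or to no recursion when "recursion no;" is set), and reports whether the server is authoritative-only, caching-only, or mixed. The three configuration fragments are constructed samples; the regex-based parsing assumes a flat named.conf with no views and no nested blocks inside zone statements.

```python
import re

# Constructed sample configurations (illustrative, not from the benchmark).
AUTH_ONLY_CONF = """
options {
    directory "/var/named";
    allow-recursion { localhost; };
};
zone "example.test" IN {
    type master;
    file "example.test.zone";
};
"""

MIXED_CONF = """
// Authoritative for a zone but still recursing for everyone: the role mix
// the benchmark item tells you to split.
options {
    directory "/var/named";
    allow-recursion { any; };
};
zone "." IN { type hint; file "named.ca"; };
zone "example.test" IN { type master; file "example.test.zone"; };
"""

CACHE_ONLY_CONF = """
options {
    allow-recursion { localnets; };
};
zone "." IN { type hint; file "named.ca"; };
zone "localhost" IN { type master; file "localhost.zone"; };
"""

# Zones that do not make a server "authoritative" in the benchmark's sense.
LOCAL_ZONES = {".", "localhost", "localhost.localdomain",
               "127.in-addr.arpa", "0.in-addr.arpa", "255.in-addr.arpa",
               "1.0.0.127.in-addr.arpa"}
AUTH_TYPES = {"master", "primary", "slave", "secondary"}

# Assumption: flat zone statements with no nested { } blocks inside them.
ZONE_RE = re.compile(r'\bzone\s+"([^"]+)"[^{]*\{([^}]*)\}', re.S)


def strip_comments(text):
    """Remove C-style, C++-style and shell-style comments accepted by named.conf."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def authoritative_zones(text):
    """Return names of non-local zones this server is primary or secondary for."""
    zones = []
    for name, body in ZONE_RE.findall(text):
        m = re.search(r"\btype\s+(\w+)", body)
        ztype = m.group(1) if m else ""
        if ztype == "hint" or name in LOCAL_ZONES:
            continue
        if ztype in AUTH_TYPES:
            zones.append(name)
    return zones


def recursion_clients(text):
    """Return the ACL entries allowed to recurse, modelling BIND 9 defaults."""
    if re.search(r"(?<![\w-])recursion\s+no\s*;", text):
        return []
    m = re.search(r"\ballow-recursion\s*\{([^}]*)\}", text)
    if m is None:
        return ["localnets", "localhost"]  # BIND 9 default when unset
    return [e.strip() for e in m.group(1).split(";") if e.strip()]


def classify_role(conf):
    """Classify a named.conf as AUTHORITATIVE_ONLY, CACHING_ONLY, MIXED or NEITHER."""
    text = strip_comments(conf)
    zones = authoritative_zones(text)
    clients = recursion_clients(text)
    recurses_for_others = any(c not in ("localhost", "none") for c in clients)
    if zones and recurses_for_others:
        role = "MIXED"
    elif zones:
        role = "AUTHORITATIVE_ONLY"
    elif recurses_for_others:
        role = "CACHING_ONLY"
    else:
        role = "NEITHER"
    return {"role": role, "zones": zones, "recursion_clients": clients,
            "compliant": role in ("AUTHORITATIVE_ONLY", "CACHING_ONLY")}


if __name__ == "__main__":
    for label, conf in (("auth-only", AUTH_ONLY_CONF),
                        ("mixed", MIXED_CONF),
                        ("cache-only", CACHE_ONLY_CONF)):
        print(label, classify_role(conf))
```

Run it against /etc/named.conf by reading the file into classify_role; a MIXED result is the condition this item flags, and the report's zone list and ACL entries tell you which of the two solution steps applies.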

See Also

https://workbench.cisecurity.org/files/1735

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-22, CSCv6|9

Plugin: Unix

Control ID: 247e7b7af34ce85ae9239dda984d2d3bd204fb24143ebfba141a0248a904dfa7