6.2 Hide Nameserver ID

Information

The server-id option provides a server identifier that is returned in response to an NSID query. NSID queries are described in RFC 5001 and provide a method of identifying a specific server in an environment where multiple DNS servers share the same IP address. With load balancing and other IP-sharing mechanisms, it can be difficult to discern exactly which name server answered a particular query; NSID allows a name server to include identifying information in its response. The server-id option should be disabled with a value of none.

Rationale:

Enabling the NSID option may allow external parties to obtain information about the configuration and architecture of the DNS server. If NSID must be enabled, the identifier should be generic: do not use the server's geographic location, internal IP address, or any other privileged information.

Solution

To explicitly disable NSID support, add or modify the server-id option in the global BIND options with a value of none as shown below.

server-id none;

Default Value:

NSID is disabled by default.
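As an added example (not part of this audit item), the following POSIX shell check inspects the global options block of a named.conf for the server-id setting and classifies the result. The two configuration fragments are constructed samples, and the check assumes a single file with no server-id overrides inside view blocks.

```sh
#!/bin/sh
# Constructed sample fragments of named.conf (not taken from any real deployment).
NONCOMPLIANT_CONF='options {
    directory "/var/cache/bind";
    server-id hostname;   // returns the host name to any NSID query
};'

COMPLIANT_CONF='options {
    directory "/var/cache/bind";
    server-id none;       // item 6.2: NSID explicitly disabled
};'

# check_server_id CONF_TEXT
#   Prints "compliant", "review: ...", or "non-compliant: ...".
#   Only the global options block is examined; // and # comments are stripped
#   so a commented-out directive is not mistaken for an active one.
check_server_id() {
    conf="$1"
    value=$(printf '%s\n' "$conf" \
        | sed -n '/^[[:space:]]*options[[:space:]]*{/,/^[[:space:]]*};/p' \
        | sed 's|//.*||; s|#.*||' \
        | sed -n 's/^[[:space:]]*server-id[[:space:]][[:space:]]*\(.*\);.*/\1/p' \
        | tail -n 1)
    case "$value" in
        "")       echo "compliant (server-id absent; BIND default is none, set it explicitly)" ;;
        none)     echo "compliant" ;;
        hostname) echo "non-compliant: server-id hostname exposes the host name" ;;
        *)        echo "review: server-id is $value; confirm it reveals no location or internal addressing" ;;
    esac
}

check_server_id "$NONCOMPLIANT_CONF"
check_server_id "$COMPLIANT_CONF"
```

Against a running server, `dig +nsid @<server> <name>` shows whether an NSID option is actually returned, which confirms the configuration took effect after a reload.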

See Also

https://workbench.cisecurity.org/files/1735

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-30(5), CSCv6|9

Plugin: Unix

Control ID: 503a0429f66438af94e7c9673a0e921e44c59d574198802357d3d49ec4101742