CIS BIND DNS v1.0.0 L1 Authoritative Name Server

Audit Details

Name: CIS BIND DNS v1.0.0 L1 Authoritative Name Server

Updated: 4/25/2022

Authority: CIS

Plugin: Unix

Revision: 1.3

Estimated Item Count: 55

File Details

Filename: CIS_ISC_BIND_DNS_Server_9.11_Benchmark_v1.0.0_L1_Authoritative.audit

Size: 123 kB

MD5: 1ce5ee084706cbfa7f6f0962715fdab0
SHA256: 43c010ed9657491db85babe60f0e2c55bd6d2cf2c1cb9b763271c03a124b578c

Audit Items

Description | Categories
1.1 Use a Split-Horizon Architecture | SYSTEM AND COMMUNICATIONS PROTECTION
1.2 Do Not Install a Multi-Use System - chkconfig | CONFIGURATION MANAGEMENT
1.2 Do Not Install a Multi-Use System - systemctl | CONFIGURATION MANAGEMENT
1.3 Dedicated Name Server Role | CONFIGURATION MANAGEMENT
1.5 Installing ISC BIND 9 - bind9 installation | CONFIGURATION MANAGEMENT
1.5 Installing ISC BIND 9 - named location | CONFIGURATION MANAGEMENT
2.1 Run BIND as a non-root User - process -u named | ACCESS CONTROL
2.1 Run BIND as a non-root User - UID | ACCESS CONTROL
2.2 Give the BIND User Account an Invalid Shell | ACCESS CONTROL
2.3 Lock the BIND User Account | ACCESS CONTROL
2.4 Set root Ownership of BIND Directories | ACCESS CONTROL
2.5 Set root Ownership of BIND Configuration Files | ACCESS CONTROL
2.6 Set Group named or root for BIND Directories and Files | ACCESS CONTROL
2.7 Set Group Read-Only for BIND Files and Non-Runtime Directories - directories | ACCESS CONTROL
2.7 Set Group Read-Only for BIND Files and Non-Runtime Directories - files | ACCESS CONTROL
2.8 Set Other Permissions Read-Only for All BIND Directories and Files - directories | ACCESS CONTROL
2.8 Set Other Permissions Read-Only for All BIND Directories and Files - files | ACCESS CONTROL
3.1 Ignore Erroneous or Unwanted Queries - Link local addresses | CONFIGURATION MANAGEMENT
3.1 Ignore Erroneous or Unwanted Queries - Multicast addresses | CONFIGURATION MANAGEMENT
3.1 Ignore Erroneous or Unwanted Queries - RFC 1918 10/8; addresses | CONFIGURATION MANAGEMENT
3.1 Ignore Erroneous or Unwanted Queries - RFC 1918 172.16/12; addresses | CONFIGURATION MANAGEMENT
3.1 Ignore Erroneous or Unwanted Queries - RFC 1918 192.168/16; addresses | CONFIGURATION MANAGEMENT
3.2 Restrict Recursive Queries - Authoritative Name Server | SYSTEM AND INFORMATION INTEGRITY
3.3 Restrict Query Origins | ACCESS CONTROL
3.4 Restrict Queries of the Cache - Authoritative Only | CONFIGURATION MANAGEMENT
4.1 Use TSIG Keys 256 Bits in Length | SYSTEM AND COMMUNICATIONS PROTECTION
4.2 Include Cryptographic Key Files | SYSTEM AND COMMUNICATIONS PROTECTION
4.3 Use Unique Keys for Each Pair of Hosts - unique keys | SYSTEM AND COMMUNICATIONS PROTECTION
4.3 Use Unique Keys for Each Pair of Hosts - unique secret | SYSTEM AND COMMUNICATIONS PROTECTION
4.4 Restrict Access to All Key Files - group root/named | ACCESS CONTROL
4.4 Restrict Access to All Key Files - permissions | ACCESS CONTROL
4.4 Restrict Access to All Key Files - user root/named | ACCESS CONTROL
4.5 Protect TSIG Key Files During Deployment | SYSTEM AND COMMUNICATIONS PROTECTION
5.2 Securely Authenticate Dynamic Updates - allow-update none or localhost | IDENTIFICATION AND AUTHENTICATION
5.2 Securely Authenticate Dynamic Updates - update-policy grant or local | IDENTIFICATION AND AUTHENTICATION
5.3 Securely Authenticate Update Forwarding | IDENTIFICATION AND AUTHENTICATION
6.1 Hide BIND Version String | CONFIGURATION MANAGEMENT
6.2 Hide Nameserver ID | CONFIGURATION MANAGEMENT
7.1 Do Not Define a Static Source Port | SYSTEM AND INFORMATION INTEGRITY
7.2 Enable DNSSEC Validation - reject | IDENTIFICATION AND AUTHENTICATION
7.2 Enable DNSSEC Validation - trust | IDENTIFICATION AND AUTHENTICATION
7.3 Disable the dnssec-accept-expired Option | ACCESS CONTROL
9.1 Apply Applicable Updates | RISK ASSESSMENT
9.2 Configure a Logging File Channel - category config | AUDIT AND ACCOUNTABILITY
9.2 Configure a Logging File Channel - category dnssec | AUDIT AND ACCOUNTABILITY
9.2 Configure a Logging File Channel - category network | AUDIT AND ACCOUNTABILITY
9.2 Configure a Logging File Channel - category security | AUDIT AND ACCOUNTABILITY
9.2 Configure a Logging File Channel - category update | AUDIT AND ACCOUNTABILITY
9.2 Configure a Logging File Channel - category xfer-in | AUDIT AND ACCOUNTABILITY
9.2 Configure a Logging File Channel - category xfer-out | AUDIT AND ACCOUNTABILITY