| 1.1 Use a Split-Horizon Architecture | SYSTEM AND COMMUNICATIONS PROTECTION |
| 1.2 Do Not Install a Multi-Use System - chkconfig | CONFIGURATION MANAGEMENT |
| 1.2 Do Not Install a Multi-Use System - systemctl | CONFIGURATION MANAGEMENT |
| 1.3 Dedicated Name Server Role | CONFIGURATION MANAGEMENT |
| 1.5 Installing ISC BIND 9 - bind9 installation | CONFIGURATION MANAGEMENT |
| 1.5 Installing ISC BIND 9 - named location | CONFIGURATION MANAGEMENT |
| 2.1 Run BIND as a non-root User - process -u named | ACCESS CONTROL |
| 2.1 Run BIND as a non-root User - UID | ACCESS CONTROL |
| 2.2 Give the BIND User Account an Invalid Shell | ACCESS CONTROL |
| 2.3 Lock the BIND User Account | ACCESS CONTROL |
| 2.4 Set root Ownership of BIND Directories | ACCESS CONTROL |
| 2.5 Set root Ownership of BIND Configuration Files | ACCESS CONTROL |
| 2.6 Set Group named or root for BIND Directories and Files | ACCESS CONTROL |
| 2.7 Set Group Read-Only for BIND Files and Non-Runtime Directories - directories | ACCESS CONTROL |
| 2.7 Set Group Read-Only for BIND Files and Non-Runtime Directories - files | ACCESS CONTROL |
| 2.8 Set Other Permissions Read-Only for All BIND Directories and Files - directories | ACCESS CONTROL |
| 2.8 Set Other Permissions Read-Only for All BIND Directories and Files - files | ACCESS CONTROL |
| 3.1 Ignore Erroneous or Unwanted Queries - Link local addresses | CONFIGURATION MANAGEMENT |
| 3.1 Ignore Erroneous or Unwanted Queries - Multicast addresses | CONFIGURATION MANAGEMENT |
| 3.1 Ignore Erroneous or Unwanted Queries - RFC 1918 10/8; addresses | CONFIGURATION MANAGEMENT |
| 3.1 Ignore Erroneous or Unwanted Queries - RFC 1918 172.16/12; addresses | CONFIGURATION MANAGEMENT |
| 3.1 Ignore Erroneous or Unwanted Queries - RFC 1918 192.168/16; addresses | CONFIGURATION MANAGEMENT |
| 3.2 Restrict Recursive Queries - Caching Name Server | SYSTEM AND INFORMATION INTEGRITY |
| 3.3 Restrict Query Origins | ACCESS CONTROL |
| 3.4 Restrict Queries of the Cache - Caching Only | CONFIGURATION MANAGEMENT |
| 4.1 Use TSIG Keys 256 Bits in Length | SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.2 Include Cryptographic Key Files | SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.3 Use Unique Keys for Each Pair of Hosts - unique keys | SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.3 Use Unique Keys for Each Pair of Hosts - unique secret | SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.4 Restrict Access to All Key Files - group root/named | ACCESS CONTROL |
| 4.4 Restrict Access to All Key Files - permissions | ACCESS CONTROL |
| 4.4 Restrict Access to All Key Files - user root/named | ACCESS CONTROL |
| 4.5 Protect TSIG Key Files During Deployment | SYSTEM AND COMMUNICATIONS PROTECTION |
| 6.1 Hide BIND Version String | CONFIGURATION MANAGEMENT |
| 6.2 Hide Nameserver ID | CONFIGURATION MANAGEMENT |
| 7.1 Do Not Define a Static Source Port | SYSTEM AND INFORMATION INTEGRITY |
| 7.2 Enable DNSSEC Validation - dnssec-enable | IDENTIFICATION AND AUTHENTICATION |
| 7.2 Enable DNSSEC Validation - dnssec-validation | IDENTIFICATION AND AUTHENTICATION |
| 7.3 Disable the dnssec-accept-expired Option | ACCESS CONTROL |
| 9.1 Apply Applicable Updates | RISK ASSESSMENT |
| 9.2 Configure a Logging File Channel - category config | AUDIT AND ACCOUNTABILITY |
| 9.2 Configure a Logging File Channel - category dnssec | AUDIT AND ACCOUNTABILITY |
| 9.2 Configure a Logging File Channel - category network | AUDIT AND ACCOUNTABILITY |
| 9.2 Configure a Logging File Channel - category security | AUDIT AND ACCOUNTABILITY |
| 9.2 Configure a Logging File Channel - category update | AUDIT AND ACCOUNTABILITY |
| 9.2 Configure a Logging File Channel - category xfer-in | AUDIT AND ACCOUNTABILITY |
| 9.2 Configure a Logging File Channel - category xfer-out | AUDIT AND ACCOUNTABILITY |
| 9.2 Configure a Logging File Channel - logging section | AUDIT AND ACCOUNTABILITY |
| 9.3 Configure a Logging Syslog Channel | AUDIT AND ACCOUNTABILITY |
| 9.4 Disable the HTTP Statistics Server | SYSTEM AND INFORMATION INTEGRITY |
