CIS BIND DNS v3.0.1 Authoritative Name Server

Audit Details

Name: CIS BIND DNS v3.0.1 Authoritative Name Server

Updated: 4/12/2023

Authority: CIS

Plugin: Unix

Revision: 1.16

Estimated Item Count: 52

File Details

Filename: CIS_ISC_BIND_DNS_Server_9.9_Benchmark_v3.0.1_Authoritative.audit

Size: 132 kB

MD5: d12973de3b6295739779f5e852c14e7b
SHA256: d4e2f6f18231a0708d9287110b2a6befdc84fa6893593ab2ebf91b2c78b55381

Audit Items

DescriptionCategories
1.1 Use a Split-Horizon Architecture
1.2 Do Not Install a Multi-Use System - chkconfig

CONFIGURATION MANAGEMENT

1.2 Do Not Install a Multi-Use System - systemctl

CONFIGURATION MANAGEMENT

1.3 Dedicated Name Server Role

SYSTEM AND COMMUNICATIONS PROTECTION

1.5 Installing ISC BIND 9 - bind9 installation
1.5 Installing ISC BIND 9 - named location

CONFIGURATION MANAGEMENT

2.1 Run BIND as a non-root User - process -u named

ACCESS CONTROL

2.1 Run BIND as a non-root User - UID

ACCESS CONTROL

2.2 Give the BIND User Account an Invalid Shell

ACCESS CONTROL

2.3 Lock the BIND User Account

ACCESS CONTROL

2.4 Set root Ownership of BIND Directories

ACCESS CONTROL

2.5 Set root Ownership of BIND Configuration Files

ACCESS CONTROL

2.6 Set Group named or root for BIND Directories and Files

ACCESS CONTROL

2.7 Set Group and Other Permissions Read-Only for BIND Non-Runtime Directories - 'group' permissions

ACCESS CONTROL

2.7 Set Group and Other Permissions Read-Only for BIND Non-Runtime Directories - 'other' permissions

ACCESS CONTROL

2.8 Set Group and Other Permissions Read-Only for All BIND Files

ACCESS CONTROL

2.9 Isolate BIND with chroot'ed Subdirectory

ACCESS CONTROL

3.1 Ignore Erroneous or Unwanted Queries - Link local addresses

SYSTEM AND COMMUNICATIONS PROTECTION

3.1 Ignore Erroneous or Unwanted Queries - Multicast addresses

SYSTEM AND COMMUNICATIONS PROTECTION

3.1 Ignore Erroneous or Unwanted Queries - RFC 1918 10/8; addresses

SYSTEM AND COMMUNICATIONS PROTECTION

3.1 Ignore Erroneous or Unwanted Queries - RFC 1918 172.16/12; addresses

SYSTEM AND COMMUNICATIONS PROTECTION

3.1 Ignore Erroneous or Unwanted Queries - RFC 1918 192.168/16; addresses

SYSTEM AND COMMUNICATIONS PROTECTION

3.2 Restrict Recursive Queries - Authoritative Name Server

SYSTEM AND COMMUNICATIONS PROTECTION

3.3 Restrict Query Origins

SYSTEM AND COMMUNICATIONS PROTECTION

3.4 Restrict Queries of the Cache - Authoritative Only

SYSTEM AND COMMUNICATIONS PROTECTION

4.1 Use TSIG Keys 256 Bits in Length

SYSTEM AND COMMUNICATIONS PROTECTION

4.2 Include Cryptographic Key Files

CONFIGURATION MANAGEMENT

4.3 Use Unique Keys for Each Pair of Hosts - unique keys

CONFIGURATION MANAGEMENT

4.3 Use Unique Keys for Each Pair of Hosts - unique secret

SYSTEM AND COMMUNICATIONS PROTECTION

4.4 Restrict Access to All Key Files - group root/named

ACCESS CONTROL

4.4 Restrict Access to All Key Files - permissions

ACCESS CONTROL

4.4 Restrict Access to All Key Files - user root/named

ACCESS CONTROL

4.5 Protect TSIG Key Files During Deployment
5.1 Securely Authenticate Zone Transfers

SYSTEM AND COMMUNICATIONS PROTECTION

5.2 Securely Authenticate Dynamic Updates - allow-update none or localhost

SYSTEM AND COMMUNICATIONS PROTECTION

5.2 Securely Authenticate Dynamic Updates - update-policy grant or local

SYSTEM AND COMMUNICATIONS PROTECTION

5.3 Securely Authenticate Update Forwarding

SYSTEM AND COMMUNICATIONS PROTECTION

6.1 Hide BIND Version String

SYSTEM AND COMMUNICATIONS PROTECTION

6.2 Hide Nameserver ID

SYSTEM AND COMMUNICATIONS PROTECTION

7.1 Do Not Define a Static Source Port
8.1 Apply Applicable Updates

SYSTEM AND INFORMATION INTEGRITY

8.2 Configure a Logging File Channel - category config

AUDIT AND ACCOUNTABILITY

8.2 Configure a Logging File Channel - category dnssec

AUDIT AND ACCOUNTABILITY

8.2 Configure a Logging File Channel - category network

AUDIT AND ACCOUNTABILITY

8.2 Configure a Logging File Channel - category security

AUDIT AND ACCOUNTABILITY

8.2 Configure a Logging File Channel - category update

AUDIT AND ACCOUNTABILITY

8.2 Configure a Logging File Channel - category xfer-in

AUDIT AND ACCOUNTABILITY

8.2 Configure a Logging File Channel - category xfer-out

AUDIT AND ACCOUNTABILITY

8.2 Configure a Logging File Channel - logging section

AUDIT AND ACCOUNTABILITY

8.3 Configure a Logging syslog Channel - syslog

AUDIT AND ACCOUNTABILITY