CIS BIND DNS v3.0.1 Authoritative Name Server

Audit Details

Name: CIS BIND DNS v3.0.1 Authoritative Name Server

Updated: 4/25/2022

Authority: CIS

Plugin: Unix

Revision: 1.12

Estimated Item Count: 52

File Details

Filename: CIS_ISC_BIND_DNS_Server_9.9_Benchmark_v3.0.1_Authoritative.audit

Size: 129 kB

MD5: 6db14c7dd46b7489a414fb528dc0c1eb
SHA256: f2b82cd7c6d333e325db56c9b80c8db9e872f01708f5dedc35bced99f95a566b

Audit Items

Description | Categories
1.1 Use a Split-Horizon Architecture |
1.2 Do Not Install a Multi-Use System - chkconfig | CONFIGURATION MANAGEMENT
1.2 Do Not Install a Multi-Use System - systemctl | CONFIGURATION MANAGEMENT
1.3 Dedicated Name Server Role | SYSTEM AND COMMUNICATIONS PROTECTION
1.5 Installing ISC BIND 9 - bind9 installation |
1.5 Installing ISC BIND 9 - named location | CONFIGURATION MANAGEMENT
2.1 Run BIND as a non-root User - process -u named | ACCESS CONTROL
2.1 Run BIND as a non-root User - UID | ACCESS CONTROL
2.2 Give the BIND User Account an Invalid Shell | ACCESS CONTROL
2.3 Lock the BIND User Account | ACCESS CONTROL
2.4 Set root Ownership of BIND Directories | ACCESS CONTROL
2.5 Set root Ownership of BIND Configuration Files | ACCESS CONTROL
2.6 Set Group named or root for BIND Directories and Files | ACCESS CONTROL
2.7 Set Group and Other Permissions Read-Only for BIND Non-Runtime Directories - 'group' permissions | ACCESS CONTROL
2.7 Set Group and Other Permissions Read-Only for BIND Non-Runtime Directories - 'other' permissions | ACCESS CONTROL
2.8 Set Group and Other Permissions Read-Only for All BIND Files | ACCESS CONTROL
2.9 Isolate BIND with chroot'ed Subdirectory | ACCESS CONTROL
3.1 Ignore Erroneous or Unwanted Queries - Link local addresses | SYSTEM AND COMMUNICATIONS PROTECTION
3.1 Ignore Erroneous or Unwanted Queries - Multicast addresses | SYSTEM AND COMMUNICATIONS PROTECTION
3.1 Ignore Erroneous or Unwanted Queries - RFC 1918 10/8; addresses | SYSTEM AND COMMUNICATIONS PROTECTION
3.1 Ignore Erroneous or Unwanted Queries - RFC 1918 172.16/12; addresses | SYSTEM AND COMMUNICATIONS PROTECTION
3.1 Ignore Erroneous or Unwanted Queries - RFC 1918 192.168/16; addresses | SYSTEM AND COMMUNICATIONS PROTECTION
3.2 Restrict Recursive Queries - Authoritative Name Server | SYSTEM AND COMMUNICATIONS PROTECTION
3.3 Restrict Query Origins | SYSTEM AND COMMUNICATIONS PROTECTION
3.4 Restrict Queries of the Cache - Authoritative Only | SYSTEM AND COMMUNICATIONS PROTECTION
4.1 Use TSIG Keys 256 Bits in Length | SYSTEM AND COMMUNICATIONS PROTECTION
4.2 Include Cryptographic Key Files | CONFIGURATION MANAGEMENT
4.3 Use Unique Keys for Each Pair of Hosts - unique keys | CONFIGURATION MANAGEMENT
4.3 Use Unique Keys for Each Pair of Hosts - unique secret | SYSTEM AND COMMUNICATIONS PROTECTION
4.4 Restrict Access to All Key Files - group root/named | ACCESS CONTROL
4.4 Restrict Access to All Key Files - permissions | ACCESS CONTROL
4.4 Restrict Access to All Key Files - user root/named | ACCESS CONTROL
4.5 Protect TSIG Key Files During Deployment |
5.1 Securely Authenticate Zone Transfers | SYSTEM AND COMMUNICATIONS PROTECTION
5.2 Securely Authenticate Dynamic Updates - allow-update none or localhost | SYSTEM AND COMMUNICATIONS PROTECTION
5.2 Securely Authenticate Dynamic Updates - update-policy grant or local | SYSTEM AND COMMUNICATIONS PROTECTION
5.3 Securely Authenticate Update Forwarding | SYSTEM AND COMMUNICATIONS PROTECTION
6.1 Hide BIND Version String | SYSTEM AND COMMUNICATIONS PROTECTION
6.2 Hide Nameserver ID | SYSTEM AND COMMUNICATIONS PROTECTION
7.1 Do Not Define a Static Source Port |
8.1 Apply Applicable Updates | SYSTEM AND INFORMATION INTEGRITY
8.2 Configure a Logging File Channel - category config | AUDIT AND ACCOUNTABILITY
8.2 Configure a Logging File Channel - category dnssec | AUDIT AND ACCOUNTABILITY
8.2 Configure a Logging File Channel - category network | AUDIT AND ACCOUNTABILITY
8.2 Configure a Logging File Channel - category security | AUDIT AND ACCOUNTABILITY
8.2 Configure a Logging File Channel - category update | AUDIT AND ACCOUNTABILITY
8.2 Configure a Logging File Channel - category xfer-in | AUDIT AND ACCOUNTABILITY
8.2 Configure a Logging File Channel - category xfer-out | AUDIT AND ACCOUNTABILITY
8.2 Configure a Logging File Channel - logging section | AUDIT AND ACCOUNTABILITY
8.3 Configure a Logging syslog Channel - syslog | AUDIT AND ACCOUNTABILITY
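The items above that are pure named.conf settings (3.2, 3.4, 4.1, 5.1, 6.1, 6.2, 7.1, 8.2 and 8.3) can be shown side by side as a weak configuration and its hardened form. The script below is an added example, not the Tenable .audit logic or CIS text: it writes two constructed named.conf files, one as an unhardened authoritative server is often found and one meeting those items, and runs a small offline check for each item against both. The function names, the two configs and the 256-bit TSIG secret are all assumptions made for this example (the secret is a made-up base64 string, not a real key). The host-level items (2.x ownership, permissions, chroot, the UID named runs as, 8.1 patching) need the live system and are outside what a text scan can verify.

```shell
#!/bin/sh
# Added example: offline checks for the named.conf items of the CIS BIND
# authoritative benchmark, run against two constructed configs. Not Tenable's
# audit code. Function names and both config files are assumptions.

# Drop // and # comments so a commented-out directive never counts as present.
strip_comments() { sed -e 's|//.*$||' -e 's|#.*$||' "$1"; }

# 3.2 / 3.4: an authoritative-only server neither recurses nor serves a cache.
check_recursion_off()        { strip_comments "$1" | grep -Eq '^[[:space:]]*recursion[[:space:]]+no[[:space:]]*;'; }
check_cache_queries_denied() { strip_comments "$1" | grep -Eq 'allow-query-cache[[:space:]]*\{[[:space:]]*none[[:space:]]*;[[:space:]]*\}'; }

# 4.1: smallest TSIG secret in the file, in bytes. Base64 decodes to len*3/4
# minus padding, so no base64 tool is needed. Prints 999 when no key is defined
# (the check then passes vacuously; keys kept in included files, per 4.2, are not followed).
tsig_min_bytes() {
  min=999
  for s in $(strip_comments "$1" | sed -n 's/.*secret[[:space:]]*"\([^"]*\)".*/\1/p'); do
    unpadded=${s%%=*}
    bytes=$(( ${#s} * 3 / 4 - (${#s} - ${#unpadded}) ))
    if [ "$bytes" -lt "$min" ]; then min=$bytes; fi
  done
  echo "$min"
}
check_tsig_key_length() { [ "$(tsig_min_bytes "$1")" -ge 32 ]; }

# 5.1: zone transfers must be gated on a TSIG key, never "any".
check_transfer_authenticated() {
  if strip_comments "$1" | grep -Eq 'allow-transfer[^}]*[[:space:]{]any[[:space:]]*;'; then return 1; fi
  strip_comments "$1" | grep -Eq 'allow-transfer[^}]*key[[:space:]]+"'
}

# 6.1 / 6.2: the default answers to version.bind and id.server must be overridden.
check_version_hidden()   { strip_comments "$1" | grep -Eq 'version[[:space:]]+"[^"]+"[[:space:]]*;'; }
check_server_id_hidden() { strip_comments "$1" | grep -Eq 'server-id[[:space:]]+none[[:space:]]*;'; }

# 7.1: a fixed query-source port defeats source-port randomisation.
check_no_static_source_port() { ! strip_comments "$1" | grep -Eq 'query-source(-v6)?[^;]*port[[:space:]]+[0-9]+'; }

# 8.2: every category the benchmark names must be routed to a channel.
check_logging_categories() {
  for category in config dnssec network security update xfer-in xfer-out; do
    strip_comments "$1" | grep -Eq "category[[:space:]]+$category[[:space:]]*\{" || return 1
  done
}

# Run every check, report each to stderr, print the number of failures.
audit_named_conf() {
  fails=0
  for chk in check_recursion_off check_cache_queries_denied check_tsig_key_length \
             check_transfer_authenticated check_version_hidden check_server_id_hidden \
             check_no_static_source_port check_logging_categories; do
    if "$chk" "$1"; then echo "PASS $chk" >&2; else echo "FAIL $chk" >&2; fails=$((fails + 1)); fi
  done
  echo "$fails"
}

WEAK_CONF=$(mktemp); HARDENED_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$HARDENED_CONF"' EXIT

# Constructed "before" config: an unhardened authoritative server.
cat >"$WEAK_CONF" <<'EOF'
options {
    directory "/var/named";
    recursion yes;                 // 3.2: open resolver on an authoritative host
    query-source port 53;          // 7.1: static source port
};                                 // 6.1 / 6.2 / 8.2: version, server-id and logging left at defaults
key "xfer-key" { algorithm hmac-md5; secret "AbCdEfGhIjKlMnOpQrStUv=="; };  // 4.1: 128-bit key
zone "example.com" { type master; file "example.com.zone"; allow-transfer { any; }; };  // 5.1
EOF

# Constructed "after" config for an Internet-facing authoritative server.
cat >"$HARDENED_CONF" <<'EOF'
acl "bogus" { 0.0.0.0/8; 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; 169.254.0.0/16; 224.0.0.0/4; };
options {
    directory "/var/named";
    blackhole { bogus; };          // 3.1: only where no legitimate client sits in these ranges
    allow-query { any; };          // 3.3: public zone data; an internal server lists its own networks
    recursion no;                  // 3.2
    allow-query-cache { none; };   // 3.4
    version "not disclosed";       // 6.1
    server-id none;                // 6.2
};                                 // 7.1: no query-source port, so named randomises it
key "xfer-key" {                   // 4.2 / 4.4: in production, an included file, mode 0640, root:named
    algorithm hmac-sha256;
    secret "k2L4q1V8zYpX0eR7tNwB3cM6fJ9hG5sD1aU4oI2lE8Q=";   // 4.1: 32 bytes; constructed, not a real key
};
logging {
    channel named_log { file "/var/log/named/named.log" versions 3 size 5m; severity info; print-time yes; print-category yes; };
    channel to_syslog { syslog daemon; severity info; };   // 8.3
    category config   { named_log; to_syslog; };  category dnssec  { named_log; to_syslog; };
    category network  { named_log; to_syslog; };  category security { named_log; to_syslog; };
    category update   { named_log; to_syslog; };  category xfer-in  { named_log; to_syslog; };
    category xfer-out { named_log; to_syslog; };
};
zone "example.com" {
    type master; file "example.com.zone";
    allow-transfer { key "xfer-key"; };   // 5.1: TSIG-authenticated secondaries only
    allow-update { none; };               // 5.2
};
EOF

echo "weak config: $(audit_named_conf "$WEAK_CONF") failing checks"
echo "hardened config: $(audit_named_conf "$HARDENED_CONF") failing checks"
```

Two caveats a practitioner should keep in mind. The line-oriented greps are deliberately simple and will miss directives split across lines or placed in a `view`; the real audit is run on the host, where `named-checkconf -p` can first flatten the configuration (and resolve `include` files, which matters for 4.1 and 4.2). And the 3.1 `blackhole` of RFC 1918 and link-local space is only correct for a server that never has to answer clients in those ranges; on a split-horizon internal server it silently drops legitimate queries.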