CIS BIND DNS v3.0.1 Caching Only Name Server

Audit Details

Name: CIS BIND DNS v3.0.1 Caching Only Name Server

Updated: 4/25/2022

Authority: CIS

Plugin: Unix

Revision: 1.12

Estimated Item Count: 52

File Details

Filename: CIS_ISC_BIND_DNS_Server_9.9_Benchmark_v3.0.1_CachingOnly.audit

Size: 122 kB

MD5: de2cc07f4b02b83eff7b634249481c95
SHA256: e84b9e285b3444a41480a95ef42ed913c3d4eddf55ee27d9ff754a970576e639

Audit Items

Description | Categories
1.1 Use a Split-Horizon Architecture |
1.2 Do Not Install a Multi-Use System - chkconfig | CONFIGURATION MANAGEMENT
1.2 Do Not Install a Multi-Use System - systemctl | CONFIGURATION MANAGEMENT
1.3 Dedicated Name Server Role | SYSTEM AND COMMUNICATIONS PROTECTION
1.4 Use Secure Upstream Caching DNS Servers |
1.5 Installing ISC BIND 9 - bind9 installation |
1.5 Installing ISC BIND 9 - named location | CONFIGURATION MANAGEMENT
2.1 Run BIND as a non-root User - process -u named | ACCESS CONTROL
2.1 Run BIND as a non-root User - UID | ACCESS CONTROL
2.2 Give the BIND User Account an Invalid Shell | ACCESS CONTROL
2.3 Lock the BIND User Account | ACCESS CONTROL
2.4 Set root Ownership of BIND Directories | ACCESS CONTROL
2.5 Set root Ownership of BIND Configuration Files | ACCESS CONTROL
2.6 Set Group named or root for BIND Directories and Files | ACCESS CONTROL
2.7 Set Group and Other Permissions Read-Only for BIND Non-Runtime Directories - 'group' permissions | ACCESS CONTROL
2.7 Set Group and Other Permissions Read-Only for BIND Non-Runtime Directories - 'other' permissions | ACCESS CONTROL
2.8 Set Group and Other Permissions Read-Only for All BIND Files | ACCESS CONTROL
2.9 Isolate BIND with chroot'ed Subdirectory | ACCESS CONTROL
3.1 Ignore Erroneous or Unwanted Queries - Link local addresses | SYSTEM AND COMMUNICATIONS PROTECTION
3.1 Ignore Erroneous or Unwanted Queries - Multicast addresses | SYSTEM AND COMMUNICATIONS PROTECTION
3.1 Ignore Erroneous or Unwanted Queries - RFC 1918 10/8; addresses | SYSTEM AND COMMUNICATIONS PROTECTION
3.1 Ignore Erroneous or Unwanted Queries - RFC 1918 172.16/12; addresses | SYSTEM AND COMMUNICATIONS PROTECTION
3.1 Ignore Erroneous or Unwanted Queries - RFC 1918 192.168/16; addresses | SYSTEM AND COMMUNICATIONS PROTECTION
3.2 Restrict Recursive Queries - Caching Name Server | SYSTEM AND COMMUNICATIONS PROTECTION
3.3 Restrict Query Origins | SYSTEM AND COMMUNICATIONS PROTECTION
3.4 Restrict Queries of the Cache - Caching Only | SYSTEM AND COMMUNICATIONS PROTECTION
4.1 Use TSIG Keys 256 Bits in Length | SYSTEM AND COMMUNICATIONS PROTECTION
4.2 Include Cryptographic Key Files | CONFIGURATION MANAGEMENT
4.3 Use Unique Keys for Each Pair of Hosts - unique keys | CONFIGURATION MANAGEMENT
4.3 Use Unique Keys for Each Pair of Hosts - unique secret | SYSTEM AND COMMUNICATIONS PROTECTION
4.4 Restrict Access to All Key Files - group root/named | ACCESS CONTROL
4.4 Restrict Access to All Key Files - permissions | ACCESS CONTROL
4.4 Restrict Access to All Key Files - user root/named | ACCESS CONTROL
5.1 Securely Authenticate Zone Transfers | SYSTEM AND COMMUNICATIONS PROTECTION
6.1 Hide BIND Version String | SYSTEM AND COMMUNICATIONS PROTECTION
6.2 Hide Nameserver ID | SYSTEM AND COMMUNICATIONS PROTECTION
7.1 Do Not Define a Static Source Port |
7.2 Enable DNSSEC Validation - dnssec-enable | SYSTEM AND COMMUNICATIONS PROTECTION
7.2 Enable DNSSEC Validation - dnssec-validation | SYSTEM AND COMMUNICATIONS PROTECTION
7.3 Disable the dnssec-accept-expired Option |
8.1 Apply Applicable Updates | SYSTEM AND INFORMATION INTEGRITY
8.2 Configure a Logging File Channel - category config | AUDIT AND ACCOUNTABILITY
8.2 Configure a Logging File Channel - category dnssec | AUDIT AND ACCOUNTABILITY
8.2 Configure a Logging File Channel - category network | AUDIT AND ACCOUNTABILITY
8.2 Configure a Logging File Channel - category security | AUDIT AND ACCOUNTABILITY
8.2 Configure a Logging File Channel - category update | AUDIT AND ACCOUNTABILITY
8.2 Configure a Logging File Channel - category xfer-in | AUDIT AND ACCOUNTABILITY
8.2 Configure a Logging File Channel - category xfer-out | AUDIT AND ACCOUNTABILITY
8.2 Configure a Logging File Channel - logging section | AUDIT AND ACCOUNTABILITY
8.3 Configure a Logging syslog Channel - syslog | AUDIT AND ACCOUNTABILITY