BIND-9X-000001 - A BIND 9.x server implementation must be running in a chroot(ed) directory structure.

800-53|SC-4

CAT|III

CCI|CCI-001090

Rule-ID|SV-207532r612253_rule

STIG-ID|BIND-9X-000001

STIG-Legacy|SV-86987

STIG-Legacy|V-72363

Vuln-ID|V-207532

BIND-9X-001000 - A BIND 9.x server implementation must be operating on a Current-Stable version as defined by ISC.

800-53|CM-6b.

CAT|I

CCI|CCI-000366

Rule-ID|SV-207533r612253_rule

STIG-ID|BIND-9X-001000

STIG-Legacy|SV-86989

STIG-Legacy|V-72365

Vuln-ID|V-207533

BIND-9X-001002 - The platform on which the name server software is hosted must only run processes and services needed to support the BIND 9.x implementation.

CAT|II

Rule-ID|SV-207534r612253_rule

STIG-ID|BIND-9X-001002

STIG-Legacy|SV-86991

STIG-Legacy|V-72367

Vuln-ID|V-207534

BIND-9X-001003 - The BIND 9.x server software must run with restricted privileges.

Rule-ID|SV-207535r612253_rule

STIG-ID|BIND-9X-001003

STIG-Legacy|SV-86993

STIG-Legacy|V-72369

Vuln-ID|V-207535

BIND-9X-001004 - The host running a BIND 9.X implementation must implement a set of firewall rules that restrict traffic on the DNS interface - drop

Rule-ID|SV-207536r612253_rule

STIG-ID|BIND-9X-001004

STIG-Legacy|SV-86995

STIG-Legacy|V-72371

Vuln-ID|V-207536

BIND-9X-001004 - The host running a BIND 9.X implementation must implement a set of firewall rules that restrict traffic on the DNS interface - tcp

BIND-9X-001004 - The host running a BIND 9.X implementation must implement a set of firewall rules that restrict traffic on the DNS interface - udp

BIND-9X-001005 - The host running a BIND 9.x implementation must use a dedicated management interface in order to separate management traffic from DNS specific traffic.

Rule-ID|SV-207537r612253_rule

STIG-ID|BIND-9X-001005

STIG-Legacy|SV-86997

STIG-Legacy|V-72373

Vuln-ID|V-207537

BIND-9X-001006 - The host running a BIND 9.x implementation must use an interface that is configured to process only DNS traffic.

Rule-ID|SV-207538r612253_rule

STIG-ID|BIND-9X-001006

STIG-Legacy|SV-86999

STIG-Legacy|V-72375

Vuln-ID|V-207538

BIND-9X-001010 - A BIND 9.x server implementation must be configured to allow DNS administrators to audit all DNS server components, based on selectable event criteria, and produce audit records within all DNS server components that contain information for failed security verification tests, information to establish the outcome and source of the events, any information necessary to determine cause of failure, and any information necessary to return to operations with least disruption to mission processes - category

800-53|AU-3

800-53|AU-12(3)

800-53|AU-12a.

800-53|SC-24

800-53|SI-6c.

CCI|CCI-000133

CCI|CCI-000134

CCI|CCI-000169

CCI|CCI-001294

CCI|CCI-001665

CCI|CCI-001914

Rule-ID|SV-207539r612253_rule

STIG-ID|BIND-9X-001010

STIG-Legacy|SV-87001

STIG-Legacy|V-72377

Vuln-ID|V-207539

BIND-9X-001010 - A BIND 9.x server implementation must be configured to allow DNS administrators to audit all DNS server components, based on selectable event criteria, and produce audit records within all DNS server components that contain information for failed security verification tests, information to establish the outcome and source of the events, any information necessary to determine cause of failure, and any information necessary to return to operations with least disruption to mission processes - channel

BIND-9X-001010 - A BIND 9.x server implementation must be configured to allow DNS administrators to audit all DNS server components, based on selectable event criteria, and produce audit records within all DNS server components that contain information for failed security verification tests, information to establish the outcome and source of the events, any information necessary to determine cause of failure, and any information necessary to return to operations with least disruption to mission processes - logging

BIND-9X-001017 - The BIND 9.x server implementation must not be configured with a channel to send audit records to null.

800-53|AU-9(2)

CCI|CCI-001348

Rule-ID|SV-207540r612253_rule

STIG-ID|BIND-9X-001017

STIG-Legacy|SV-87003

STIG-Legacy|V-72379

Vuln-ID|V-207540

BIND-9X-001020 - The BIND 9.x server logging configuration must be configured to generate audit records for all DoD-defined auditable events to a local file by enabling triggers for all events with a severity of info, notice, warning, error, and critical for all DNS components.

Rule-ID|SV-207541r612253_rule

STIG-ID|BIND-9X-001020

STIG-Legacy|SV-87005

STIG-Legacy|V-72381

Vuln-ID|V-207541

BIND-9X-001021 - In the event of an error when validating the binding of other DNS servers identity to the BIND 9.x information, when anomalies in the operation of the signed zone transfers are discovered, for the success and failure of start and stop of the name server service or daemon, and for the success and failure of all name server events, a BIND 9.x server implementation must generate a log entry.

800-53|AU-10(2)(b)

800-53|AU-12c.

800-53|SI-6d.

CCI|CCI-000172

CCI|CCI-001906

CCI|CCI-002702

Rule-ID|SV-207542r612253_rule

STIG-ID|BIND-9X-001021

STIG-Legacy|SV-87007

STIG-Legacy|V-72383

Vuln-ID|V-207542

BIND-9X-001030 - The print-severity variable for the configuration of BIND 9.x server logs must be configured to produce audit records containing information to establish what type of events occurred.

CCI|CCI-000130

Rule-ID|SV-207543r612253_rule

STIG-ID|BIND-9X-001030

STIG-Legacy|SV-87009

STIG-Legacy|V-72385

Vuln-ID|V-207543

BIND-9X-001031 - The print-time variable for the configuration of BIND 9.x server logs must be configured to establish when (date and time) the events occurred.

CCI|CCI-000131

Rule-ID|SV-207544r612253_rule

STIG-ID|BIND-9X-001031

STIG-Legacy|SV-87011

STIG-Legacy|V-72387

Vuln-ID|V-207544

BIND-9X-001032 - The print-category variable for the configuration of BIND 9.x server logs must be configured to record information indicating which process generated the events.

CCI|CCI-000132

Rule-ID|SV-207545r612253_rule

STIG-ID|BIND-9X-001032

STIG-Legacy|SV-87013

STIG-Legacy|V-72389

Vuln-ID|V-207545

BIND-9X-001040 - The BIND 9.x server implementation must be configured with a channel to send audit records to a remote syslog - named syslog

Rule-ID|SV-207546r744225_rule

STIG-ID|BIND-9X-001040

STIG-Legacy|SV-87015

STIG-Legacy|V-72391

Vuln-ID|V-207546

BIND-9X-001040 - The BIND 9.x server implementation must be configured with a channel to send audit records to a remote syslog - rsyslog/syslog

BIND-9X-001040 - The BIND 9.x server implementation must be configured with a channel to send audit records to a remote syslog - syslog

BIND-9X-001041 - The BIND 9.x server implementation must be configured with a channel to send audit records to a local file.

Rule-ID|SV-207547r744227_rule

STIG-ID|BIND-9X-001041

STIG-Legacy|SV-87017

STIG-Legacy|V-72393

Vuln-ID|V-207547

BIND-9X-001042 - The BIND 9.x server implementation must maintain at least 3 file versions of the local log file.

Rule-ID|SV-207548r612253_rule

STIG-ID|BIND-9X-001042

STIG-Legacy|SV-87019

STIG-Legacy|V-72395

Vuln-ID|V-207548

BIND-9X-001050 - The BIND 9.x secondary name server must limit the number of zones requested from a single master name server.

800-53|AC-10

CCI|CCI-000054

Rule-ID|SV-207549r612253_rule

STIG-ID|BIND-9X-001050

STIG-Legacy|SV-87021

STIG-Legacy|V-72397

Vuln-ID|V-207549

BIND-9X-001051 - The BIND 9.x secondary name server must limit the total number of zones the name server can request at any one time.

Rule-ID|SV-207550r612253_rule

STIG-ID|BIND-9X-001051

STIG-Legacy|SV-87023

STIG-Legacy|V-72399

Vuln-ID|V-207550

BIND-9X-001052 - The BIND 9.x server implementation must limit the number of concurrent session client connections to the number of allowed dynamic update clients.

Rule-ID|SV-207551r612253_rule

STIG-ID|BIND-9X-001052

STIG-Legacy|SV-87025

STIG-Legacy|V-72401

Vuln-ID|V-207551

BIND-9X-001053 - The BIND 9.x server implementation must be configured to use only approved ports and protocols.

800-53|CM-7b.

CCI|CCI-000382

Rule-ID|SV-207552r612253_rule

STIG-ID|BIND-9X-001053

STIG-Legacy|SV-87027

STIG-Legacy|V-72403

Vuln-ID|V-207552

BIND-9X-001054 - A BIND 9.x server implementation must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of Denial of Service (DoS) attacks - options allow-query

800-53|SC-5(2)

CCI|CCI-001095

Rule-ID|SV-207553r612253_rule

STIG-ID|BIND-9X-001054

STIG-Legacy|SV-87029

STIG-Legacy|V-72405

Vuln-ID|V-207553

BIND-9X-001054 - A BIND 9.x server implementation must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of Denial of Service (DoS) attacks - recursion

BIND-9X-001054 - A BIND 9.x server implementation must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of Denial of Service (DoS) attacks - zone allow-query

BIND-9X-001055 - A BIND 9.x server implementation must prohibit recursion on authoritative name servers - allow-recursion

800-53|SC-5(1)

CCI|CCI-001094

Rule-ID|SV-207554r612253_rule

STIG-ID|BIND-9X-001055

STIG-Legacy|SV-87031

STIG-Legacy|V-72407

Vuln-ID|V-207554

BIND-9X-001055 - A BIND 9.x server implementation must prohibit recursion on authoritative name servers - options allow-query

BIND-9X-001055 - A BIND 9.x server implementation must prohibit recursion on authoritative name servers - recursion

BIND-9X-001055 - A BIND 9.x server implementation must prohibit recursion on authoritative name servers - zone allow-query

BIND-9X-001057 - The master servers in a BIND 9.x implementation must notify authorized secondary name servers when zone files are updated - notify

Rule-ID|SV-207555r612253_rule

STIG-ID|BIND-9X-001057

STIG-Legacy|SV-87033

STIG-Legacy|V-72409

Vuln-ID|V-207555

BIND-9X-001057 - The master servers in a BIND 9.x implementation must notify authorized secondary name servers when zone files are updated - zone also-notify

BIND-9X-001057 - The master servers in a BIND 9.x implementation must notify authorized secondary name servers when zone files are updated - zone notify explicit

BIND-9X-001058 - The secondary name servers in a BIND 9.x implementation must be configured to initiate zone update notifications to other authoritative zone name servers - options notify

Rule-ID|SV-207556r612253_rule

STIG-ID|BIND-9X-001058

STIG-Legacy|SV-87035

STIG-Legacy|V-72411

Vuln-ID|V-207556

BIND-9X-001058 - The secondary name servers in a BIND 9.x implementation must be configured to initiate zone update notifications to other authoritative zone name servers - zone allow-notify

Detections

Analytics

DISA BIND 9.x STIG v2r2

Audit Details

File Details

Audit Changelog

Revision 1.4

Miscellaneous

Revision 1.3

Miscellaneous

Revision 1.2

Miscellaneous

Revision 1.1

Miscellaneous


Revision 1.4 Apr 12, 2023 Miscellaneous Metadata updated. Platform check updated. Variables updated.
Revision 1.3 Mar 7, 2023 Miscellaneous Metadata updated. References updated.
Revision 1.2 Dec 7, 2022 Miscellaneous Variables updated.
Revision 1.1 Apr 25, 2022 Miscellaneous References updated.

Detections

Analytics

DISA BIND 9.x STIG v2r2 Download File

Audit Details

File Details

Audit Changelog

Revision 1.4

Miscellaneous

Revision 1.3

Miscellaneous

Revision 1.2

Miscellaneous

Revision 1.1

Miscellaneous

DISA BIND 9.x STIG v2r2