DISA BIND 9.x STIG v2r3

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.


Audit Details

Name: DISA BIND 9.x STIG v2r3

Updated: 3/4/2026

Authority: DISA STIG

Plugin: Unix

Revision: 1.2

Estimated Item Count: 71

File Details

Filename: DISA_STIG_BIND_9_v2r3.audit

Size: 191 kB

MD5: 99590fcf70ecc2a587e38acd1f2e6e72
SHA256: da777d2fd32b0e09ee4bb1ae7cd5f198619bd36792978bb46a42dd5d86cbb688

Audit Items

Description | Categories
BIND-9X-000001 - A BIND 9.x server implementation must be running in a chroot(ed) directory structure.
BIND-9X-001000 - A BIND 9.x server implementation must be operating on a Current-Stable version as defined by ISC.
BIND-9X-001002 - The platform on which the name server software is hosted must only run processes and services needed to support the BIND 9.x implementation.
BIND-9X-001003 - The BIND 9.x server software must run with restricted privileges.
BIND-9X-001004 - The host running a BIND 9.X implementation must implement a set of firewall rules that restrict traffic on the DNS interface.
BIND-9X-001005 - The host running a BIND 9.x implementation must use a dedicated management interface in order to separate management traffic from DNS specific traffic.
BIND-9X-001006 - The host running a BIND 9.x implementation must use an interface that is configured to process only DNS traffic.
BIND-9X-001010 - A BIND 9.x server implementation must be configured to allow DNS administrators to audit all DNS server components, based on selectable event criteria, and produce audit records within all DNS server components that contain information for failed security verification tests, information to establish the outcome and source of the events, any information necessary to determine cause of failure, and any information necessary to return to operations with least disruption to mission processes.
BIND-9X-001017 - The BIND 9.x server implementation must not be configured with a channel to send audit records to null.
BIND-9X-001020 - The BIND 9.x server logging configuration must be configured to generate audit records for all DoD-defined auditable events to a local file by enabling triggers for all events with a severity of info, notice, warning, error, and critical for all DNS components.
BIND-9X-001021 - In the event of an error when validating the binding of other DNS servers' identity to the BIND 9.x information, when anomalies in the operation of the signed zone transfers are discovered, for the success and failure of start and stop of the name server service or daemon, and for the success and failure of all name server events, a BIND 9.x server implementation must generate a log entry.
BIND-9X-001030 - The print-severity variable for the configuration of BIND 9.x server logs must be configured to produce audit records containing information to establish what type of events occurred.
BIND-9X-001031 - The print-time variable for the configuration of BIND 9.x server logs must be configured to establish when (date and time) the events occurred.
BIND-9X-001032 - The print-category variable for the configuration of BIND 9.x server logs must be configured to record information indicating which process generated the events.
BIND-9X-001040 - The BIND 9.x server implementation must be configured with a channel to send audit records to a remote syslog.
BIND-9X-001041 - The BIND 9.x server implementation must be configured with a channel to send audit records to a local file.
BIND-9X-001042 - The BIND 9.x server implementation must maintain at least 3 file versions of the local log file.
BIND-9X-001050 - The BIND 9.x secondary name server must limit the number of zones requested from a single master name server.
BIND-9X-001051 - The BIND 9.x secondary name server must limit the total number of zones the name server can request at any one time.
BIND-9X-001052 - The BIND 9.x server implementation must limit the number of concurrent session client connections to the number of allowed dynamic update clients.
BIND-9X-001053 - The BIND 9.x server implementation must be configured to use only approved ports and protocols.
BIND-9X-001054 - A BIND 9.x server implementation must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of Denial of Service (DoS) attacks.
BIND-9X-001055 - A BIND 9.x server implementation must prohibit recursion on authoritative name servers.
BIND-9X-001057 - The master servers in a BIND 9.x implementation must notify authorized secondary name servers when zone files are updated.
BIND-9X-001058 - The secondary name servers in a BIND 9.x implementation must be configured to initiate zone update notifications to other authoritative zone name servers.
BIND-9X-001059 - On the BIND 9.x server the platform on which the name server software is hosted must be configured to send outgoing DNS messages from a random port.
BIND-9X-001060 - A BIND 9.x caching name server must implement DNSSEC validation to check all DNS queries for invalid input.
BIND-9X-001070 - A BIND 9.x master name server must limit the number of concurrent zone transfers between authorized secondary name servers.
BIND-9X-001080 - A BIND 9.x implementation configured as a caching name server must restrict recursive queries to only the IP addresses and IP address ranges of known supported clients.
BIND-9X-001100 - The BIND 9.x server implementation must uniquely identify and authenticate the other DNS server before responding to a server-to-server transaction, zone transfer and/or dynamic update request using cryptographically based bidirectional authentication to protect the integrity of the information in transit.
BIND-9X-001106 - The BIND 9.x server implementation must utilize separate TSIG key-pairs when securing server-to-server transactions.
BIND-9X-001110 - The TSIG keys used with the BIND 9.x implementation must be owned by a privileged account.
BIND-9X-001111 - The TSIG keys used with the BIND 9.x implementation must be group owned by a privileged account.
BIND-9X-001112 - The read and write access to a TSIG key file used by a BIND 9.x server must be restricted to only the account that runs the name server software.
BIND-9X-001113 - The BIND 9.X implementation must not utilize a TSIG or DNSSEC key for more than one year.
BIND-9X-001120 - A BIND 9.x server must implement NIST FIPS-validated cryptography for provisioning digital signatures and generating cryptographic hashes.
BIND-9X-001130 - The DNSSEC keys used with the BIND 9.x implementation must be owned by a privileged account.
BIND-9X-001131 - The DNSSEC keys used with the BIND 9.x implementation must be group owned by a privileged account.
BIND-9X-001132 - Permissions assigned to the DNSSEC keys used with the BIND 9.x implementation must enforce read-only access to the key owner and deny access to all other users.
BIND-9X-001133 - The BIND 9.x server private key corresponding to the ZSK pair must be the only DNSSEC key kept on a name server that supports dynamic updates.
BIND-9X-001134 - On the BIND 9.x server the private keys corresponding to both the ZSK and the KSK must not be kept on the BIND 9.x DNSSEC-aware primary authoritative name server when the name server does not support dynamic updates.
BIND-9X-001140 - The two files generated by the BIND 9.x server dnssec-keygen program must be owned by the root account, or deleted, after they have been copied to the key file in the name server.
BIND-9X-001141 - The two files generated by the BIND 9.x server dnssec-keygen program must be group owned by the server administrator account, or deleted, after they have been copied to the key file in the name server.
BIND-9X-001142 - Permissions assigned to the dnssec-keygen keys used with the BIND 9.x implementation must enforce read-only access to the key owner and deny access to all other users.
BIND-9X-001150 - The BIND 9.x server signature generation using the KSK must be done off-line, using the KSK-private key stored off-line.
BIND-9X-001200 - A BIND 9.x server implementation must maintain the integrity and confidentiality of DNS information while it is being prepared for transmission, in transmission, and in use, and it must perform integrity verification and data origin verification for all DNS information.
BIND-9X-001310 - A BIND 9.x server implementation must provide the means to indicate the security status of child zones.
BIND-9X-001311 - The BIND 9.x server validity period for the RRSIGs covering the DS RR for a zone's delegated children must be no less than two days and no more than one week.
BIND-9X-001320 - The core BIND 9.x server files must be owned by the root or BIND 9.x process account.
BIND-9X-001321 - The core BIND 9.x server files must be group owned by a group designated for DNS administration only.