7.1 Do Not Define a Static Source Port

Information

BIND can be configured to always use the same source port when communicating with other DNS servers. This capability is made possible through the query-source port option, and the query-source-v6 port option. It is recommended that the source port be omitted if the query-source option is used, or that the port be specified as a *, so that the port will not be a static port number.

Rationale:

DNS attacks which involve spoofing a bogus DNS reply may require the attacker to guess the source port number of the request, if the attacker is unable to see the initial DNS query. Making the source port static makes the attack easier, as it eliminates the effort of getting the correct destination port number for the spoofed reply. Instead of a static source port, the port number should be selected randomly from the client ephemeral ports.

Solution

Either remove the port specification from the query-source or the query-source-v6 option, or use a * for the port number so that named picks a random ephemeral port for each query.
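As an added illustration (not part of the CIS benchmark text or of Tenable's audit plugin), the POSIX shell script below shows the non-compliant and the corrected named.conf fragments side by side and runs a simple check over a configuration file to flag a query-source or query-source-v6 directive that pins a numeric port. The sample configurations are constructed inline and written to temporary files; the file paths and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example: detect a static query-source port in a BIND named.conf.
# Not taken from the CIS benchmark or the audit plugin; names/paths are assumed.

# check_query_source_port FILE
#   Returns 0 when no static source port is configured, 1 when one is found.
#   Handles "//" and "#" line comments; C-style /* */ block comments and
#   directives split across several lines are not handled by this simple check.
check_query_source_port() {
    conf="$1"
    # Strip line comments, keep only query-source / query-source-v6 lines,
    # then look for the "port" keyword followed by a number (a static port).
    # "port *" and an omitted port are both compliant and do not match.
    static=$(sed -e 's,//.*$,,' -e 's,#.*$,,' "$conf" \
        | grep -E 'query-source(-v6)?[[:space:]]' \
        | grep -E 'port[[:space:]]+[0-9]+' || true)
    if [ -n "$static" ]; then
        printf 'FAIL: static source port configured in %s:\n%s\n' "$conf" "$static"
        return 1
    fi
    printf 'PASS: no static query-source port in %s\n' "$conf"
    return 0
}

# write_sample_configs
#   Creates two constructed named.conf samples (temporary files) and exports
#   their paths in $bad_conf and $good_conf.
write_sample_configs() {
    bad_conf=$(mktemp)
    good_conf=$(mktemp)

    # Non-compliant: the source port is pinned, so a spoofed reply only needs
    # the transaction ID to be guessed.
    cat > "$bad_conf" <<'EOF'
options {
    directory "/var/named";
    listen-on port 53 { any; };          // listen port is not the issue here
    query-source address * port 53;      // static source port (fails)
    query-source-v6 address * port 53;   # static source port (fails)
};
EOF

    # Compliant: port omitted on one directive, wildcard on the other, so
    # named selects a random ephemeral port per query.
    cat > "$good_conf" <<'EOF'
options {
    directory "/var/named";
    listen-on port 53 { any; };
    query-source address 192.0.2.10;     // port omitted (passes)
    query-source-v6 address * port *;    // wildcard port (passes)
    // query-source address * port 53;   // commented out, ignored by the check
};
EOF
}

# Demonstration run (kept tolerant of "set -e" by using "||").
write_sample_configs
check_query_source_port "$bad_conf" || echo "(expected: non-compliant sample)"
check_query_source_port "$good_conf" || echo "(unexpected: compliant sample flagged)"
```

Running the script prints a FAIL line quoting the two pinned-port directives from the first sample and a PASS line for the second. The same function can be pointed at a real /etc/named.conf (path assumed) from a cron job or a configuration-management check; a non-zero exit status is the signal that the static port should be removed or replaced by *.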

Default Value:

The default is to not use a static source port for queries.

See Also

https://workbench.cisecurity.org/files/2997

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-4, CSCv6|9, CSCv7|9.2

Plugin: Unix

Control ID: 2546428d0592871876465c33c3ddea3d277927ccf72210840b1f2f23efc5548f