3.4 Restrict Queries of the Cache - Authoritative Only

Information

The BIND option allow-query-cache may be used to restrict or allow BIND to provide answers to queries from its cache of previously resolved queries. An authoritative-only name server should not allow cache queries except from the localhost. A caching-only name server should allow cache queries only from the list of authorized networks.

Rationale:

Caching-only name servers are critical to the security of all of the clients and servers using them, so only the local authorized networks should be allowed to perform queries of the server's cache. In addition to sending malicious malformed queries, an attacker could use information about what is or is not in the name server's cache to help set up a DNS attack against the systems using the caching name server.

Solution

Authoritative Only Name Server:

For an authoritative-only name server, insert the following either into the global options or into every zone section.

allow-query-cache { localhost; };

Caching Only Name Server:

Use the previously defined ACL named trusted_clients, which identifies the networks that are expected to use the DNS caching server and that will be allowed to send DNS cache queries.

allow-query-cache { localhost; trusted_clients; };

Default Value:

If the allow-query-cache option is not present in the configuration, the value of the allow-recursion setting is used. If allow-recursion is also not present, then the allow-query setting is used, unless recursion is set to no, in which case the default is none. If allow-query is not present either, the default is localnets and localhost.
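The inheritance chain above is where misconfigurations hide: a server with allow-query { any; } and no explicit allow-query-cache ends up answering cache queries from anywhere. The following Python audit script is an added example, not part of the benchmark or of BIND; it assumes named.conf text with a single global options block (no views, no nested address-match-lists), derives the effective allow-query-cache ACL using the default rules stated above, and checks it against the authoritative-only and caching-only requirements of this item. The sample configurations embedded in it are constructed for illustration.

```python
import re

# Constructed sample configurations (not from any real deployment).
AUTH_CONF = """
options {
    directory "/var/named";
    recursion no;
    allow-query { any; };
    allow-query-cache { localhost; };
};
"""

CACHE_CONF = """
acl trusted_clients { 192.0.2.0/24; 2001:db8::/32; };
options {
    recursion yes;
    allow-query { trusted_clients; localhost; };
    allow-query-cache { localhost; trusted_clients; };
};
"""

# No allow-query-cache and no allow-recursion: the cache ACL is inherited
# from allow-query, which here is open to any address.
INHERITED_CONF = """
options {
    recursion yes;
    allow-query { any; };
};
"""

BUILTIN_ACLS = {"any", "none", "localhost", "localnets"}


def _acl(conf: str, option: str):
    """Return the elements of `option { ...; };`, or None if the option is absent.
    The negative lookbehind stops 'allow-query' from matching inside
    'allow-query-cache', and '\\s*\\{' stops it matching 'allow-query-on'."""
    pattern = r"(?<![\w-])" + re.escape(option) + r"\s*\{([^}]*)\}\s*;"
    m = re.search(pattern, conf)
    if m is None:
        return None
    return [e.strip() for e in m.group(1).split(";") if e.strip()]


def _recursion_enabled(conf: str) -> bool:
    """BIND defaults to 'recursion yes' when the statement is absent."""
    m = re.search(r"(?<![\w-])recursion\s+(yes|no)\s*;", conf)
    return m is None or m.group(1) == "yes"


def effective_query_cache_acl(conf: str):
    """Apply the benchmark's default-value rules: allow-query-cache, else
    allow-recursion, else allow-query unless 'recursion no' (then none),
    else the built-in default of localnets and localhost."""
    explicit = _acl(conf, "allow-query-cache")
    if explicit is not None:
        return explicit
    recursion_acl = _acl(conf, "allow-recursion")
    if recursion_acl is not None:
        return recursion_acl
    if not _recursion_enabled(conf):
        return ["none"]
    query_acl = _acl(conf, "allow-query")
    if query_acl is not None:
        return query_acl
    return ["localnets", "localhost"]


def defined_acls(conf: str):
    """Names declared with top-level `acl name { ... };` statements."""
    return set(re.findall(r'(?m)^\s*acl\s+"?([\w-]+)"?\s*\{', conf))


def _is_address(elem: str) -> bool:
    """Literal IPv4/IPv6 address or prefix (optionally negated with '!')."""
    return re.fullmatch(r"!?[0-9a-fA-F.:/]+", elem) is not None


def audit_query_cache(conf: str, role: str):
    """Return a list of findings; an empty list means the item is satisfied.
    role is 'authoritative' (cache queries only from localhost) or
    'caching' (no 'any', and every named ACL must actually be defined)."""
    acl = effective_query_cache_acl(conf)
    findings = []
    if role == "authoritative":
        if acl != ["localhost"]:
            findings.append(f"allow-query-cache should be {{ localhost; }}; effective value is {acl}")
    elif role == "caching":
        if "any" in acl:
            findings.append(f"cache queries are open to any address (effective ACL {acl})")
        for elem in acl:
            if elem not in BUILTIN_ACLS and not _is_address(elem) and elem not in defined_acls(conf):
                findings.append(f"ACL '{elem}' is referenced but never defined")
    else:
        raise ValueError(f"unknown role {role!r}")
    return findings


if __name__ == "__main__":
    for name, conf, role in [("authoritative", AUTH_CONF, "authoritative"),
                             ("caching", CACHE_CONF, "caching"),
                             ("inherited", INHERITED_CONF, "caching")]:
        print(name, effective_query_cache_acl(conf), audit_query_cache(conf, role) or "OK")
```

The inherited case is the one worth noticing: the configuration contains no allow-query-cache line at all, yet the effective cache ACL is `any`, which is exactly the exposure the rationale describes. The script deliberately reads only the first match of each option, so it does not understand views, per-zone overrides, or nested `{ !{ ... }; }` lists; named-checkconf -p, which prints the fully expanded configuration, is the authoritative source for what BIND actually loads.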

See Also

https://workbench.cisecurity.org/files/1735

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-20, CSCv6|9

Plugin: Unix

Control ID: fb1d7f922fdc961f99b61076a0c16052a7622949438bb7ada95e008e7a933552