5.1 Securely Authenticate Zone Transfers

Information

A zone transfer is a mechanism commonly used by DNS deployments to replicate zone information from master/primary servers to slave/secondary servers. Each pair of name servers participating in zone transfers should authenticate the requests and ensure the integrity of the responses by using a unique shared-secret TSIG key. BIND can be configured to respond only to authenticated transfer requests by using the allow-transfer statement with a key clause, which restricts transfers to servers that provide a MAC computed with the named key.

Rationale:

An unrestricted zone transfer is a popular information disclosure attack, as it hands over the entire list of resource records for a zone. Very few systems, such as the slave name servers, should be authorized to perform a zone transfer for your domains. Transfer requests should not be authenticated by IP address alone, since IP addresses can be spoofed, but by TSIG keys.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Generate TSIG keys 256 bits in length, unique for each host-to-host communication. Securely transfer the keys and configure the keys to be required in all allow-transfer statements.
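To make the solution concrete, the following is an added example, not text from the CIS benchmark or the Nessus audit item, showing one way to generate a 256-bit HMAC-SHA256 TSIG secret and render the matching BIND configuration for a primary/secondary pair. The zone name example.test, the key name, the file path under /var/named and the address 192.0.2.1 are constructed placeholders; the `type primary` / `primaries` spelling assumes BIND 9.16 or later (older releases use `type master`, `masters` and `type slave`).

```shell
#!/bin/sh
# Added example; not part of the CIS benchmark or the Nessus audit text.
# Generates a 256-bit HMAC-SHA256 TSIG secret and renders the named.conf
# fragments for one primary/secondary pair. Zone, key name, file path and
# addresses are constructed placeholders.

# 32 random bytes = 256 bits, base64-encoded as BIND expects in `secret`.
gen_tsig_secret() {
  head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# Key-length check an auditor would apply: decode the base64 secret and
# report its size in bits (the benchmark requires 256).
tsig_secret_bits() {
  _bytes=$(printf '%s' "$1" | base64 -d | wc -c)
  echo $(( _bytes * 8 ))
}

# Shared key clause; the identical block is installed on both servers.
render_key_clause() { # $1 = key name, $2 = base64 secret
  cat <<EOF
key "$1" {
    algorithm hmac-sha256;
    secret "$2";
};
EOF
}

# Primary side: allow-transfer names the key, so only requests carrying a
# valid MAC under that key are answered; an address list alone is not used.
render_primary_zone() { # $1 = zone, $2 = key name
  cat <<EOF
zone "$1" {
    type primary;
    file "/var/named/$1.db";
    allow-transfer { key "$2"; };
};
EOF
}

# Secondary side: sign outbound transfer requests to the primary with the
# same key, and refuse to hand the zone on to anyone else.
render_secondary_zone() { # $1 = zone, $2 = key name, $3 = primary address
  cat <<EOF
zone "$1" {
    type secondary;
    primaries { $3 key "$2"; };
    file "/var/named/$1.db";
    allow-transfer { none; };
};
EOF
}

# Demo run with constructed values.
main() {
  zone="example.test"
  keyname="ns1-ns2.example.test."
  secret=$(gen_tsig_secret)
  echo "# key is $(tsig_secret_bits "$secret") bits"
  render_key_clause "$keyname" "$secret"
  render_primary_zone "$zone" "$keyname"
  render_secondary_zone "$zone" "$keyname" "192.0.2.1"
}

main "$@"
```

Run it once per primary/secondary pair, install the key clause on both servers over an authenticated channel (never inside the zone data), keep the file holding the secret readable only by the named user, and compare the reported key length against the 256-bit requirement when reviewing compliance.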

Default Value:

If the allow-transfer statement is missing, then transfers are allowed to any host.

See Also

https://workbench.cisecurity.org/files/1735

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-20b., CSCv6|9.1

Plugin: Unix

Control ID: 4f7c0c88759d152b4b548fd9c1037f9f70017b224239359ff73dcc12cf6566bb