3.3 Restrict Query Origins

Information

BIND can be configured to restrict access to its query services based on source IP address. It is recommended that the allow-query option be used to restrict access to only the networks authorized to use the name server. For an external authoritative-only name server, the authorized networks may include all networks; however, for internal authoritative or caching name servers the authorized networks should be explicitly configured.

Rationale:

Using allow-query in conjunction with an ACL of trusted networks will reduce the risk of unauthorized access to name service content. Additionally, the exposure of vulnerabilities present in BIND's query handlers is reduced by this configuration, as requests with an untrusted source will be rejected before the request is fully parsed by named. Keep in mind, however, that source IP addresses can be easily spoofed, and the firewall and network architecture also need to protect internal name servers from external spoofed requests.

Solution

For remediation:

- Create an ACL for the authorized trusted networks in the named.conf file.
acl authorized_networks { 10.10.32.0/24; 10.10.34.0/24; . . . };

- Add the allow-query statement to the global options of the named.conf file with the localhost ACL and the authorized trusted networks ACL.
allow-query { localhost; authorized_networks; };
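
The check an auditor would script for this item, as an added Python example that is not part of the CIS benchmark or the Tenable audit file: it parses two constructed named.conf fragments, looks for allow-query in the global options block (assumed to be where the statement lives, as the remediation step above places it), and fails the control when the statement is absent, permits any, or names an ACL that is never defined.

```python
import re

BUILTIN_ACLS = {"localhost", "localnets", "none", "any"}

# Constructed named.conf fragments for the check below (not from the benchmark).
COMPLIANT_CONF = """
acl authorized_networks { 10.10.32.0/24; 10.10.34.0/24; };
options {
    allow-query { localhost; authorized_networks; };
};
"""
NONCOMPLIANT_CONF = """
options {
    allow-query { any; };   // every source address may query this server
};
"""

def strip_comments(conf):
    """Drop the comment styles named.conf accepts: /* */, // and #."""
    return re.sub(r"(//|#).*", "", re.sub(r"/\*.*?\*/", "", conf, flags=re.S))

def block_body(conf, keyword):
    """Return the text inside the first `keyword { ... }` block, honouring nesting."""
    m = re.search(r"\b" + keyword + r"\s*\{", conf)
    if not m:
        return None
    depth, start = 1, m.end()
    for i in range(start, len(conf)):
        depth += {"{": 1, "}": -1}.get(conf[i], 0)
        if depth == 0:
            return conf[start:i]
    return None  # unbalanced braces

def audit_allow_query(conf):
    """Return (status, reason) for the 'restrict query origins' control."""
    conf = strip_comments(conf)
    options = block_body(conf, "options")
    if options is None:
        return ("FAIL", "no global options block")
    m = re.search(r"allow-query\s*\{([^}]*)\}", options)
    if not m:
        return ("FAIL", "allow-query not set explicitly in options")
    elems = [e.strip().strip('"') for e in m.group(1).split(";") if e.strip()]
    defined = set(re.findall(r'\bacl\s+"?([\w.-]+)"?\s*\{', conf))
    for e in elems:
        name = e.lstrip("!")  # a leading '!' negates the element
        if name == "any":
            return ("FAIL", "allow-query permits any source address")
        if name in BUILTIN_ACLS or name in defined or re.fullmatch(r"[0-9a-fA-F:.]+(/\d+)?", name):
            continue
        return ("FAIL", f"allow-query references undefined acl '{name}'")
    return ("PASS", "allow-query restricted to: " + ", ".join(elems))
```

This judges only the allow-query policy; run named-checkconf separately to confirm the file is syntactically valid before relying on the result.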

Default Value:

The default package install allows queries only from localhost.

See Also

https://workbench.cisecurity.org/files/1735

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-20, CSCv6|9

Plugin: Unix

Control ID: 12a7fe005b2304aa5e1fad8a7197dd6c339031876f5e487f36decabd4008d4f7