3.1 Ignore Erroneous or Unwanted Queries - RFC 1918 172.16/12; addresses

Information

BIND can be configured to ignore requests originating from specified network segments. This is accomplished with the blackhole option in the options block of named.conf: queries from a blackholed address are dropped without a response, and named will also not send its own queries to those addresses when resolving. It is recommended that this feature be used to ignore requests that originate outside of the network segments the server is expected to serve.

Rationale:

By ignoring traffic that originates from unexpected networks, the server's exposure to malicious entities is reduced.

Solution

Add a blackhole option (inside the options block of named.conf) for multicast and link-local addresses, and for all private RFC 1918 ranges that are not in use. Note that 224/8 covers only the first /8 of the multicast space; the full IPv4 multicast range is 224.0.0.0/4. Because a blackholed range is neither answered nor used for resolution, do not include any range from which legitimate clients query this server, or in which a forwarder or authoritative server it must reach resides. Verify the edited file with named-checkconf before reloading.

blackhole {
    // Private RFC 1918 addresses
    10/8; 192.168/16; 172.16/12;
    // Multicast
    224/8;
    // Link Local
    169.254/16;
};
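The following audit helper is an added example, not part of the CIS benchmark or of BIND itself. It extracts the top-level blackhole list from a named.conf (after stripping //, # and /* */ comments) and reports whether every expected prefix is present, so the check can be run against a file before and after the change. The two configuration files it inspects are constructed inline for the demonstration; the helper function names (blackhole_entries, blackhole_has, audit_blackhole) are this example's own.

```shell
#!/bin/sh
# Added example: audit a named.conf for the expected blackhole prefixes.
# Not BIND or CIS code; the sample configs below are constructed for the demo.

# Print one blackhole entry per line from the file given as $1.
# Comments are stripped first so a commented-out entry does not count.
blackhole_entries() {
    sed -e 's|//.*$||' -e 's|#.*$||' "$1" \
      | tr '\n' ' ' \
      | sed -e 's|/\*[^*]*\*/||g' \
      | sed -n 's/.*blackhole[[:space:]]*{\([^}]*\)}.*/\1/p' \
      | tr ';' '\n' | tr -d ' \t'
}

# Return 0 only if every prefix given after the file name is blackholed.
# Usage: blackhole_has FILE PREFIX...
blackhole_has() {
    conf=$1; shift
    entries=$(blackhole_entries "$conf")
    for want in "$@"; do
        # -F -x: literal, whole-line match, so 10/8 does not match 10/80
        printf '%s\n' "$entries" | grep -Fqx -- "$want" || return 1
    done
    return 0
}

# Audit against the full list from this benchmark item.
audit_blackhole() {
    if blackhole_has "$1" 10/8 192.168/16 172.16/12 224/8 169.254/16; then
        echo "PASS: $1 blackholes all expected prefixes"
        return 0
    fi
    echo "FAIL: $1 is missing one or more expected prefixes"
    return 1
}

# Constructed sample: compliant configuration.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
// constructed sample named.conf
options {
    directory "/var/named";
    blackhole {
        // Private RFC 1918 addresses
        10/8; 192.168/16; 172.16/12;
        // Multicast
        224/8;
        // Link Local
        169.254/16;
    };
};
EOF

# Constructed sample: 172.16/12 omitted, so the audit should fail.
MISSING_CONF=$(mktemp)
cat > "$MISSING_CONF" <<'EOF'
options {
    blackhole { 10/8; 192.168/16; 224/8; 169.254/16; };
};
EOF

audit_blackhole "$SAMPLE_CONF"
audit_blackhole "$MISSING_CONF" || true
```

Run the audit against the live file (for example /etc/named.conf) after editing, then confirm the syntax with named-checkconf before issuing rndc reload. The extractor matches prefixes literally, so a list written in the long form (172.16.0.0/12) must be checked with that spelling.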

Default Value:

No networks are blackholed by default.

See Also

https://workbench.cisecurity.org/files/1735

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7(12), CSCv6|9

Plugin: Unix

Control ID: 02ca0448eb7cca1321e8d94eac57b6dddb9e8e226357a689aa9980cb5d3e351b