BIND-9X-001100 - The BIND 9.x server implementation must uniquely identify and authenticate the other DNS server before responding to a server-to-server transaction, zone transfer and/or dynamic update request using cryptographically based bidirectional authentication to protect the integrity of the information in transit - allow-transfer none

Information

Server-to-server (zone transfer) transactions are provided by TSIG, which enforces mutual server authentication using a key that is unique to each server pair (TSIG), thus uniquely identifying the other server. DNS does perform server authentication when TSIG is used, but this authentication is transactional in nature (each transaction has its own authentication performed).

Enforcing mutually authenticated communication sessions during zone transfers provides the assurance that only authorized servers are requesting and receiving DNS zone data. Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity.

Failure to properly implement transactional security may have significant effects on the overall security of the DNS infrastructure. The lack of mutual authentication between name servers during a DNS transaction would allow a threat actor to launch a Man-In-The-Middle attack against the DNS infrastructure. This attack could lead to unauthorized DNS zone data being introduced, resulting in network traffic being redirected to a rogue site.

Satisfies: SRG-APP-000158-DNS-000015, SRG-APP-000390-DNS-000048, SRG-APP-000394-DNS-000049, SRG-APP-000395-DNS-000050, SRG-APP-000439-DNS-000063, SRG-APP-000440-DNS-000065

Solution

Configure the BIND 9.x server to use TSIG keys.

Add a key statement to the 'named.conf' file for TSIG that is being used:

key tsig_example. {
algorithm hmac-SHA1;
include 'tsig-example.key';
};

Add key statements to the allow-transfer statements on a master name server:

allow-transfer { key tsig_example.; };

Add key statements to the server statements on a secondary name server:

server <ip_address> {
keys { tsig_example };
};

Restart the BIND 9.x process.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_BIND_9-x_V2R2_STIG.zip

Item Details

Category: IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|IA-3, 800-53|IA-3(1), 800-53|IA-11, 800-53|SC-8, 800-53|SC-8(1), CAT|I, CCI|CCI-000778, CCI|CCI-001958, CCI|CCI-001967, CCI|CCI-002039, CCI|CCI-002418, CCI|CCI-002421, Rule-ID|SV-207561r612253_rule, STIG-ID|BIND-9X-001100, STIG-Legacy|SV-87053, STIG-Legacy|V-72429, Vuln-ID|V-207561

Plugin: Unix

Control ID: 15bc261e6ecb4fdff2b0e465f98b6b6ddf38285884be1ed9efd9a43586b413d6