BIND-9X-001006 - The host running a BIND 9.x implementation must use an interface that is configured to process only DNS traffic.

Information

Configuring a host that runs a BIND 9.x implementation to accept DNS traffic only on a dedicated DNS interface segregates DNS traffic from all other traffic the host handles.

The TCP/IP stack of a DNS host (stub resolver, caching/resolving/recursive name server, authoritative name server, etc.) can be subjected to packet-flooding attacks (such as SYN floods and smurf attacks), resulting in disruption of communication.

A dedicated DNS interface mitigates these threats by giving the administrator a single point at which a host-based firewall can limit the types of traffic that interface will process.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

On the host machine, dedicate an interface to DNS: bind the name server to that interface's address, and apply host-based firewall rules so that the interface processes only DNS traffic (TCP and UDP port 53).

Restart the host machine.
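The following is an added example, not part of the STIG text or the Nessus plugin, showing one way to carry out the solution above on a Linux host with nftables and BIND. The interface name eth1, the address 192.0.2.53, and the `ss` output used to exercise the check are all constructed assumptions. It emits a host firewall ruleset that admits only DNS on the dedicated interface (with a rate limit on new TCP connections to blunt SYN floods and an implicit drop of ICMP, which covers smurf traffic), the matching `listen-on` options so named itself binds only that address, and a check that flags any listener that would still accept non-DNS traffic on that interface.

```shell
#!/bin/sh
# Added example (not from the STIG or Nessus plugin). Hypothetical values:
# the dedicated DNS interface is eth1 and carries the address 192.0.2.53.
DNS_IF="eth1"
DNS_ADDR="192.0.2.53"

# Emit an nftables ruleset (loadable with `nft -f`) that leaves other
# interfaces under the host's existing policy but, on $DNS_IF, accepts only
# DNS queries and replies to the host's own traffic. New TCP/53 connections
# are rate limited to blunt SYN floods; everything else, ICMP included, drops.
dns_if_ruleset() {
  cat <<EOF
table inet dns_if {
  chain input {
    type filter hook input priority 0; policy accept;
    iifname "$DNS_IF" jump dns_only
  }
  chain dns_only {
    ct state established,related accept
    ct state invalid drop
    udp dport 53 accept
    tcp dport 53 ct state new limit rate 200/second burst 500 packets accept
    drop
  }
}
EOF
}

# Emit the matching named.conf options block so BIND binds only the DNS
# address rather than every address on the host.
named_listen_options() {
  cat <<EOF
options {
    listen-on port 53 { $DNS_ADDR; };
    listen-on-v6 { none; };
};
EOF
}

# Read `ss -Hlntu` style lines on stdin and print every listener that would
# accept non-DNS traffic arriving on the DNS interface: a socket bound to
# $DNS_ADDR or to the wildcard address, on any port other than 53.
# Exits 1 if at least one such listener is found, 0 otherwise.
non_dns_listeners() {
  awk -v addr="$DNS_ADDR" '
    {
      n = split($5, parts, ":")   # $5 is Local Address:Port, e.g. 0.0.0.0:22
      port = parts[n]
      host = substr($5, 1, length($5) - length(port) - 1)
      if (port != "53" && (host == addr || host == "0.0.0.0" || host == "*" || host == "[::]")) {
        print $1, host, port
        found++
      }
    }
    END { exit (found > 0) }'
}

# Constructed sample of `ss -Hlntu` output (not captured from a real host):
# named on the DNS address, sshd on the wildcard, a web service on the
# management address, and chronyd on loopback.
SAMPLE_SS='udp   UNCONN 0 0   192.0.2.53:53   0.0.0.0:*
tcp   LISTEN 0 10  192.0.2.53:53   0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:22      0.0.0.0:*
tcp   LISTEN 0 128 10.0.0.5:8080   0.0.0.0:*
udp   UNCONN 0 0   127.0.0.1:323   0.0.0.0:*'

# Stand-alone run: show both generated fragments, then check the sample.
# Only the wildcard-bound sshd socket should be reported; the management
# and loopback services do not receive traffic on the DNS interface.
dns_if_ruleset
named_listen_options
printf '%s\n' "$SAMPLE_SS" | non_dns_listeners \
  || echo "non-DNS listeners reachable on $DNS_IF; firewall must drop them"
```

On a real host, feed `ss -Hlntu` into `non_dns_listeners` after loading the ruleset; a wildcard-bound service such as sshd is expected to show up, which is exactly why the nftables `drop` on the DNS interface is required in addition to BIND's own `listen-on`.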

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_BIND_9-x_V2R2_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b., CAT|II, CCI|CCI-000366, Rule-ID|SV-207538r612253_rule, STIG-ID|BIND-9X-001006, STIG-Legacy|SV-86999, STIG-Legacy|V-72375, Vuln-ID|V-207538

Plugin: Unix

Control ID: dc6894ca4a01bc4c7c7d15b3071291ca05b2119f0e7e12c4d192254acf0377ca