BIND-9X-002450 - The BIND 9.x server implementation must have fetches-per-zone enabled.

Information

The fetches-per-zone option in BIND 9.x is a configuration parameter that controls the maximum number of simultaneous iterative queries a recursive resolver can send to a single authoritative server for a specific domain. This helps protect authoritative servers from being overwhelmed by queries, especially during a denial-of-service (DoS) attack.

Solution

Modify the BIND configuration file (/etc/named.conf).

Add the fetches-per-zone option to the options section of the configuration file:

fetches-per-zone <integer> drop;

After making changes, reload or restart BIND to apply the new settings.
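
One way to verify the setting after the change, as an added example that is not part of the STIG or of BIND itself: the function name check_fetches_per_zone is hypothetical, and the check assumes the opening brace sits on the same line as the options keyword. It fails when the option is missing, commented out, set only inside a view, or set to 0 (BIND's default, which means no limit).

```shell
#!/bin/sh
# check_fetches_per_zone [FILE]   (hypothetical helper, added example)
# Exit 0 when the top-level options { } block sets fetches-per-zone to a
# positive integer, exit 1 otherwise. Reads stdin when FILE is omitted, so
# it can also consume canonical output that has includes resolved:
#   named-checkconf -p /etc/named.conf | check_fetches_per_zone
check_fetches_per_zone() {
    awk '
    {
        # Drop "#" and "//" line comments so a commented-out setting does
        # not count. Block comments (/* */) are not handled here; the
        # canonical output of named-checkconf -p contains none.
        sub(/(#|\/\/).*/, "")
        line = $0

        # Only the top-level options block counts for this check.
        if (depth == 0 && line ~ /^[ \t]*options[ \t]*[{]/)
            in_opts = 1

        if (in_opts && match(line, /(^|[ \t;{])fetches-per-zone[ \t]+[0-9]+/)) {
            val = substr(line, RSTART, RLENGTH)
            sub(/.*[ \t]/, "", val)      # keep only the integer
            found = (val + 0 > 0)        # 0 means "no limit"
        }

        # Track brace nesting to know when the options block closes.
        depth += gsub(/[{]/, "{", line) - gsub(/[}]/, "}", line)
        if (depth == 0)
            in_opts = 0
    }
    END { exit(found ? 0 : 1) }
    ' "${1:--}"
}
```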

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_BIND_9-x_V3R1_STIG.zip