BIND-9X-001230 - On a BIND 9.x server in a split DNS configuration, where separate name servers are used between the external and internal networks, the internal name server must be configured to not be reachable from outside resolvers.

Information

Instead of having the same set of authoritative name servers serve different types of clients, an enterprise could have two different sets of authoritative name servers.

One set, called external name servers, can be located within a DMZ. These would be the only name servers that are accessible to external clients and would serve RRs pertaining to hosts with public services (web servers that serve external web pages or provide B2C services, mail servers, etc.).

The other set, called internal name servers, must be located within the firewall. They must be configured so they are not reachable from outside and therefore provide naming services exclusively to internal clients.

Solution

Edit the "named.conf" file.

Configure the internal view statement to limit use authorized internal hosts:

view "internal" {
match-clients { <ip_address> | <address_match_list>; };
};

Remove any IP address that is assigned to an external host from the internal view statement.

Restart the BIND 9.x process.

Item Details

Audit Name: DISA BIND 9.x STIG v3r1

Category: CONFIGURATION MANAGEMENT

Plugin: Unix

Control ID: 56359381f2f6bfe7c1c3fe131e7839272f17519bbc049f3ed4bcf8fe442ec621

Detections

Analytics

BIND-9X-001230 - On a BIND 9.x server in a split DNS configuration, where separate name servers are used between the external and internal networks, the internal name server must be configured to not be reachable from outside resolvers.

Information

Solution

See Also

Item Details