Detections
Analytics
BIND-9X-002470 - The host running a BIND 9.x implementation must have DNS cookies enabled.
Information
DNS cookies can help prevent spoofing and cache poisoning attacks by verifying the identity of both the client and server. They do this by including a cryptographic identifier (the cookie) in DNS messages, which can be verified in future messages. This makes it difficult for an attacker to learn the cookie values and thus spoof them.Solution
Edit the named.conf file:options {
answer-cookie yes;
};
After making changes, save the named.conf file and restart the BIND service to apply the changes.
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_BIND_9-x_V3R1_STIG.zip
Item Details
Audit Name: DISA BIND 9.x STIG v3r1
Category: CONFIGURATION MANAGEMENT
References: 800-53|CM-6b., CAT|II, CCI|CCI-000366, Rule-ID|SV-275938r1123968_rule, STIG-ID|BIND-9X-002470, Vuln-ID|V-275938
Plugin: Unix
Control ID: ed7d07a245092f2724e0a362aa75673140eda201834b4a5b16066fa8ae5aab6a