BIND-9X-001390 - The primary servers in a BIND 9.x implementation must notify authorized secondary name servers when zone files are updated.

Information

It is important to maintain the integrity of a zone file. The serial number of the SOA record is used to indicate to secondary name servers that a change to the zone has occurred and a zone transfer should be performed. The serial number in the SOA record gives the DNS administrator a way to verify the integrity of the zone file based on the serial number of the last update and to ensure that all secondary servers are using the correct zone file.

When a primary name server notices that the serial number of a zone has changed, it sends a special announcement to all of the secondary name servers for that zone. The primary name server determines which servers are the secondaries for the zone by looking at the list of NS records in the zone and excluding the record that points to the name server listed in the MNAME field of the zone's SOA record, as well as the domain name of the local host.

When a secondary name server receives a NOTIFY announcement for a zone from one of its configured primary name servers, it responds with a NOTIFY response. The response tells the primary that the secondary received the NOTIFY announcement so that the primary can stop sending it NOTIFY announcements for the zone. Then the secondary proceeds just as if the refresh timer for that zone had expired: it queries the primary name server for the SOA record for the zone that the primary claims has changed. If the serial number is higher, the secondary transfers the zone.

The secondary should issue its own NOTIFY announcements to the other authoritative name servers for the zone. The idea is that the primary may not be able to notify all of the secondary name servers for the zone itself, since it is possible some secondaries cannot communicate directly with the primary (they use another secondary as their primary). Older BIND 8 secondaries do not send NOTIFY messages unless explicitly configured to do so.

Solution

Edit the 'named.conf' file.

Configure the 'notify' sub-statement in the 'options' statement block to 'no':

options {
notify no;
};

Configure the 'notify explicit' and 'also-notify' sub-statements in the zone statement block to limit zone transfer notifications to authorized secondary name servers:

zone "example.com" {
    // existing type/file sub-statements for the zone stay as configured
    notify explicit;
    also-notify { <ip_address>; | <address_match_list>; };
};

Restart the BIND 9.x process.
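An added audit script, not part of the STIG or of the Tenable plugin, that checks a named.conf for the settings above: global notify set to no, and every primary zone carrying notify explicit plus an also-notify list. It uses a constructed sample configuration and a simplified brace-matching parser (no include handling), so treat it as a compliance pre-check rather than a replacement for named-checkconf.

```python
import re

# Constructed sample named.conf for the demo (not taken from any real host).
SAMPLE_CONF = """
options {
    directory "/var/named";
    notify no;
};

zone "example.com" {
    type primary;
    file "example.com.zone";
    notify explicit;
    also-notify { 192.0.2.10; 192.0.2.11; };
};

zone "example.net" {
    type primary;
    file "example.net.zone";
    // no notify/also-notify here: the zone inherits the global setting
};
"""

def _strip_comments(text):
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)   # C-style comments
    return re.sub(r"(//|#).*", "", text)                 # line comments

def _blocks(text):
    """Yield (header, body) for each top-level '{ ... }' block, honouring nesting."""
    i = 0
    while (start := text.find("{", i)) >= 0:
        depth, j = 0, start
        for j in range(start, len(text)):
            depth += {"{": 1, "}": -1}.get(text[j], 0)
            if depth == 0:
                break
        header = text[i:start].strip().split(";")[-1].strip()  # e.g. 'zone "example.com"'
        yield header, text[start + 1:j]
        i = j + 1

def audit_notify(conf_text):
    """Return STIG findings for zones whose NOTIFY behaviour is not limited to authorized secondaries."""
    findings, global_notify, zones = [], "yes", {}   # BIND's default for notify is 'yes'
    notify_re = re.compile(r"(?<!-)\bnotify\s+(\S+)\s*;")  # skip 'also-notify'
    for header, body in _blocks(_strip_comments(conf_text)):
        words = header.split()
        if words[:1] == ["options"]:
            m = notify_re.search(body)
            global_notify = m.group(1) if m else global_notify
        elif words[:1] == ["zone"] and len(words) > 1:
            zones[words[1].strip('"')] = body
    if global_notify != "no":
        findings.append("options: 'notify' is '%s', expected 'no'" % global_notify)
    for name, body in zones.items():
        if not re.search(r"\btype\s+(primary|master)\s*;", body):
            continue  # only primaries originate NOTIFY announcements
        m = notify_re.search(body)
        has_also = re.search(r"\balso-notify\s*\{", body) is not None
        if not (m and m.group(1) == "explicit" and has_also):
            findings.append("zone %s: needs 'notify explicit;' plus an 'also-notify' list" % name)
    return findings

if __name__ == "__main__":
    for f in audit_notify(SAMPLE_CONF) or ["compliant"]:
        print(f)
```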

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_BIND_9-x_V3R1_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b., CAT|II, CCI|CCI-000366, Rule-ID|SV-272395r1124052_rule, STIG-ID|BIND-9X-001390, Vuln-ID|V-272395

Plugin: Unix

Control ID: 9971f522f9d6c4fb59579ca2d012294e0a974cebb497ab4b24be69b3cfa0399e