BIND-9X-001059 – On the BIND 9.x server the platform on which the name server software is hosted must be configured to send outgoing DNS messages from a random port – listen-on

Details

Hosts that run the name server software should not provide any other services and therefore should be configured to respond to DNS traffic only. Outgoing DNS messages should be sent from a random port to minimize the risk of an attacker’s guessing the outgoing message port and sending forged replies.

Solution

Edit the ‘named.conf’ file.

Configure the BIND 9.x server to only use the ‘port’ flag with the ‘listen-on’ and ‘listen-on-v6’ statements:

options {
listen-on port 53 { ; };
listen-on-v6 port 53 { ; };
};

Restart the BIND 9.x process.

Supportive Information

The following resource is also helpful.

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_BIND_9-x_V2R2_STIG.zip

This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management.This control applies to the following type of system Unix.

References

800-53|CM-6b.
CAT|III
CCI|CCI-000366
Rule-ID|SV-207557r612253_rule
STIG-ID|BIND-9X-001059
STIG-Legacy|SV-87043
STIG-Legacy|V-72419
Vuln-ID|V-207557

Source

Tenable.com/audits

Updated on July 16, 2022

Was this article helpful?

Yes No

Details

Solution

Supportive Information

References

Source

Related Articles