Dedicated Name Server Role. Details: A name server may be an authoritative name server for one or more domains for which it is configured...
Disable the dnssec-accept-expired Option. Details: The dnssec-accept-expired option allows BIND to accept expired signatures during validation. The option should be disabled so that expired...
Do Not Define a Static Source Port. Details: BIND can be configured to always use the same source port when communicating with other DNS servers. This capability...
Do Not Install a Multi-Use System – chkconfig. Details: Default server configurations often expose a wide variety of services, unnecessarily increasing the risk to the system. Just because...
Do Not Install a Multi-Use System – systemctl. Details: Default server configurations often expose a wide variety of services, unnecessarily increasing the risk to the system. Just because...
Enable DNSSEC Validation – dnssec-enable. Details: DNS Security Extensions, or DNSSEC for short, provides authentication of the name servers through public key cryptography. With DNSSEC,...
Enable DNSSEC Validation – dnssec-validation. Details: DNS Security Extensions, or DNSSEC for short, provides authentication of the name servers through public key cryptography. With DNSSEC,...
Give the BIND User Account an Invalid Shell. Details: The BIND user account, named by default, must not be used as a regular login account, and should be...
Hide BIND Version String. Details: BIND includes a built-in zone, version.bind, which may be queried to get the version of the name server. The...
Hide Nameserver ID. Details: The server-id option provides a server identifier that will be returned in response to an NSID query. An NSID...