BIND 9.x Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
SRG-APP-000516-DNS-000078
<GroupDescription></GroupDescription>Group -
A BIND 9.x server validity period for the RRSIGs covering a zones DNSKEY RRSet must be no less than two days and no more than one week.
<VulnDiscussion>The best way for a zone administrator to minimize the impact of a key compromise is by limiting the validity period of RRSIGs...Rule Medium Severity -
SRG-APP-000516-DNS-000084
<GroupDescription></GroupDescription>Group -
A BIND 9.x server NSEC3 must be used for all internal DNS zones.
<VulnDiscussion>To ensure that RRs associated with a query are really missing in a zone file and have not been removed in transit, the DNSSEC...Rule Medium Severity -
SRG-APP-000516-DNS-000085
<GroupDescription></GroupDescription>Group -
Every NS record in a zone file on a BIND 9.x server must point to an active name server and that name server must be authoritative for the domain specified in that record.
<VulnDiscussion>Poorly constructed NS records pose a security risk because they create conditions under which an adversary might be able to p...Rule Medium Severity -
SRG-APP-000516-DNS-000087
<GroupDescription></GroupDescription>Group -
On a BIND 9.x server all authoritative name servers for a zone must be located on different network segments.
<VulnDiscussion>Most enterprises have an authoritative primary server and a host of authoritative secondary name servers. It is essential tha...Rule Medium Severity -
SRG-APP-000516-DNS-000088
<GroupDescription></GroupDescription>Group -
On a BIND 9.x server all authoritative name servers for a zone must have the same version of zone information.
<VulnDiscussion>It is important to maintain the integrity of a zone file. The serial number of the SOA record is used to indicate to secondar...Rule Medium Severity -
SRG-APP-000516-DNS-000102
<GroupDescription></GroupDescription>Group -
On a BIND 9.x server all root name servers listed in the local root zone file hosted on a BIND 9.x authoritative name server must be valid for that zone.
<VulnDiscussion>All caching name servers must be authoritative for the root zone because, without this starting point, they would have no kno...Rule Low Severity -
SRG-APP-000516-DNS-000102
<GroupDescription></GroupDescription>Group -
On a BIND 9.x server all root name servers listed in the local root zone file hosted on a BIND 9.x authoritative name server must be empty or removed.
<VulnDiscussion>A potential vulnerability of DNS is that an attacker can poison a name servers cache by sending queries that will cause the s...Rule Low Severity -
SRG-APP-000516-DNS-000113
<GroupDescription></GroupDescription>Group -
On the BIND 9.x server a zone file must not include resource records that resolve to a fully qualified domain name residing in another zone.
<VulnDiscussion>If a name server were able to claim authority for a resource record in a domain for which it was not authoritative, this woul...Rule Medium Severity -
SRG-APP-000516-DNS-000114
<GroupDescription></GroupDescription>Group -
On the BIND 9.x server CNAME records must not point to a zone with lesser security for more than six months.
<VulnDiscussion>The use of CNAME records for exercises, tests, or zone-spanning aliases should be temporary (e.g., to facilitate a migration)...Rule Low Severity -
SRG-APP-000516-DNS-000500
<GroupDescription></GroupDescription>Group -
The BIND 9.x server implementation must prohibit the forwarding of queries to servers controlled by organizations outside of the U.S. Government.
<VulnDiscussion>If remote servers to which DoD DNS servers send queries are controlled by entities outside of the U.S. Government the possibi...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.