On the BIND 9.x server a zone file must not include resource records that resolve to a fully qualified domain name residing in another zone.
An XCCDF Rule
Description
<VulnDiscussion>If a name server were able to claim authority for a resource record in a domain for which it was not authoritative, this would pose a security risk. In this environment, an adversary could use illicit control of a name server to impact IP address resolution beyond the scope of that name server (i.e., by claiming authority for records outside of that server's zones). Fortunately, all but the oldest versions of BIND and most other DNS implementations do not allow for this behavior. Nevertheless, the best way to eliminate this risk is to eliminate from the zone files any records for hosts in another zone.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-207599r879887_rule
- Severity
- Medium
- References
- Updated
Remediation - Manual Procedure
In the case of third-party CDNs or cloud offerings, document the mission need with the AO.
Edit the zone file.
Remove any record that points to a different zone, with the exception of approved CDNs or cloud offerings.