The host running a BIND 9.X implementation must implement a set of firewall rules that restrict traffic on the DNS interface.
An XCCDF Rule
Description
<VulnDiscussion>Configuring hosts that run a BIND 9.X implementation to accept DNS traffic only on a dedicated DNS interface allows the system firewall to limit the allowed incoming ports/protocols on that interface to 53/tcp and 53/udp. Sending outgoing DNS messages from a random source port minimizes the risk of an attacker guessing the outgoing message port and sending forged replies. The TCP/IP stack in DNS hosts (stub resolver, caching/resolving/recursive name server, authoritative name server, etc.) could be subjected to packet flooding attacks (such as SYN floods and smurf attacks), resulting in disruption of communication. By implementing a specific set of firewall rules that limit the traffic accepted on the interface, the risk of packet flooding and other TCP/IP-based attacks is reduced.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID: SV-207536r612253_rule
- Severity: Medium
- References
- Updated
Remediation - Manual Procedure
Configure the OS firewall to only allow incoming DNS traffic on ports 53/tcp and 53/udp.
Add the following rules to the host firewall rule set, replacing [DNS Interface] with the name of the DNS-facing interface. iptables evaluates rules in order, so the catch-all DROP must come after the two ACCEPT rules:
# iptables -A INPUT -i [DNS Interface] -p tcp --dport 53 -j ACCEPT
# iptables -A INPUT -i [DNS Interface] -p udp --dport 53 -j ACCEPT
# iptables -A INPUT -i [DNS Interface] -j DROP
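As an added example that is not part of the STIG fix text, the script below prints the rule set for a given interface and audits an `iptables -S INPUT` listing to confirm the rules are present and correctly ordered. The interface name `eth1` is a placeholder, and the three sample listings are constructed, not captured from a real host. Compared with the fix text, the generated rules add a conntrack ACCEPT ahead of the catch-all DROP: unless an earlier rule in the chain already accepts established traffic, replies to the server's own outbound queries arrive on random high ports, match neither 53/tcp nor 53/udp, and would otherwise be dropped.

```shell
#!/usr/bin/env bash
# Added example (not part of the STIG fix text): generate the per-interface
# DNS firewall rules and audit a live rule set for them.
# Assumptions: the DNS-facing interface is "eth1" (placeholder), and the
# sample rule listings below are constructed, not captured from a real host.

# Emit the iptables commands for the DNS interface. A conntrack ACCEPT is added
# ahead of the catch-all DROP so that replies to the server's own outbound
# queries (sent from random source ports) are not silently dropped.
dns_fw_rules() {
    iface="$1"
    printf '%s\n' \
        "iptables -A INPUT -i $iface -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT" \
        "iptables -A INPUT -i $iface -p tcp --dport 53 -j ACCEPT" \
        "iptables -A INPUT -i $iface -p udp --dport 53 -j ACCEPT" \
        "iptables -A INPUT -i $iface -j DROP"
}

# Audit: read "iptables -S INPUT" output on stdin. Succeeds only if, for the
# given interface, tcp/53 and udp/53 are accepted, a catch-all DROP follows
# both, and no other ACCEPT (apart from the conntrack rule) exists for it.
check_dns_rules() {
    iface="$1"
    n=0; tcp_at=0; udp_at=0; drop_at=0; extra=0
    while IFS= read -r line; do
        n=$((n + 1))
        case "$line" in
            "-A INPUT -i $iface -p tcp "*"--dport 53 -j ACCEPT") tcp_at=$n ;;
            "-A INPUT -i $iface -p udp "*"--dport 53 -j ACCEPT") udp_at=$n ;;
            "-A INPUT -i $iface -m conntrack --ctstate "*"-j ACCEPT") ;;
            "-A INPUT -i $iface -j DROP") drop_at=$n ;;
            "-A INPUT -i $iface "*"-j ACCEPT") extra=$((extra + 1)) ;;
        esac
    done
    [ "$tcp_at" -gt 0 ] && [ "$udp_at" -gt 0 ] && [ "$drop_at" -gt 0 ] \
        && [ "$drop_at" -gt "$tcp_at" ] && [ "$drop_at" -gt "$udp_at" ] \
        && [ "$extra" -eq 0 ]
}

# Constructed "iptables -S INPUT" listings (not from a real host).
# Compliant: both port-53 ACCEPTs, then the catch-all DROP for eth1.
SAMPLE_OK='-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i eth1 -j DROP'

# Non-compliant: the DROP is missing, so anything else on eth1 is reachable.
SAMPLE_NO_DROP='-P INPUT ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 53 -j ACCEPT'

# Non-compliant: ssh is also accepted on the DNS interface.
SAMPLE_EXTRA_ACCEPT='-P INPUT ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i eth1 -j DROP'

# Usage: ./dns_fw.sh eth1                      prints the rules to apply (run as root)
#        iptables -S INPUT | ./dns_fw.sh eth1 --check   audits the live INPUT chain
if [ $# -ge 1 ]; then
    if [ "${2:-}" = "--check" ]; then
        check_dns_rules "$1" && echo "PASS: DNS rules present on $1" \
            || echo "FAIL: DNS rules missing or misordered on $1"
    else
        dns_fw_rules "$1"
    fi
fi
```

Rules added with `iptables -A` live only in the running kernel; save them with the distribution's mechanism (for example `iptables-save` or the iptables-services package) so they survive a reboot, and re-run the `--check` audit afterwards against the restored chain.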