Select any two versions of this STIG to compare the individual requirements
Select any old version/release of this STIG to view the previous requirements
Verify the directory structure where the primary BIND 9.x Server configuration files are stored is running in a chroot(ed) environment: # ps -ef | grep named named 3015 1 0 12:59 ? 00:00:00 /usr/sbin/named -u named -t /var/named/chroot If the output does not contain "-t <chroot_path>", this is a finding.
Configure the BIND 9.x server to operate in a chroot(ed) directory structure.
Verify that the BIND 9.x server is at a version that is considered "Current-Stable" by ISC or latest supported version of BIND when BIND is installed as part of a specific vendor implementation where the vendor maintains the BIND patches. # named -v The above command should produce a version number similar to the following: BIND 9.9.4-RedHat-9.9.4-29.el7_2.3 If the server is running a version that is not listed as "Current-Stable" by ISC, this is a finding.
Update the BIND 9.x server to a version that is listed as “Current-Stable” by ISC or latest supported version of BIND when BIND is installed as part of a specific vendor implementation where the vendor maintains the BIND patches.
Verify that the BIND 9.x server is dedicated for DNS traffic: With the assistance of the DNS administrator, identify all of the processes running on the BIND 9.x server: # ps -ef | less If any of the identified processes are not in support of normal OS functionality or in support of the BIND 9.x process, this is a finding.
Disable or uninstall all non-DNS related applications from the BIND 9.x server.
Verify the BIND 9.x process is not running as root: # ps -ef | grep named named 3015 1 0 12:59 ? 00:00:00 /usr/sbin/named -u named -t /var/named/chroot If the output shows "/usr/sbin/named -u root", this is a finding.
Configure the BIND 9.x process to run as a non-privileged user. Restart the BIND 9.x process.
With the assistance of the DNS administrator, verify that the OS firewall is configured to only allow incoming messages on ports 53/tcp and 53/udp. Note: The following rules are for the IPTables firewall. If the system is utilizing a different firewall, the rules may be different. Inspect the hosts firewall rules for the following rules: -A INPUT -i [DNS Interface] -p tcp --dport 53 -j ACCEPT -A INPUT -i [DNS Interface] -p udp --dport 53 -j ACCEPT -A INPUT -i [DNS Interface] -j DROP If any of the above rules do not exist, this is a finding. If there are rules listed that allow traffic on ports other than 53/tcp and 53/udp, this is a finding.
Configure the OS firewall to only allow incoming DNS traffic on ports 53/tcp and 53/udp. Add the following rules to the host firewall rule set: # iptables -A INPUT -i [DNS Interface] -p tcp --dport 53 -j ACCEPT # iptables -A INPUT -i [DNS Interface] -p udp --dport 53 -j ACCEPT # iptables -A INPUT -i [DNS Interface] -j DROP Note: If the system is not using an IPTables firewall, the appropriate firewall rules that limit traffic to ports 53/tcp and 53/udp should be configured on the active firewall.
Verify that the BIND 9.x server is configured to use a dedicated management interface: # ifconfig -a eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 10.0.1.252 netmask 255.255.255.0 broadcast 10.0.1.255 inet6 fd80::21c:d8ff:fab7:1dba prefixlen 64 scopeid 0x20<link> ether 00:1a:b8:d7:1a:bf txqueuelen 1000 (Ethernet) RX packets 2295379 bytes 220126493 (209.9 MiB) RX errors 0 dropped 31 overruns 0 frame 0 TX packets 70507 bytes 12284940 (11.7 MiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1458 inet 10.0.0.5 netmask 255.255.255.0 broadcast 10.0.0.255 inet6 fe81::21c:a8bf:fad7:1dca prefixlen 64 scopeid 0x20<link> ether 00:1d:d8:b5:1c:dd txqueuelen 1000 (Ethernet) RX packets 39090 bytes 4196802 (4.0 MiB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 93250 bytes 18614094 (17.7 MiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 If one of the interfaces listed is not dedicated to only process management traffic, this is a finding.
On the host machine, configure an interface that is dedicated to management traffic. Restart the host machine.
Verify that the BIND 9.x server is configured to use an interface that is configured to process only DNS traffic. # ifconfig -a eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 10.0.1.252 netmask 255.255.255.0 broadcast 10.0.1.255 inet6 fd80::21c:d8ff:fab7:1dba prefixlen 64 scopeid 0x20<link> ether 00:1a:b8:d7:1a:bf txqueuelen 1000 (Ethernet) RX packets 2295379 bytes 220126493 (209.9 MiB) RX errors 0 dropped 31 overruns 0 frame 0 TX packets 70507 bytes 12284940 (11.7 MiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1458 inet 10.0.0.5 netmask 255.255.255.0 broadcast 10.0.0.255 inet6 fe81::21c:a8bf:fad7:1dca prefixlen 64 scopeid 0x20<link> ether 00:1d:d8:b5:1c:dd txqueuelen 1000 (Ethernet) RX packets 39090 bytes 4196802 (4.0 MiB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 93250 bytes 18614094 (17.7 MiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 If one of the interfaces listed is not dedicated to only process DNS traffic, this is a finding.
On the host machine, configure an interface to only process DNS traffic. Restart the host machine.
Verify the name server is configured to generate audit records: Inspect the "named.conf" file for the following: logging { channel channel_name { severity info; }; category default { channel_name; }; }; If there is no "logging" statement, this is a finding. If the "logging" statement does not contain a "channel", this is a finding. If the "logging" statement does not contain a "category" that utilizes a "channel", this is a finding.
Configure the logging statement in the "named.conf" file: logging { channel <channel_name> { file "<file_name>"; severity info; }; category default { <channel_name>; }; }; Replace <channel_name> and <file_name> with names that distinctively identify the purpose of the channel and the log file. Restart the BIND 9.x process.
Verify that the BIND 9.x server is not configured to send audit logs to the null channel. Inspect the "named.conf" file for the following: category null { null; } If there is a category defined to send audit logs to the "null" channel, this is a finding.
Edit the "named.conf" file. Remove any instance of the following: category null { null; }; Restart the BIND 9.x process.
Verify the name server is configured to generate all DoD-defined audit records. Inspect the "named.conf" file for the following: logging { channel channel_name { severity info; }; }; If a channel is not configured to log messages with the severity of info and higher, this is a finding. Note: "info" is the lowest severity level and will automatically log all messages with a severity of "info" or higher.
Edit the "named.conf" file. Add the "severity" sub statement to the "channel" statement. Configure the "severity" sub statement to "info" Restart the BIND 9.x process.
Verify the name server is configured to log error messages with a severity of “info”: Inspect the "named.conf" file for the following: logging { channel channel_name { severity info; }; If the "severity" sub statement is not set to "info", this is a finding. Note: Setting the "severity" sub statement to "info" will log all messages for the following severity levels: Critical, Error, Warning, Notice, and Info.
Edit the "named.conf" file. Add the "severity" sub statement to the "channel" statement. Configure the "severity" sub statement to "info" Restart the BIND 9.x process.
For each logging channel that is defined, verify that the "print-severity" sub statement is listed: Inspect the "named.conf" file for the following: logging { channel channel_name { print-severity yes; }; }; If the "print-severity" statement is missing, this is a finding. If the "print-severity" statement is not set to "yes", this is a finding.
Edit the "named.conf" file. Add the "print-severity" sub statement to the "channel" statement. Configure the "print-severity" sub statement to "yes" Restart the BIND 9.x process.
For each logging channel that is defined, verify that the "print-time" sub statement is listed. Inspect the "named.conf" file for the following: logging { channel channel_name { print-time yes; }; }; If the "print-time" statement is missing, this is a finding. If the "print-time" statement is not set to "yes", this is a finding.
Edit the "named.conf" file. Add the "print-time" sub statement to the "channel" statement. Configure the "print-time" sub statement to "yes" Restart the BIND 9.x process.
For each logging channel that is defined, verify that the "print-category" sub statement is listed. Inspect the "named.conf" file for the following: logging { channel channel_name { print-category yes; }; }; If the "print-category" statement is missing, this is a finding. If the "print-category" statement is not set to "yes", this is a finding.
Edit the "named.conf" file. Add the "print-category" sub statement to the "channel" statement. Configure the "print-category" sub statement to "yes" Restart the BIND 9.x process.
Verify that the BIND 9.x server is configured to send audit logs to the syslog service. NOTE: syslog and local file channel must be defined for every defined category. Inspect the "named.conf" file for the following: logging { channel <syslog_channel> { syslog <syslog_facility>; }; category <category_name> { <syslog_channel>; }; If a logging channel is not defined for syslog, this is a finding. If a category is not defined to send messages to the syslog channel, this is a finding. Ensure audit records are forwarded to a remote server: # grep "\*.\*" /etc/syslog.conf |grep "@" | grep -v "^#" (for syslog) or: # grep "\*.\*" /etc/rsyslog.conf | grep "@" | grep -v "^#" (for rsyslog) If neither of these lines exist, this is a finding.
Configure the "logging" statement to send audit logs to the syslog daemon. logging { channel <syslog_channel> { syslog <syslog_facility>; }; category <category_name> { <syslog_channel>; }; }; Note: It is recommended to use a local syslog facility (i.e. local0 -7) when configuring the syslog channel. Restart the BIND 9.x process. Configure the (r)syslog daemon to send audit logs to a remote server.
Verify that the BIND 9.x server is configured to send audit logs to a local log file. NOTE: syslog and local file channel must be defined for every defined category. Inspect the "named.conf" file for the following: logging { channel local_file_channel { file "path_name" versions 3; print-time yes; print-severity yes; print-category yes; }; category category_name { local_file_channel; }; If a logging channel is not defined for a local file, this is a finding. If a category is not defined to send messages to the local file channel, this is a finding.
Edit the "named.conf" file and add the following: logging { channel local_file_channel { file "path_name" versions 3; print-time yes; print-severity yes; print-category yes; }; category category_name { local_file_channel; }; }; Restart the BIND 9.x process.
Verify that the BIND 9.x server is configured to retain at least 3 versions of the local log file. Inspect the "named.conf" file for the following: logging { channel local_file_channel { file "path_name" versions 3; }; If the "versions" variable is not defined, this is a finding. If the "versions" variable is configured to retain less than 3 versions of the local log file, this is a finding.
Edit the "named.conf" file. Add the "versions" variable to the end of the "file" sub statement in the channel statement. Configure the "versions" sub statement to a number that is greater or equal to 3. Restart the BIND 9.x process.
If this is not a secondary name server, this requirement is Not Applicable. Verify that the secondary name server is configured to limit the number of zones requested from a single master name server. Inspect the "named.conf" file for the following: options { transfers-per-ns 2; }; If the "options" statement does not contain a "transfers-per-ns" sub statement, this is a finding.
Edit the "named.conf" file. Add the "transfers-per-ns" sub statement to the "options" statement block. The value of the "transfers-per-ns" option can be increased to a value greater than two based on organizational requirements needed to support DNS operations. Restart the BIND 9.x process.
If this is not a secondary name server, this requirement is Not Applicable. Verify the name server is configured to limit the total number of zones that can be requested at one time: Inspect the "named.conf" file for the following: options { transfers-in 10; }; If the "options" statement does not contain a "transfers-in" sub statement, this is a finding.
Edit the "named.conf" file. Add the "transfers-in" sub statement to the "options" statement block. The value of the "transfers-in" will be based on organizational requirements needed to support DNS operations. Restart the BIND 9.x process.
Verify the name server is configured to limit the number of concurrent client connections to the number of allowed dynamic update clients: Inspect the "named.conf" file for the following: options { transfers-out 10; }; If the "options" statement does not contain a "transfers-out" sub statement, this is a finding.
Edit the "named.conf" file. Add the "transfers-out" sub statement to the "options" statement block. The value of the "transfers-out" will be based on organizational requirements needed to support DNS operations. Restart the BIND 9.x process.
Verify the BIND 9.x server is configured to listen on UDP/TCP port 53. Inspect the "named.conf" file for the following: options { listen-on port 53 { <ip_address>; }; }; If the "port" variable is missing, this is a finding. If the "port" variable is not set to "53", this is a finding. Note: "<ip_address>" should be replaced with the DNS server IP address.
Edit the "named.conf" file. Add the following line to the "options" statement: listen-on port 53 { <ip_address>; }; Replace "<ip_address>" with the IP of the name server. Restart the BIND 9.x process.
If this is a recursive name server, this is not applicable. Note: A recursive name server should NOT be configured as an authoritative name server for any zone. Verify that the BIND 9.x server is configured to prohibit recursion on authoritative name servers. Inspect the "named.conf" file for the following: options { recursion no; allow-query {none;}; }; If the "recursion" sub statement is missing, or set to "yes", this is a finding. If the "allow-query" sub statement under the "options statement" is not set to "none", this is a finding. Verify that an "allow-query" sub statement under each zone statement is configured to authorized hosts: zone "example.com" { type master; file "db.example.com"; allow-query { (address_match_list | <ip_address>) }; }; If the "allow-query" sub statement under each zone statement is not restricted to authorized hosts, this is a finding.
Configure the authoritative name server to prohibit recursion. Edit the "named.conf" file and add the following sub statements to the options statement: recursion no; allow-query { none }; Configure each zone to limit queries to authorized hosts: Edit the "named.conf" file and add the following sub statement to each zone definition: allow-query { address_match_list; }; Restart the BIND 9.x process
If this is a recursive name server, this is not applicable. Note: A recursive name server should NOT be configured as an authoritative name server for any zone. Verify that the BIND 9.x server is configured to prohibit recursion on authoritative name servers. Inspect the "named.conf" file for the following: options { recursion no; allow-recursion {none;}; allow-query {none;}; }; If the "recursion" sub statement is missing, or set to "yes", this is a finding. If the “allow-recursion” sub statement is missing or is not set to “none”, this is a finding. If the "allow-query" sub statement under the "options statement" is missing or is not set to "none", this is a finding. Verify that an "allow-query" sub statement under each zone statement is configured to authorized hosts: zone "example.com" { type master; file "db.example.com"; allow-query { (address_match_list | <ip_address>) }; }; If the "allow-query" sub statement under each zone statement is not restricted to authorized hosts, this is a finding.
Configure the authoritative name server to prohibit recursion. Edit the "named.conf" file and add the following sub statements to the options statement: recursion no; allow-recursion {none;}; allow-query { none }; Configure each zone to limit queries to authorized hosts: Edit the "named.conf" file and add the following sub statement to each zone definition: allow-query { address_match_list; }; Restart the BIND 9.x process
If this is a secondary name server, this is Not Applicable. On a master name server, verify that the global notify is disabled. The global entry for the name server is under the “Options” section and notify should be disabled at this section. Inspect the "named.conf" file for the following: options { notify no; }; If the "notify" statement is missing, this is a finding. If the "notify" statement is set to "yes", this is a finding. Verify that each zone is configured to notify authorized secondary name servers when a zone file has been updated. Each zone has its own Zone section. Inspect the "named.conf" file for the following: zone example.com { notify explicit; also-notify { <ip_address>; | <address_match_list>; }; If an "address match list" is used, verify that each ip address listed is an authorized secondary name server for that zone. If the “notify explicit” statement is missing, this is a finding. If the "also-notify" statement is missing, this is a finding. If the "also-notify" statement is configured to notify name servers that are not authorized for that zone, this is a finding.
Edit the "named.conf" file. Configure the "notify" sub statement in the "options" statement block to "no": options { notify no; }; Configure the “notify explicit” and "also-notify" sub statements in the zone statement block to limit zone transfer notifications to authorized secondary name servers: zone example.com { notify explicit; also-notify { <ip_address>; | <address_match_list>; }; Restart the BIND 9.x process
If this is a master name server, this is Not Applicable. On a secondary name server, verify that the global notify is disabled. The global entry for the name server is under the “Options” section and notify should be disabled at this section. Inspect the "named.conf" file for the following: options { notify no; }; If the "notify" statement is missing, this is a finding. If the "notify" statement is set to "yes", this is a finding. Verify that zones for which the secondary server is authoritative is configured to notify other authorized secondary name servers when a zone file update has been received from the master name server for the zone. Each zone has its own Zone section. Inspect the "named.conf" file for the following: zone example.com { notify explicit; also-notify { <ip_address>; | <address_match_list>; }; If an "address match list" is used, verify that each ip address listed is an authorized secondary name server for that zone. If the “notify explicit” statement is missing, this is a finding. If the "also-notify" statement is missing, this is a finding. If the "also-notify" statement is configured to notify name servers that are not authorized for that zone, this is a finding.
Edit the "named.conf" file. Configure the "notify" sub statement in the "options" statement block to "no": options { notify no; }; Configure the “notify explicit” and "also-notify" sub statements in the zone statement block to limit zone transfer notifications to authorized secondary name servers: zone example.com { notify explicit; also-notify { <ip_address>; | <address_match_list>; }; Restart the BIND 9.x process.
Verify that the BIND 9.x server does not limit outgoing DNS messages to a specific port. Inspect the "named.conf" file for the any instance of the "port" flag: options { listen-on port 53 { <ip_address>; }; listen-on-v6 port 53 { <ip_v6_address>; }; }; If any "port" flag is found outside of the "listen-on" or "listen-on-v6" statements, this is a finding.
Edit the "named.conf" file. Configure the BIND 9.x server to only use the "port" flag with the "listen-on" and "listen-on-v6" statements: options { listen-on port 53 { <ip_address>; }; listen-on-v6 port 53 { <ip_v6_address>; }; }; Restart the BIND 9.x process.
If the server is not a caching name server, this is Not Applicable. If the server is in a classified network, this is Not Applicable. If the caching name server is only forwarding to the DISA ERS for query resolution and is not authoritative for any zones, DNSSEC awareness is not required since the ERS is validating. Verify the server is configured to use DNSSEC validation for all DNS queries. Inspect the "named.conf" file for the following: options { dnssec-validation yes; dnssec-enable yes; (this requirement is enforced with BIND-9X-001200. }; managed-keys { "." initial-key 257 3 8 "<root-trust-anchor-data>"; }; If "dnssec-enable" is not set to "yes" or is missing, this is a finding. If "dnssec-validation" is not set to "yes" or is missing, this is a finding. If the "managed-keys" statement is missing, this is a finding. Note: The <root-trust-anchor-data> should be replaced with the actual trust anchor.
Enable DNSSEC validation on the name server. Set the "dnssec-validation" sub statement in the global options block to "yes". Set the “dnssec-enable” to “yes”. Configure the "managed-keys" statement to use the root domains trust anchor. Restart the BIND 9.x process.
If this is not a master name server, this requirement is Not Applicable Verify that the name server is configured to limit the number of zone transfers from authorized secondary name servers. Inspect the "named.conf" file for the following: server <ip_address> { transfers 2; }; If each "server" statement does not contain a "transfers" sub statement, this is a finding.
Edit the "named.conf" file. Add the "transfers" sub statement to each "server" statement block. The value of the "transfers" option can be increased to a value greater than two based on organizational requirements needed to support DNS operations. Restart the BIND 9.x process.
This check is only applicable to caching name servers. Verify the allow-query and allow-recursion phrases are properly configured. Inspect the "named.conf" file for the following: allow-query {trustworthy_hosts;}; allow-recursion {trustworthy_hosts;}; The name of the ACL does not need to be "trustworthy_hosts" but the name should match the ACL name defined earlier in "named.conf" for this purpose. If not, this is a finding. Verify non-internal IP addresses do not appear in either the referenced ACL (e.g., trustworthy_hosts) or directly in the statements themselves. If non-internal IP addresses appear, this is a finding.
Configure the caching name server to accept recursive queries only from the IP addresses and address ranges of known supported clients. Edit the "named.conf" file and add the following to the options statement: allow-query {trustworthy_hosts;}; allow-recursion {trustworthy_hosts;}; Restart the BIND 9.x process
If zone transfers are disabled with the "allow-transfer { none; };" directive, this is Not Applicable. If the server is in a classified network, this is Not Applicable. Verify that the BIND 9.x server is configured to uniquely identify a name server before responding to a zone transfer. Inspect the "named.conf" file for the presence of TSIG key statements: On the master name server, this is an example of a configured key statement: key tsig_example. { algorithm hmac-SHA1; include "tsig-example.key"; }; zone "disa.mil" { type master; file "db.disa.mil"; allow-transfer { key tsig_example.; }; }; On the slave name server, this is an example of a configured key statement: key tsig_example. { algorithm hmac-SHA1; include "tsig-example.key"; }; server <ip_address> { keys { tsig_example }; }; zone "disa.mil" { type slave; masters { <ip_address>; }; file "db.disa.mil"; }; If a master name server does not have a key defined in the “allow-transfer” block, this is a finding. If a secondary name server does not have a server statement that contains a "keys" sub statement, this is a finding.
Configure the BIND 9.x server to use TSIG keys. Add a key statement to the "named.conf" file for TSIG that is being used: key tsig_example. { algorithm hmac-SHA1; include "tsig-example.key"; }; Add key statements to the allow-transfer statements on a master name server: allow-transfer { key tsig_example.; }; Add key statements to the server statements on a secondary name server: server <ip_address> { keys { tsig_example }; }; Restart the BIND 9.x process.
Verify that the BIND 9.x server is configured to utilize separate TSIG key-pairs when securing server-to-server transactions. Inspect the "named.conf" file for the presence of TSIG key statements: On the master name server, this is an example of a configured key statement: key tsig_example. { algorithm hmac-SHA1; include "tsig-example.key"; }; zone "disa.mil" { type master; file "db.disa.mil"; allow-transfer { key tsig_example.; }; }; On the slave name server, this is an example of a configured key statement: key tsig_example. { algorithm hmac-SHA1; include "tsig-example.key"; }; server <ip_address> { keys { tsig_example }; }; zone "disa.mil" { type slave; masters { <ip_address>; }; file "db.disa.mil"; }; Verify that each TSIG key-pair listed is only used by a single key statement: # cat <tsig_key_file> If any TSIG key-pair is being used by more than one key statement, this is a finding.
Create a separate TSIG key-pair for each key statement listed in the named.conf file. Configure the name server to utilize separate TSIG key-pairs for each key statement listed in the named.conf file. Restart the BIND 9.x process.
With the assistance of the DNS Administrator, identify all of the TSIG keys used by the BIND 9.x implementation. Identify the account that the "named" process is running as: # ps -ef | grep named named 3015 1 0 12:59 ? 00:00:00 /usr/sbin/named -u named -t /var/named/chroot With the assistance of the DNS Administrator, determine the location of the TSIG keys used by the BIND 9.x implementation. # ls –al <TSIG_Key_Location> -rw-------. 1 named named 76 May 10 20:35 tsig-example.key If any of the TSIG keys are not owned by the above account, this is a finding.
Change the ownership of the TSIG keys to the named process is running as. # chown <named_proccess_owner> <TSIG_key_file>.
With the assistance of the DNS Administrator, identify all of the TSIG keys used by the BIND 9.x implementation. Identify the account that the "named" process is running as: # ps -ef | grep named named 3015 1 0 12:59 ? 00:00:00 /usr/sbin/named -u named -t /var/named/chroot With the assistance of the DNS Administrator, determine the location of the TSIG keys used by the BIND 9.x implementation. # ls –al <TSIG_Key_Location> -rw-------. 1 named named 76 May 10 20:35 tsig-example.key If any of the TSIG keys are not group owned by the above account, this is a finding.
Change the group ownership of the TSIG keys to the named process group. # chgrp <named_proccess_group> <TSIG_key_file>
Verify permissions assigned to the TSIG keys enforce read-write access to the key owner and deny access to group or system users: With the assistance of the DNS Administrator, determine the location of the TSIG keys used by the BIND 9.x implementation: # ls –al <TSIG_Key_Location> -rw-------. 1 named named 76 May 10 20:35 tsig-example.key If the key files are more permissive than 600, this is a finding.
Change the permissions of the TSIG key files: # chmod 600 <TSIG_key_file>
With the assistance of the DNS Administrator, identify all of the cryptographic key files used by the BIND 9.x implementation. With the assistance of the DNS Administrator, determine the location of the cryptographic key files used by the BIND 9.x implementation. # ls –al <Crypto_Key_Location> -rw-------. 1 named named 76 May 10 20:35 crypto-example.key If the server is in a classified network, the DNSSEC portion of the requirement is Not Applicable. For DNSSEC Keys: Verify that the “Created” date is less than one year from the date of inspection: Note: The date format will be displayed in YYYYMMDDHHMMSS. # cat <DNSSEC_Key_File> | grep -i “created” Created: 20160704235959 If the “Created” date is more than one year old, this is a finding. For TSIG Keys: Verify with the ISSO/ISSM that the TSIG keys are less than one year old. If a TSIG key is more than one year old, this is a finding.
Generate new DNSSEC and TSIG keys. For DNSSEC keys: Use the newly generated keys to resign all of the zone files on the name server. For TSIG keys: Update the named.conf file with the new keys. Restart the BIND 9.X process.
Verify that the DNSSEC and TSIG keys used by the BIND 9.x implementation are FIPS 180-3 compliant. If the server is in a classified network, the DNSSEC portion of the requirement is Not Applicable. DNSSEC KEYS: Inspect the "named.conf" file and identify all of the DNSSEC signed zone files: zone "example.com" { file "signed_zone_file"; }; For each signed zone file identified, inspect the file for the "DNSKEY" records: 86400 DNSKEY 257 3 8 ( <KEY HASH> ) ; KSK; 86400 DNSKEY 256 3 8 ( <KEY HASH> ) ; ZSK; The fifth field in the above example identifies what algorithm was used to create the DNSKEY. If the fifth field the KSK DNSKEY is less than “8” (SHA256), this is a finding. If the algorithm used to create the ZSK is less than “8” (SHA256), this is a finding. TSIG KEYS: Inspect the "named.conf" file and identify all of the TSIG key statements: key tsig_example. { algorithm hmac-SHA256; include "tsig-example.key"; }; If each key statement does not use "hmac-SHA256" or a stronger algorithm, this is a finding.
Create new DNSSEC and TSIG keys using a FIPS 180-3 approved cryptographic algorithm that meets or exceeds the strength of SHA256
If the server is in a classified network, this is Not Applicable. With the assistance of the DNS Administrator, identify all of the DNSSEC keys used by the BIND 9.x implementation. Identify the account that the "named" process is running as: # ps -ef | grep named named 3015 1 0 12:59 ? 00:00:00 /usr/sbin/named -u named -t /var/named/chroot With the assistance of the DNS Administrator, determine the location of the DNSSEC keys used by the BIND 9.x implementation. # ls –al <DNSSEC_Key_Location> -r--------. 1 named named 76 May 10 20:35 DNSSEC-example.key If any of the DNSSEC keys are not owned by the above account, this is a finding.
Change the ownership of the DNSSEC keys to the named process is running as. # chown <named_proccess_owner> <DNSSEC_key_file>.
If the server is in a classified network, this is Not Applicable. With the assistance of the DNS Administrator, identify all of the DNSSEC keys used by the BIND 9.x implementation. Identify the account that the "named" process is running as: # ps -ef | grep named named 3015 1 0 12:59 ? 00:00:00 /usr/sbin/named -u named -t /var/named/chroot With the assistance of the DNS Administrator, determine the location of the DNSSEC keys used by the BIND 9.x implementation. # ls –al <DNSSEC_Key_Location> -r--------. 1 named named 76 May 10 20:35 DNSSEC-example.key If any of the DNSSEC keys are not group owned by the above account, this is a finding.
Change the group ownership of the DNSSEC keys to the named process is running as. # chgrp <named_proccess_group> <DNSSEC_key_file>.
If the server is in a classified network, this is Not Applicable. Verify permissions assigned to the DNSSEC keys enforce read-only access to the key owner and deny access to group or system users: With the assistance of the DNS Administrator, determine the location of the DNSSEC keys used by the BIND 9.x implementation: # ls –al <DNSSEC_Key_Location> -r--------. 1 named named 76 May 10 20:35 DNSSEC-example.key If the key files are more permissive than 400, this is a finding.
Change the permissions of the DNSSEC key files: # chmod 400 <DNSSEC_key_file>
If the server is in a classified network, this is Not Applicable. Determine if the BIND 9.x server is configured to allow dynamic updates. Review the "named.conf" file for any instance of the "allow-update" statement. The following example disables dynamic updates: allow-update {none;}; If the BIND 9.x implementation is not configured to allow dynamic updates, verify with the SA that the ZSK private key is stored offline. If it is not, this is a finding. If the BIND 9.x implementation is configured to allow dynamic updates, verify that the ZSK private key is the only key stored on the name server. For each signed zone file, identify the ZSK "key id" number: # cat <signed_zone_file> | grep -i "zsk" ZSK; alg = ECDSAP256SHA256; key id = 22335 Using the ZSK "key id", verify that the only private key stored on the system matches the "key id" Kexample.com.+008+22335.private If any ZSK private keys exist on the server other than the one corresponding to the active ZSK pair, this is a finding.
Remove any ZSK private keys existing on the server other than the one corresponding to the active ZSK pair
If the server is in a classified network, this is Not Applicable. Determine if the BIND 9.x server is configured to allow dynamic updates. Review the "named.conf" file for any instance of the "allow-update" statement. The following example disables dynamic updates: allow-update {none;}; If the BIND 9.x implementation is not configured to allow dynamic updates, verify with the SA that the private ZSKs and private KSKs are stored offline, if not, this is a finding.
Remove any ZSK or KSK private key from any BIND 9.x server that does not support dynamic updates. Note: Any ZSK or KSK that is not needed to support dynamic updates should be stored offline in a secure location.
If the server is in a classified network, this is Not Applicable. With the assistance of the DNS Administrator, identify all dnssec-keygen key files that reside on the BIND 9.x server. An example dnssec-keygen key file will look like: Kns1.example.com_ns2.example.com.+161+28823.key OR Kns1.example.com_ns2.example.com.+161+28823.private For each key file identified, verify that the key file is owned by "root": # ls -al -r-------- 1 root root 77 Jul 1 15:00 Kns1.example.com_ns2.example.com+161+28823.key If the key file(s) are not owned by root, this is a finding.
Change the ownership of the keys to the root account. # chown root <key_file>.
If the server is in a classified network, this is Not Applicable. With the assistance of the DNS Administrator, identify all dnssec-keygen key files that reside on the BIND 9.x server. An example dnssec-keygen key file will look like: Kns1.example.com_ns2.example.com.+161+28823.key OR Kns1.example.com_ns2.example.com.+161+28823.private For each key file identified, verify that the key file is group-owned by "root": # ls –la -r-------- 1 root root 77 Jul 1 15:00 Kns1.example.com_ns2.example.com+161+28823.key If the key file(s) are not group owned by root, this is a finding.
Change the group ownership of the keys to the root group. # chgrp root <key_file>.
If the server is in a classified network, this is Not Applicable. With the assistance of the DNS Administrator, identify all dnssec-keygen key files that reside on the BIND 9.x server. An example dnssec-keygen key file will look like: Kns1.example.com_ns2.example.com.+161+28823.key OR Kns1.example.com_ns2.example.com.+161+28823.private For each key file identified, verify that the key file is owned by "root": # ls -al -r-------- 1 root root 77 Jul 1 15:00 Kns1.example.com_ns2.example.com+161+28823.key If the key files are more permissive than 400, this is a finding.
Change the permissions of the dnssec-keygen key files: # chmod 400 <key_file>
If the server is in a classified network, this is Not Applicable. Ensure that there are no private KSKs stored on the name sever. With the assistance of the DNS Administrator, obtain a list of all DNSSEC private keys that are stored on the name server. Inspect the signed zone files(s) and look for the KSK key id: DNSKEY 257 3 8 ( <hash_algorithm) ; KSK ; alg = ECDSAP256SHA256; key id = 52807 Verify that none of the identified private keys, are KSKs. An example private KSK would look like the following: Kexample.com.+008+52807.private If there are private KSKs stored on the name server, this is a finding.
Remove all private KSKs from the name server and ensure that they are stored offline in a secure location.
If the server is in a classified network, this is Not Applicable. If the server is forwarding all queries to the ERS, this is Not Applicable as the ERS validates. Verify that DNSSEC is enabled. Inspect the "named.conf" file for the following: dnssec-enable yes; If "dnssec-enable" does not exist or is not set to "yes", this is a finding. Verify that each zone on the name server has been signed. Identify each zone file that the name sever is responsible for and search each file for the "DNSKEY" entries: # less <signed_zone_file> 86400 DNSKEY 257 3 8 ( HASHED_KEY ) ; KSK; alg = ECDSAP256SHA256; key id = 31225 86400 DNSKEY 256 3 8 ( HASHED_KEY ) ; ZSK; alg = ECDSAP256SHA256; key id = 52179 Ensure that there are separate "DNSKEY" entries for the "KSK" and the "ZSK" If the "DNSKEY" entries are missing, the zone file is not signed. If the zone files are not signed, this is a finding.
Set the "dnssec-enable" option to yes. Sign each zone file that the name server is responsible for. Configure each zone the name server is responsible for to use a DNSSEC signed zone.
If the server is in a classified network, this is Not Applicable. Verify that there is a DS record set for each child zone defined in "/etc/named.conf" file. For each child zone listed in "/etc/named.conf" file, verify there is a corresponding "dsset-zone_name" file. If any child zone does not have a corresponding DS record set, this is a finding.
Sign each child zone. During the zone signing process, ensure that a DS record is created and is stored on the Parent zone name server.
If the server is in a classified network, this is Not Applicable. Note: This requirement does not validate the sig-validity-interval. This requirement ensures the signature validity period (i.e., the time from the signature’s inception until the signature’s expiration). It is recommended to ensure the Start of Authority (SOA) expire period (how long a secondary will still treat its copy of the zone data as valid if it cannot contact the primary.) is configured to ensure the SOA does not expire during the period of signature inception and signature expiration. With the assistance of the DNS Administrator, identify the RRSIGs that cover the DS resource records for each child zone. Each record will list an expiration and inception date, the difference of which will provide the validity period. The dates are listed in the following format: YYYYMMDDHHMMSS For each RRSIG identified, verify that the validity period is no less than two days and is no longer than seven days. If the validity period is outside of the specified range, this is a finding.
Resign the child zone files and have the zone administrator provide updated DS resource records for the child zone.
Verify that the core BIND 9.x server files are owned by the root or BIND 9.x process account. With the assistance of the DNS administrator, identify the following files: named.conf root hints master zone file(s) slave zone files(s) Note: The name of the root hints file is defined in named.conf. Common names for the file are root.hints, named.cache, or db.cache. If the identified files are not owned by the root or BIND 9.x process account, this is a finding.
Change the ownership of the files to the root or BIND 9.x process account. # chown <account_name> <file>
Verify that the core BIND 9.x server files are group owned by a group designated for DNS administration only. With the assistance of the DNS administrator, identify the following files: named.conf root hints master zone file(s) slave zone file(s) Note: The name of the root hints file is defined in named.conf. Common names for the file are root.hints, named.cache, or db.cache. If the identified files are not group owned by a group designated for DNS administration, this is a finding.
Change the ownership of the core BIND 9.x server files to the process account group. # chgrp (BIND 9.x process account) <file>
With the assistance of the DNS administrator, identify the following files: named.conf : rw-r----- root hints : rw-r----- master zone file(s): rw-r----- slave zone file(s): rw-rw---- Note: The name of the root hints file is defined in named.conf. Common names for the file are root.hints, named.cache, or db.cache. Verify that the permissions for the core BIND 9.x server files are at least as restrictive as listed above. If the identified files are not as least as restrictive as listed above, this is a finding.
Configure the permissions of each file to the following: named.conf : rw-r----- root hints : rw-r----- master zone file(s): rw-r----- slave zone file(s): rw-rw----
If the BIND 9.x name server is not configured for split DNS, this is Not Applicable. Verify that the BIND 9.x server is configured to use separate views and address space for internal and external DNS operations when operating in a split configuration. Inspect the "named.conf" file for the following: view "internal" { match-clients { <ip_address> | <address_match_list> }; zone "example.com" { type master; file "internals.example.com"; }; }; view "external" { match-clients { <ip_address> | <address_match_list> }; zone "example.com" { type master; file "externals.db.example.com"; allow-transfer { slaves; }; }; }; If the internal and external view statements are configured to use the same zone file, this is a finding. Inspect the zone file defined in the internal and external view statements. If any resource record is listed in both the internal and external zone files, this is a finding.
Edit the "named.conf" file. Configure the internal and external view statements to use separate zone files. Edit the internal and external zone files. Configure the zone file to use RRs designated for internal or external use. The zone files should not share any RR.
If the BIND 9.x name server is not configured for split DNS, this is Not Applicable. Verify that the external view of the BIND 9.x server is configured to only serve external hosts. Inspect the "named.conf" file for the following: view "external" { match-clients { <ip_address> | <address_match_list>; }; }; If the "match-clients" sub statement does not limit the external view to external hosts only, this is a finding.
Edit the "named.conf" file. Configure the external view statement to server external hosts only: view "external" { match-clients { <ip_address> | <address_match_list>; }; }; Restart the BIND 9.x process.
If the BIND 9.x name server is not configured for split DNS, this is Not Applicable. Verify that the BIND 9.x server is configured to use the "match-clients" sub statement to limit the reach of the internal view from the external view. Inspect the "named.conf" file for the following: view "internal" { match-clients { <ip_address> | <address_match_list>; }; }; If the "match-clients" sub statement is missing for the internal view, this is a finding. If the "match-clients" sub statement for the internal view does not limit the view to authorized hosts, this is a finding. If any of the IP addresses defined for the "match-clients" sub statement in the internal view are assigned to external hosts, this is a finding.
Edit the "named.conf" file. Configure the internal view statement to limit use authorized internal hosts: view "internal" { match-clients { <ip_address> | <address_match_list>; }; }; Remove any IP address that is assigned to an external host from the internal view statement. Restart the BIND 9.x process.
Severity Override Guidance: If the internal and external views are on separate network segments, this finding may be downgraded to a CAT II. If the BIND 9.x name server is not configured for split DNS, this is Not Applicable. Verify that the BIND 9.x server is configured to use separate views and address space for internal and external DNS operations when operating in a split configuration. Inspect the "named.conf" file for the following: view "internal" { match-clients { <ip_address> | <address_match_list> }; zone "example.com" { type master; file "internals.example.com"; }; }; view "external" { match-clients { <ip_address> | <address_match_list> }; zone "example.com" { type master; file "externals.db.example.com"; allow-transfer { slaves; }; }; }; If an external view is listed before an internal view, this is a finding. If the internal and external views are on the same network segment, this is a finding. Note: BIND 9.x reads the "named.conf" file from top to bottom. If a less stringent "match-clients" statement is processed before a more stringent "match-clients" statement, the more stringent statement will be ignored. With this in mind, all internal view statements should be listed before any external view statement in the "named.conf" file.
Edit the "named.conf" file. Configure the internal and external view statements to use separate network segments. Configure all internal view statements to be listed before any external view statement. Restart the BIND 9.x process.
If the BIND 9.x name server is not configured for split DNS, this is Not Applicable. With the assistance of the DNS administrator, identify if the BIND 9.x implementation is using a hidden master name server, if it is not, this is Not Applicable. In a split DNS configuration that is using a hidden master name server, verify that the name server IP address is not listed in the zone file. With the assistance of the DNS administrator, obtain the IP address of the hidden master name server. Inspect each zone file used by the hidden master name server and its slave zones. If the IP address for the hidden master name server is listed in any of the zone files, this is a finding.
Edit the zone file(s). Remove all references to the hidden master name server. Restart the BIND 9.x process.
If the BIND 9.x name server is not configured for split DNS, this is Not Applicable. Verify that the split DNS implementation has been approved by the organizations Authorizing Official. With the assistance of the DNS administrator, obtain the Authorizing Official’s letter of approval for the split DNS implementation. If the split DNS implementation has not been approved by the organizations Authorizing Official, this is a finding.
Obtain approval for the split DNS implementation from the Authorizing Official.
If the server is in a classified network, this is Not Applicable. Note: This check only verifies for ZSK key file ownership. Permissions for key files are required under V-72451, BIND-9X-001132 and V-72461, BIND-9X-001142. For each signed zone file, identify the ZSK "key id" number: # cat <signed_zone_file> | grep -i "zsk" ZSK; alg = ECDSAP256SHA256; key id = 22335 Using the ZSK "key id", identify the private ZSK. Kexample.com.+008+22335.private Verify that the private ZSK is owned by root: # ls -l <ZSK_key_file> -r------- 1 root root 1776 Jul 3 17:56 Kexample.com.+008+22335.private If the key file is not owned by root, this is a finding.
Change the ownership of the ZSK private key to the root account. # chown root <key_file>
If the server is in a classified network, this is Not Applicable. Note: This check only verifies for ZSK key file ownership. Permissions for key files are required under V-72451, BIND-9X-001132 and V-72461, BIND-9X-001142. For each signed zone file, identify the ZSK "key id" number: # cat <signed_zone_file> | grep -i "zsk" ZSK; alg = ECDSAP256SHA256; key id = 22335 Using the ZSK "key id", verify the private ZSK. Kexample.com.+008+22335.private Verify that the private ZSK is owned by root: # ls -l <ZSK_key_file> -r------- 1 root root 1776 Jul 3 17:56 Kexample.com.+008+22335.private If the key file is not group owned by root, this is a finding.
Change the group ownership of the ZSK private key to the root group account. # chgrp root <key_file>
On an authoritative name sever, verify that each zone statement defined in the "named.conf" file contains an "allow-transfer" statement. Inspect the "named.conf" file for the following: zone example.com { allow-transfer { <ip_address_list>; }; }; If there is not an "allow-transfer" statement for each zone defined, or the list contains IP addresses that are not authorized for that zone, this is a finding. On a slave name server, verify that each zone statement defined in the "named.conf" file contains an "allow-transfer" statement. Inspect the "named.conf" file for the following: zone example.com { allow-transfer { none; }; }; If there is not an "allow-transfer" statement, or the statement is not set to "none", this is a finding.
For an authoritative name server: Configure each zone statement to allow transfers from authorized hosts: allow-transfer { <ip_address_list>; }; Restart the BIND 9.x process. For a secondary server: Configure each zone to deny zone transfer requests: allow-transfer { none; }; Restart the BIND 9.x process.
If the server is in a classified network, this is Not Applicable. With the assistance of the DNS Administrator, identify the RRSIGs that cover the DNSKEY resource record set for each zone. Each record will list an expiration and inception date, the difference of which will provide the validity period. The dates are listed in the following format: YYYYMMDDHHMMSS For each RRSIG identified, verify that the validity period is no less than two days and is no longer than seven days. If the validity period is outside of the specified range, this is a finding.
Resign each zone that is outside of the validity period. Restart the BIND 9.x process.
If the server is in a classified network, this is Not Applicable. If the server is on an internal, restricted network with reserved IP space, this is Not Applicable. With the assistance of the DNS Administrator, identify each internal DNS zone listed in the "named.conf" file. For each internal zone identified, inspect the signed zone file for the NSEC resource records: 86400 NSEC example.com. A RRSIG NSEC If the zone file does not contain an NSEC record for the zone, this is a finding.
Resign each zone that is missing NSEC records. Restart the BIND 9.x process.
Verify that each name server listed on the BIND 9.x server is authoritative for the domain it supports. Inspect the "named.conf" file and identify all of the zone files that the BIND 9.x server is using. zone "example.com" { file "zone_file"; }; Inspect each zone file and identify each NS record listed. 86400 NS ns1.example.com 86400 NS ns2.example.com With the assistance of the DNS Administrator, verify that each name server listed is authoritative for that domain. If there are name servers listed in the zone file that are not authoritative for the specified domain, this is a finding.
Edit the zone file(s). Remove any name server that the BIND 9.x server is not authoritative for. Restart the BIND 9.x process.
Verify that each name server listed on the BIND 9.x server is on a separate network segment. Inspect the "named.conf" file and identify all of the zone files that the BIND 9.x server is using. zone "example.com" { file "zone_file"; }; Inspect each zone file and identify each A record for each NS record listed: ns1.example.com 86400 IN A 192.168.1.4 ns2.example.com 86400 IN A 192.168.2.4 If there are name servers listed in the zone file that are not on different network segments for the specified domain, this is a finding.
Edit the zone file and configure each name server on a separate network segment.
Verify that the SOA record is at the same version for all authoritative servers for a specific zone. With the assistance of the DNS administrator, identify each name server that is authoritative for each zone. Inspect each zone file that the server is authoritative for and identify the following: example.com. 86400 IN SOA ns1.example.com. root.example.com. (17760704;serial) If the SOA "serial" numbers are not identical on each authoritative name server, this is a finding.
Edit the zone file. Update the SOA record serial number.
If this is an authoritative name server, this is Not Applicable. Identify the local root zone file in named.conf: zone "." IN { type hint; file "<file_name>" }; Examine the local root zone file. If the local root zone file lists domains outside of the name server’s primary domain, this is a finding.
Edit the local root zone file. Remove any reference to a domain that is outside of the name server’s primary domain. Restart the BIND 9.x process.
If this server is a caching name server, this is Not Applicable. Ensure there is not a local root zone on the name server. Inspect the "named.conf" file for the following: zone "." IN { type hint; file "<file_name>" }; If the file name identified is not empty or does exist, this is a finding.
Remove the local root zone file from the name server.
Verify that the zone files used by the BIND 9.x server do not contain resource records for a domain in which the server is not authoritative. The exceptions are glue records supporting zone delegations, CNAME records supporting a system migration, or CNAME records that point to third-party Content Delivery Networks (CDN) or cloud computing platforms. In the case of third-party CDNs or cloud offerings, an approved mission need must be demonstrated. Inspect the "named.conf" file to identify the zone files, for which the server is authoritative: zone example.com { file "db.example.com.signed"; }; Inspect each zone file for which the server is authoritative. If there are CNAME records that point to third-party Content Delivery Networks (CDN) or cloud computing platforms without an AO-approved and documented mission need, this is a finding. If a zone file contains records that resolve to another zone, excluding the above, this is a finding.
In the case of third-party CDNs or cloud offerings, document the mission need with the AO. Edit the zone file. Remove any record that points to a different zone, with the exception of approved CDNs or cloud offerings. Restart the BIND 9.x process.
Verify that the zone files used by the BIND 9.x server do not contain resource records for a domain in which the server is not authoritative. Inspect the "named.conf" file for the following: zone example.com { file "db.example.com.signed"; }; Inspect each zone file for "CNAME" records and verify with the DNS administrator that these records are less than 6 months old. The exceptions are glue records supporting zone delegations, CNAME records supporting a system migration, or CNAME records that point to third-party Content Delivery Networks (CDN) or cloud computing platforms. In the case of third-party CDNs or cloud offerings, an approved mission need must be demonstrated. If there are CNAME records that point to third-party Content Delivery Networks (CDNs) or cloud computing platforms without an AO-approved and documented mission need, this is a finding. If a CNAME record is more than six months old, excluding the above, this is a finding.
In the case of third-party CDNs or cloud offerings, document the mission need with the AO. Edit the zone file. Remove CNAME records that are older than six months that do not meet the CDN or cloud offering criteria. Restart the BIND 9.x process.
If the server is not a caching server, this is Not Applicable. This is Not Applicable to SIPR. Note: The use of the DREN Enterprise Recursive DNS (Domain Name System) servers, as mandated by the DoDIN service provider Defense Research and Engineering Network (DREN), meets the intent of this requirement. Verify that the server is configured to forward all DNS traffic to the DISA Enterprise Recursive Service (ERS) anycast IP addresses ( <IP_ADDRESS_LIST>; ): Inspect the "named.conf" file for the following: forward only; forwarders { <IP_ADDRESS_LIST>; }; If the "named.conf" options are not set to forward queries only to the ERS anycast IPs, this is a finding. Note: "<IP_ADDRESS_LIST>" should be replaced with the current ERS IP addresses.
Configure the BIND 9.x caching name server to utilize the DISA ERS anycast IP addresses. Edit the "named.conf" file and add the following to the global options statement: forward only; forwarders { <IP_ADDRESS_LIST>; }; Note: "<IP_ADDRESS_LIST>" should be replaced with the current ERS IP addresses. Restart the BIND 9.x process.