On a BIND 9.x server, all root name servers listed in the local root zone file hosted on a BIND 9.x authoritative name server must be empty or removed.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-272397 | BIND-9X-001410 | SV-272397r1124056_rule | CCI-000366 | medium |
| Description | ||||
| A potential vulnerability of DNS is that an attacker can poison a name server's cache by sending queries that will cause the server to obtain host-to-IP address mappings from bogus name servers that respond with incorrect information. The DNS architecture needs to maintain one name server whose zone records are correct and the cache is not poisoned. In this effort, the authoritative name server may not forward queries; one of the ways to prevent this is to delete the root hints file. When authoritative servers are sent queries for zones that they are not authoritative for and they are configured as a noncaching server (as recommended), they can either be configured to return a referral to the root servers or to refuse to answer the query. The requirement is to configure authoritative servers to refuse to answer queries for any zones for which they are not authoritative. This is more efficient for the server and allows it to spend more of its resources for its intended purpose of answering authoritatively for its zone. | ||||
| STIG | Date | |||
| BIND 9.x Security Technical Implementation Guide | 2026-02-25 | |||
Details
Check Text (C-272397r1124056_chk)
If this server is a caching name server, this is not applicable.
Verify there is not a local root zone on the name server.
Inspect the "named.conf" file for the following:
zone "." IN {
type hint;
file "<file_name>"
};
If the file name identified is not empty or does exist, this is a finding.
Fix Text (F-76354r1123503_fix)
Remove the local root zone file from the name server.