The BIND 9.x server implementation must have QNAME minimization set to "strict".
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-275935 | BIND-9X-002440 | SV-275935r1124025_rule | CCI-000366 | medium |
| Description | ||||
| QNAME minimization limits the amount of information sent in DNS queries to intermediate nameservers, improving privacy by reducing the potential for DNS leak. It modifies the flow of DNS queries to reveal only what is necessary for the current server to find the next one in the resolution chain. | ||||
| STIG | Date | |||
| BIND 9.x Security Technical Implementation Guide | 2026-02-25 | |||
Details
Check Text (C-275935r1124025_chk)
Verify QNAME minimization is set to "strict".
Inspect the named.conf file for the following:
options {
qname-minimization strict;
If the qname minimization is not set to "strict", this is a finding.
Fix Text (F-79942r1123958_fix)
Edit the named.conf file
options {
qname-minimization strict;
};
After making changes, save the named.conf file and restart the BIND service to apply the changes.