The BIND 9.x server implementation must have QNAME minimization set to "strict".
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-275935 | BIND-9X-002440 | SV-275935r1124025_rule | CCI-000366 | medium |
| Description |
| QNAME minimization limits the amount of information sent in DNS queries to intermediate nameservers, improving privacy by reducing the potential for DNS leak. It modifies the flow of DNS queries to reveal only what is necessary for the current server to find the next one in the resolution chain. |
| STIG | Date |
| BIND 9.x Security Technical Implementation Guide | 2026-02-25 |
Related Frameworks
4 paths across 3 frameworks
NIST 800-53 (1 mapping)
CM-6
1.00
- DISA · V3R2 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
NIST 800-171 (2 mappings)
3.4.1
1.00
- DISA · V3R2 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
3.4.2
1.00
- DISA · V3R2 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
CCI (1 mapping)
CCI-000366
1.00
- DISA · V3R2 · disa_xccdf · related
Details
Check Text (C-275935r1124025_chk)
Verify QNAME minimization is set to "strict".
Inspect the named.conf file for the following:
options {
    qname-minimization strict;
};
If "qname-minimization" is not set to "strict", this is a finding.
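The check above can be scripted. The following is an added example, not part of the STIG or of BIND: it ignores commented-out lines, treats a missing statement as a finding, and goes slightly beyond the check text by also flagging a non-strict value anywhere else in the file (for example in a view block). The function names and sample configurations are constructed for illustration, and files pulled in with include are not followed.

```python
import re

# Constructed sample configurations (not taken from any real server).
COMPLIANT = 'options {\n    directory "/var/named";  // constructed\n    qname-minimization strict;\n};\n'
COMMENTED_OUT = 'options {\n    # qname-minimization strict;\n    recursion yes;\n};\n'
VIEW_OVERRIDE = ('options { qname-minimization strict; };\n'
                 'view "internal" { /* override */ qname-minimization relaxed; };\n')

STMT = re.compile(r'\bqname-minimization\s+([A-Za-z]+)\s*;')

def normalize(text):
    """Blank out comments (/* */, //, #) and quoted strings so only statements remain."""
    pattern = r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*|#[^\n]*'
    return re.sub(pattern, lambda m: '""' if m.group(0)[0] == '"' else " ", text, flags=re.S)

def options_block(text):
    """Return the body of the options { ... } block in normalized text, or None."""
    m = re.search(r'\boptions\s*\{', text)
    if not m:
        return None
    depth = 1
    for i in range(m.end(), len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[m.end():i]
    return None  # unbalanced braces: treat as no usable options block

def check(conf_text):
    """Return (compliant, reasons) for the named.conf text passed in."""
    text = normalize(conf_text)
    block = options_block(text)
    reasons = []
    if block is None or not STMT.search(block):
        reasons.append("options block does not set qname-minimization")
    for value in STMT.findall(text):  # every occurrence, not only options
        if value != "strict":
            reasons.append(f"qname-minimization set to {value!r}")
    return (not reasons, reasons)

if __name__ == "__main__":
    for name, conf in [("compliant", COMPLIANT), ("commented out", COMMENTED_OUT), ("view override", VIEW_OVERRIDE)]:
        print(name, check(conf))
```
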
Fix Text (F-79942r1123958_fix)
Edit the named.conf file:
options {
    qname-minimization strict;
};
After making changes, save the named.conf file and restart the BIND service to apply the changes.