The platform on which the name server software is hosted must only run processes and services needed to support the BIND 9.x implementation.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-207534 | BIND-9X-001002 | SV-207534r879887_rule | CCI-000366 | medium |
| Description | ||||
| Hosts that run the name server software should not provide any other services. Unnecessary services running on the DNS server can introduce additional attack vectors leading to the compromise of an organization’s DNS architecture. | ||||
| STIG | Date | |||
| BIND 9.x Security Technical Implementation Guide | 2024-02-15 | |||
Related Frameworks
4 paths across 3 frameworks
Related Frameworks
NIST 800-531 mapping
CM-6
1.00
- DISA · 2 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
NIST 800-1712 mappings
3.4.1
1.00
- DISA · 2 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
3.4.2
1.00
- DISA · 2 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
CCI1 mapping
CCI-000366
1.00
- DISA · 2 · disa_xccdf · related
Details
Check Text (C-207534r879887_chk)
Verify that the BIND 9.x server is dedicated for DNS traffic:
With the assistance of the DNS administrator, identify all of the processes running on the BIND 9.x server:
# ps -ef | less
If any of the identified processes are not in support of normal OS functionality or in support of the BIND 9.x process, this is a finding.
Fix Text (F-7789r283657_fix)
Disable or uninstall all non-DNS related applications from the BIND 9.x server.