From BIND 9.x Security Technical Implementation Guide
Part of SRG-APP-000246-DNS-000035
Associated with: CCI-001094
Any host that can query a resolving name server has the potential to poison the servers name cache or take advantage of other vulnerabilities that may be accessed through the query service. The best way to prevent this type of attack is to limit queries to internal hosts, which need to have this service available to them.
This check is only applicable to caching name servers. Verify the allow-query and allow-recursion phrases are properly configured. Inspect the "named.conf" file for the following: allow-query {trustworthy_hosts;}; allow-recursion {trustworthy_hosts;}; The name of the ACL does not need to be "trustworthy_hosts" but the name should match the ACL name defined earlier in "named.conf" for this purpose. If not, this is a finding. Verify non-internal IP addresses do not appear in either the referenced ACL (e.g., trustworthy_hosts) or directly in the statements themselves. If non-internal IP addresses appear, this is a finding.
Configure the caching name server to accept recursive queries only from the IP addresses and address ranges of known supported clients. Edit the "named.conf" file and add the following to the options statement: allow-query {trustworthy_hosts;}; allow-recursion {trustworthy_hosts;}; Restart the BIND 9.x process
Lavender hyperlinks in small type off to the right (of CSS
class id, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header Accept:
text/turtle or
Accept: application/rdf+xml.
Powered by sagemincer