On the BIND 9.x server the platform on which the name server software is hosted must be configured to send outgoing DNS messages from a random port.

From BIND 9.x Security Technical Implementation Guide

Associated with: CCI-000366

SV-87043r1_rule On the BIND 9.x server the platform on which the name server software is hosted must be configured to send outgoing DNS messages from a random port.

Vulnerability discussion

Hosts that run the name server software should not provide any other services and therefore should be configured to respond to DNS traffic only. Outgoing DNS messages should be sent from a random port to minimize the risk of an attacker's guessing the outgoing message port and sending forged replies.

Check content

Verify that the BIND 9.x server does not limit outgoing DNS messages to a specific port. Inspect the "named.conf" file for the any instance of the "port" flag: options { listen-on port 53 { ; }; listen-on-v6 port 53 { ; }; }; If any "port" flag is found outside of the "listen-on" or "listen-on-v6" statements, this is a finding.

Fix text

Edit the "named.conf" file. Configure the BIND 9.x server to only use the "port" flag with the "listen-on" and "listen-on-v6" statements: options { listen-on port 53 { ; }; listen-on-v6 port 53 { ; }; }; Restart the BIND 9.x process.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.