From Domain Name System (DNS) Security Requirements Guide
Part of SRG-APP-000333-DNS-000104
Associated with: CCI-002201
Each newer version of name server software, BIND in particular, is generally free of the vulnerabilities found in earlier versions because it incorporates design changes that address them. Those vulnerabilities have already been exploited (i.e., some form of attack was launched), and sufficient information has been generated about the nature of those exploits. It therefore makes good business sense to run the latest version of the name server software because, in theory, it is the safest version.
Review the DNS configuration files. Verify the DNS name server is explicitly configured to refuse queries asking for its version information. If the name server is not configured to explicitly refuse queries asking for its version information, this is a finding.
Configure the name server to refuse queries for its version information.
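One way to automate the configuration review above for BIND's named.conf, as an added example that is not part of the SRG: it relies on BIND's `version` statement in the `options` block, where `version none;` disables processing of version queries. The function names, status labels and sample configurations are constructed for illustration, and reporting a custom version string as "masked" rather than refused is this example's reading of the check.

```python
import re

def strip_comments(conf):
    # named.conf allows /* */, // and # comments. Simplification: a // or #
    # inside a quoted string would also be cut here.
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#).*", "", conf)

def options_body(conf):
    # Return the text inside the options { ... } block, or None if absent.
    m = re.search(r"(?<![\w-])options\s*\{", conf)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(conf) and depth:          # walk past nested { } blocks
        depth += {"{": 1, "}": -1}.get(conf[i], 0)
        i += 1
    return conf[m.end():i - 1]

def version_query_status(conf):
    """Classify a named.conf text as 'refused', 'masked' or 'disclosed'."""
    body = options_body(strip_comments(conf))
    m = re.search(r'(?<![\w-])version\s+(none|"[^"]*")\s*;', body or "")
    if not m:
        return "disclosed"   # no statement: BIND answers with its real version
    if m.group(1) == "none":
        return "refused"     # version none; turns off processing of the query
    return "masked"          # a substitute string is still returned to clients

# Constructed sample configurations (not taken from any real server).
HARDENED = """
options {
    directory "/var/named";
    allow-query { any; };   // nested block before the statement
    version none;
};
"""
MASKED = 'options { version "not disclosed"; };'
COMMENTED_OUT = """
options {
    # version none;
    recursion no;
};
"""

if __name__ == "__main__":
    for name, conf in [("hardened", HARDENED), ("masked", MASKED),
                       ("commented-out", COMMENTED_OUT)]:
        print(name, "->", version_query_status(conf))
```

Only the "refused" result shows an explicit refusal; "disclosed" and "masked" both mean the server still answers the version query.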