A BIND 9.x implementation operating in a split DNS configuration must be approved by the organizations Authorizing Official.

From BIND 9.x Security Technical Implementation Guide

Part of SRG-APP-000516-DNS-000500

Associated with: CCI-000366

SV-87117r1_rule A BIND 9.x implementation operating in a split DNS configuration must be approved by the organizations Authorizing Official.

Vulnerability discussion

BIND 9.x has implemented an option to use "view" statements to allow for split DNS architecture to be configured on a single name server. If the split DNS architecture is improperly configured there is a risk that internal IP addresses and host names could leak into the external view of the DNS server. Allowing private IP space to leak into the public DNS system may provide a person with malicious intent the ability to footprint your network and identify potential attack targets residing on your private network.

Check content

If the BIND 9.x name server is not configured for split DNS, this is Not Applicable. Verify that the split DNS implementation has been approved by the organizations Authorizing Official. With the assistance of the DNS administrator, obtain the Authorizing Official’s letter of approval for the split DNS implementation. If the split DNS implementation has not been approved by the organizations Authorizing Official, this is a finding.

Fix text

Obtain approval for the split DNS implementation from the Authorizing Official.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer