A BIND 9.x caching name server must implement DNSSEC validation to check all DNS queries for invalid input.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-207558	SRG-APP-000447-DNS-000068	BIND-9X-001060	SV-207558r879818_rule	2024-02-15	2

Description
A common vulnerability of applications is unpredictable behavior when invalid inputs are received. This requirement guards against adverse or unintended system behavior caused by invalid inputs, where information system responses to the invalid input may be disruptive or cause the system to fail into an unsafe state. Attacks may be generated by entering invalid data into DNS transactions, in the hopes that the data will not be handled correctly and will allow a vulnerable condition to be exploited. To safeguard against this, all untrusted data entered in DNS transactions (e.g., DNS queries) should be checked for validity before being processed further.

Description

A common vulnerability of applications is unpredictable behavior when invalid inputs are received. This requirement guards against adverse or unintended system behavior caused by invalid inputs, where information system responses to the invalid input may be disruptive or cause the system to fail into an unsafe state. Attacks may be generated by entering invalid data into DNS transactions, in the hopes that the data will not be handled correctly and will allow a vulnerable condition to be exploited. To safeguard against this, all untrusted data entered in DNS transactions (e.g., DNS queries) should be checked for validity before being processed further.

ℹ️ Check
If the server is not a caching name server, this is Not Applicable. If the server is in a classified network, this is Not Applicable. If the caching name server is only forwarding to the DISA ERS for query resolution and is not authoritative for any zones, DNSSEC awareness is not required since the ERS is validating. Verify the server is configured to use DNSSEC validation for all DNS queries. Inspect the "named.conf" file for the following: options { dnssec-validation yes; dnssec-enable yes; (this requirement is enforced with BIND-9X-001200. }; managed-keys { "." initial-key 257 3 8 "<root-trust-anchor-data>"; }; If "dnssec-enable" is not set to "yes" or is missing, this is a finding. If "dnssec-validation" is not set to "yes" or is missing, this is a finding. If the "managed-keys" statement is missing, this is a finding. Note: The <root-trust-anchor-data> should be replaced with the actual trust anchor.

ℹ️ Check

If the server is not a caching name server, this is Not Applicable. If the server is in a classified network, this is Not Applicable. If the caching name server is only forwarding to the DISA ERS for query resolution and is not authoritative for any zones, DNSSEC awareness is not required since the ERS is validating. Verify the server is configured to use DNSSEC validation for all DNS queries. Inspect the "named.conf" file for the following: options { dnssec-validation yes; dnssec-enable yes; (this requirement is enforced with BIND-9X-001200. }; managed-keys { "." initial-key 257 3 8 "<root-trust-anchor-data>"; }; If "dnssec-enable" is not set to "yes" or is missing, this is a finding. If "dnssec-validation" is not set to "yes" or is missing, this is a finding. If the "managed-keys" statement is missing, this is a finding. Note: The <root-trust-anchor-data> should be replaced with the actual trust anchor.

✔️ Fix
Enable DNSSEC validation on the name server. Set the "dnssec-validation" sub statement in the global options block to "yes". Set the “dnssec-enable” to “yes”. Configure the "managed-keys" statement to use the root domains trust anchor. Restart the BIND 9.x process.