On a BIND 9.x server, all root name servers listed in the local root zone file hosted on a BIND 9.x authoritative name server must be empty or removed.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-272397 | SRG-APP-000516-DNS-000102 | BIND-9X-001410 | SV-272397r1124056_rule | 2025-07-24 | 3 |
| Description |
|---|
| A potential vulnerability of DNS is that an attacker can poison a name server's cache by sending queries that will cause the server to obtain host-to-IP address mappings from bogus name servers that respond with incorrect information. The DNS architecture needs to maintain one name server whose zone records are correct and the cache is not poisoned. In this effort, the authoritative name server may not forward queries; one of the ways to prevent this is to delete the root hints file. When authoritative servers are sent queries for zones that they are not authoritative for and they are configured as a noncaching server (as recommended), they can either be configured to return a referral to the root servers or to refuse to answer the query. The requirement is to configure authoritative servers to refuse to answer queries for any zones for which they are not authoritative. This is more efficient for the server and allows it to spend more of its resources for its intended purpose of answering authoritatively for its zone. |
| ℹ️ Check |
|---|
| If this server is a caching name server, this is not applicable. Verify there is not a local root zone on the name server. Inspect the "named.conf" file for the following: zone "." IN { type hint; file "<file_name>" }; If the file name identified is not empty or does exist, this is a finding. |
| ✔️ Fix |
|---|
| Remove the local root zone file from the name server. |