On the BIND 9.x server, the platform on which the name server software is hosted must be configured to send outgoing DNS messages from a random port.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-272402 | SRG-APP-000516-DNS-000110 | BIND-9X-001490 | SV-272402r1124060_rule | 2025-07-24 | 3 |
| Description |
|---|
| OS configuration practices as issued by the U.S. Computer Emergency Response Team (US CERT) and the National Institute of Standards and Technology's (NIST's) National Vulnerability Database (NVD), based on identified vulnerabilities that pertain to the application profile into which the name server software fits should be always followed. In particular, hosts that run the name server software should not provide any other services and therefore should be configured to respond to DNS traffic only. In other words, the only allowed incoming ports/protocols to these hosts should be 53/udp and 53/tcp. Outgoing DNS messages should be sent from a random port to minimize the risk of an attacker guessing the outgoing message port and sending forged replies. |
| ℹ️ Check |
|---|
| Verify that the BIND 9.x server does not limit outgoing DNS messages to a specific port. Inspect the "named.conf" file. The "query-source" and "query-source-v6" must not limit the ports available to be used. options { query-source address <v4_address>; query-source-v6 address <v6_address>; }; If the port flag is used on the query-source address or query-source-v6 address, this is a finding. |
| ✔️ Fix |
|---|
| Edit the "named.conf" file. Configure the BIND 9.x server to not specify ports for the query-source address or query-source-v6 address statements: options { query-source address <v4_address>; query-source-v6 address <v6_address>; }; Restart the BIND 9.x process. |