The BIND 9.x server implementation must have fetches-per-zone enabled.
| Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-275936 | SRG-APP-000516-DNS-000109 | BIND-9X-002450 | SV-275936r1124069_rule | 2025-07-24 | 3 |
| Description |
|---|
| The fetches-per-zone option in BIND 9.x is a configuration parameter that controls the maximum number of simultaneous iterative queries a recursive resolver can send to a single authoritative server for a specific domain. This helps protect authoritative servers from being overwhelmed by queries, especially during a denial-of-service (DoS) attack. |
| ℹ️ Check |
|---|
| Verify fetches-per-zone is enabled with an organization-defined number. Inspect the named.conf file for the following in the options block: `options { fetches-per-zone <integer> drop; };` If fetches-per-zone is not enabled and set to drop, this is a finding. |
| ✔️ Fix |
|---|
| Modify the BIND configuration file (/etc/named.conf). Add the fetches-per-zone option to the options section of the configuration file: `fetches-per-zone <integer> drop;` After making changes, reload or restart BIND to apply the new settings. |
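The following script is an added example for the Check and Fix above; it is not part of the STIG text and not DISA's or ISC's own tooling. It scans a named.conf for `fetches-per-zone <integer> drop;` inside the top-level `options` block and reports the finding conditions the Check describes (option absent, a value of 0 that sets no limit, or an action other than `drop`). The three sample configuration files it writes are constructed for illustration, and the limit of 200 in the compliant sample is a placeholder for the organization-defined value, not a recommended number.

```shell
#!/bin/sh
# Added example for STIG rule BIND-9X-002450; not DISA's or ISC's code.
# Checks a named.conf for "fetches-per-zone <integer> drop;" in the
# options block and reports a finding otherwise.

# Usage: check_fetches_per_zone /path/to/named.conf
# Prints "pass <integer>" and returns 0 when compliant; otherwise prints
# "finding: <reason>" and returns 1.
check_fetches_per_zone() {
    result=$(awk '
        # drop // and # comments (C-style block comments are not handled)
        { sub(/\/\/.*/, ""); sub(/#.*/, "") }
        # enter the top-level options block and track its brace depth
        /^[ \t]*options[ \t]*[{]/ { in_opts = 1; depth = 0 }
        in_opts {
            depth += gsub(/[{]/, "{")
            depth -= gsub(/[}]/, "}")
            if ($1 == "fetches-per-zone") {
                value = $2; sub(/;$/, "", value)
                action = $3; sub(/;$/, "", action)
                found = 1
            }
            if (depth <= 0) in_opts = 0
        }
        # a value of 0 is the BIND default and means no per-zone limit,
        # so it does not satisfy the rule even though the option is present
        END {
            if (!found)
                print "finding: fetches-per-zone is not set in the options block"
            else if (value !~ /^[0-9]+$/ || value + 0 == 0)
                print "finding: fetches-per-zone value \"" value "\" does not set a limit"
            else if (action != "drop")
                print "finding: fetches-per-zone " value " is not followed by drop"
            else
                print "pass " value
        }
    ' "$1")
    printf '%s\n' "$result"
    case $result in
        pass*) return 0 ;;
        *)     return 1 ;;
    esac
}

# Write three constructed named.conf samples into the given directory.
write_sample_configs() {
    dir="$1"
    # option absent entirely: finding
    cat > "$dir/missing.conf" <<'EOF'
options {
    directory "/var/named";
    recursion yes;
};
EOF
    # limit present but over-quota queries get SERVFAIL instead of being dropped: finding
    cat > "$dir/fail.conf" <<'EOF'
options {
    directory "/var/named";
    fetches-per-zone 200 fail;
};
EOF
    # compliant form (200 is a sample value, not a recommendation)
    cat > "$dir/compliant.conf" <<'EOF'
options {
    directory "/var/named";
    // organization-defined limit
    fetches-per-zone 200 drop;
};
EOF
}

# Demonstration against the constructed samples.
tmp=$(mktemp -d)
write_sample_configs "$tmp"
for f in missing fail compliant; do
    printf '%s: ' "$f"
    check_fetches_per_zone "$tmp/$f.conf" || true
done
rm -rf "$tmp"
```

Run it against a real server with `check_fetches_per_zone /etc/named.conf`; a non-zero exit status marks an open finding. The awk parser only looks at the top-level `options` block, so a `fetches-per-zone` statement placed inside a `view` block is deliberately not counted as satisfying this rule.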