The BIND 9.x server implementation must have fetches-per-zone enabled.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-275936 | SRG-APP-000516-DNS-000109 | BIND-9X-002450 | SV-275936r1156959_rule | 2026-05-01 | 3 |
Description
The fetches-per-zone option in BIND 9.x is a configuration parameter that controls the maximum number of simultaneous iterative queries a recursive resolver can send to a single authoritative server for a specific domain. This helps protect authoritative servers from being overwhelmed by queries, especially during a denial-of-service (DoS) attack.
ℹ️ Check
Verify fetches-per-zone is enabled with an organization-defined number.
Inspect the named.conf file for the following:
options {
fetches-per-zone <integer> drop ;
If fetches-per-zone is not enabled and set to drop, this is a finding.
✔️ Fix
Modify the BIND configuration file (/etc/named.conf ).
Add the fetches-per-zone option to the options section of the configuration file:
fetches-per-zone <integer> drop;
After making changes, reload or restart BIND to apply the new settings.