| Name | DNS BIND Benchmark |
| Version | Version 1.0 |
| Status | Final |
| Creation Date | 2006-January |
| Revision Date | 2006-01-05 |
| Product Category | Domain Name System |
| Vendor | Internet Systems Consortium |
| Product | BIND 9.3.1, BIND 9.2.4 |
| Product Version | BIND 9.3.1, BIND 9.2.4 |
| Product Role | Domain Name Server |
| Checklist Summary | This benchmark is intended to assist administrators in securing BIND (Berkeley Internet Name Domain), an openly redistributable implementation of the Domain Name Service (“DNS”) protocols. While the majority of the recommendations and steps outlined in this document apply to most Unix systems, the specific syntax of some commands varies between Unix platforms, so the reader is encouraged to be familiar with the differences specific to their individual platforms. The provided excerpts have been tested using BIND 9.3.1 on Red Hat Fedora Core 4 and BIND 9.2.4 on Solaris 10. The configuration and security controls provided have been developed through a consensus effort of best practices recommended by a majority of participating security experts. |
| Known Issues | Not Available |
| Target Audience | The audience for the document is at the level of an experienced system administrator, with some specific experience in administering the BIND software. |
| Target Operational Environment | Enterprise |
| Checklist Installation Tools | Not Available. |
| Rollback Capability | Not Available. |
| Testing Information | Not Available. |
| NIAP/CMVP Status | Not Available. |
| Regulatory Compliance | Not Available. |
| Comments, Warnings, Disclaimer, Miscellaneous | Refer to Known Issues. |
| Disclaimer | Differs for Public and Private consumers; please read the disclaimer information on the CIS web site, located at: http://www.cisecurity.org/sub_form.html |
| Product Support | http://www.cisecurity.org/ |
| Submitting Organization/Authors | The Center for Internet Security (CIS) |
| Point of Contact | Not Available |
| Sponsor | Not Available |
| Licensing | Differs for Public and Private consumers; please read the licensing information on the CIS web site, located at: http://www.cisecurity.org/sub_form.html |
| Checklist Homepage | http://www.cisecurity.org/ |
| Download Package | http://www.cisecurity.org/sub_form.html |
| Integrity | sha1 (CIS_BIND_Benchmark_v1.0.pdf) = d34f2ee5f0d5086a35957fd6ce6ea6c5300d3f3f
sha256 (CIS_BIND_Benchmark_v1.0.pdf) = 66adc6cd547a836e4275e8462a40b3bb5b4a20653548aa8277cdcb6ac063cb52 |
| Change History | Version 1.0: 2006-01-05
Version 1.0: 2004-09-18 |
| Dependency/Requirement | Not Available |
| References | Internet Systems Consortium BIND site: http://www.isc.org/sw/bind
NIST SP 800-81, Secure Domain Name System (DNS) Deployment Guide: http://csrc.nist.gov/publications/drafts/DRAFT-SP800-81.pdf
Paul Albitz and Cricket Liu, DNS and BIND, Fourth Edition, O’Reilly, 2001.
DNS, BIND, DHCP, LDAP, and Directory Services: http://www.bind9.net/
“DNS and BIND Security”: http://www.menandmice.com/docs/DNS&BIND_security.pdf
“BIND Security”: http://docs.hp.com/en/B2355-90775/ch02s15.html
“DNS Security”: http://www.whitehats.ca/main/members/Jeff/jeff_dns_security/jeff_dns_security.html
“Secure Dynamic DNS Howto”: http://ops.ietf.org/dns/dynupd/secure-ddns-howto.html
DNSSEC Information: http://www.dnssec.net/
NSA SELinux site: http://www.nsa.gov/selinux/
RedHat SELinux article: http://www.redhat.com/magazine/006apr05/features/selinux/
RFC 2136, Dynamic Updates in the Domain Name System (DNS UPDATE): http://www.ietf.org/rfc/rfc2136.txt |
| NIST Identifier | 1090 |