
CIS ISC BIND DNS Server 9.11 Benchmark 1.0.0 Checklist Details

Supporting Resources:

Target:

Target CPE Name
BIND 9.x cpe:/a:isc:bind:9.0

Checklist Highlights

Checklist Name:
CIS ISC BIND DNS Server 9.11 Benchmark
Checklist ID:
1144
Version:
1.0.0
Type:
Compliance
Review Status:
Final
Authority:
Third Party: Center for Internet Security (CIS)
Original Publication Date:
10/23/2020

Checklist Summary:

This document is intended for system and application administrators, security specialists, auditors, help desk, and platform deployment personnel who plan to develop, deploy, assess, or secure solutions that incorporate ISC (Internet Systems Consortium) BIND (Berkeley Internet Name Domain) DNS Server 9.11 running on Linux.

Several environment variables are defined to identify the BIND configuration files and directory paths, which may differ for each installation. The audit and remediation steps reference these variables so that the benchmark stays as independent of installation specifics as is reasonable. The directory paths should not include a trailing slash after the directory name.

  • $CONFIG_FILES – List of the primary configuration file and all included configuration files. Typically, /etc/named.conf and other included files. A recursive search for the "include" directive should locate all configuration files.
  • $ZONE_FILES – All zone files referenced in the configuration files, regardless of type.
  • $BIND_HOME – Directory under which BIND runs, typically /var/named or a chrooted equivalent.
  • $RUNDIR – Directory for temporary run time files, typically /var/run/named, /run/named or a chrooted equivalent.
  • $DYNDIR – Directory for managed keys which are dynamically updated. Typically, /var/named/dynamic or a chrooted equivalent.
  • $SLAVEDIR – Directory for dynamically updated slave zone files. Typically, /var/named/slaves.
  • $DATADIR – Directory for run time statistics.
  • $LOGDIR – Directory for log files. Typically, /var/named/slaves.
  • $TMPDIR – Directory for temporary files. Typically, /tmp.
  • $KEYDIR – Directory for signing key files.
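The $CONFIG_FILES list above is built by following "include" directives recursively. As an added illustration (not part of the NCP record or the CIS benchmark), the bash function below does that walk from a primary configuration file, skips commented-out includes, and tolerates include loops; it assumes that relative include paths resolve against the primary file's directory (on a real server they resolve against the "directory" option, so adjust accordingly), and the demo tree it scans is constructed in a temporary directory.

```bash
#!/bin/bash
# Added example (not the benchmark's own code): enumerate the $CONFIG_FILES set
# by recursively following  include "path";  directives from the primary file.

# collect_config_files PRIMARY  -> prints each reachable configuration file once
collect_config_files() {
    local -a queue=("$1")
    local -A seen=()
    local cur inc
    while ((${#queue[@]})); do
        cur=${queue[0]}; queue=("${queue[@]:1}")
        [[ -n ${seen[$cur]} ]] && continue      # include loop or duplicate
        seen[$cur]=1
        printf '%s\n' "$cur"
        [[ -r $cur ]] || continue               # still listed, just not descended
        # Drop comment lines (// or #), then extract the quoted include path.
        while IFS= read -r inc; do
            # Assumption: relative paths resolve against the primary file's dir
            # (BIND itself uses the "directory" option / chroot working dir).
            [[ $inc == /* ]] || inc="$(dirname "$1")/$inc"
            queue+=("$inc")
        done < <(grep -Ev '^[[:space:]]*(//|#)' "$cur" \
                 | sed -n 's/^[[:space:]]*include[[:space:]]*"\([^"]*\)"[[:space:]]*;.*/\1/p')
    done
}

# --- constructed demo tree (not a real installation) ---
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/keys"
cat > "$demo_dir/named.conf" <<'EOF'
options { directory "/var/named"; };
include "named.rfc1912.zones";
// include "disabled.conf";
include "keys/rndc.key";
EOF
printf 'include "named.conf";\n' > "$demo_dir/named.rfc1912.zones"   # include loop
printf 'key "rndc-key" { algorithm hmac-sha256; secret "x"; };\n' > "$demo_dir/keys/rndc.key"

CONFIG_FILES=$(collect_config_files "$demo_dir/named.conf")   # three paths
printf '%s\n' "$CONFIG_FILES"
```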

Checklist Role:

  • DNS Server
  • Domain Name Server

Known Issues:

Not provided.

Target Audience:

This document, CIS ISC BIND DNS Server Benchmark, provides prescriptive guidance for establishing a secure configuration posture for the ISC BIND DNS Server versions 9.11 running on Linux. This guide was tested using BIND version 9.11 installed from rpm packages on CentOS Linux 8.1. To obtain the latest version of this guide, please visit http://benchmarks.cisecurity.org. If you have questions, comments, or have identified ways to improve this guide, please write us at feedback@cisecurity.org.

Target Operational Environment:

  • Managed
  • Specialized Security-Limited Functionality (SSLF)

Testing Information:

Not provided.

Regulatory Compliance:

Not provided.

Comments/Warnings/Miscellaneous:

Not provided.

Disclaimer:

Not provided.

Product Support:

Not provided.

Point of Contact:

feedback@cisecurity.org

Sponsor:

Not provided.

Licensing:

Not provided.

Change History:

new checklist - 2/28/24
updated status to FINAL - 3/28/24

Dependency/Requirements:


References:


NIST checklist record last modified on 03/28/2024