STIGhub
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

V-275938

CAT II (Medium)

The host running a BIND 9.x implementation must have DNS cookies enabled.

Rule ID

SV-275938r1156959_rule

STIG

BIND 9.x Security Technical Implementation Guide

Version

V3R2

CCIs

CCI-000366

Discussion

DNS cookies can help prevent spoofing and cache poisoning attacks by verifying the identity of both the client and server. They do this by including a cryptographic identifier (the cookie) in DNS messages, which can be verified in future messages. This makes it difficult for an attacker to learn the cookie values and thus spoof them.

Check Content

Verify answer-cookie is enabled.

Inspect the named.conf file for the following:

    options {
       answer-cookie yes;

If answer-cookie is missing or set to "no", this is a finding.

Fix Text

Edit the named.conf file:

    options {
       answer-cookie yes;
    };

After making changes, save the named.conf file and restart the BIND service to apply the changes.
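As an added example, not part of the STIG or of STIGhub, the following Python script automates the check above against a named.conf file: it strips comments (so a commented-out directive does not count), isolates the top-level options block, and reports a finding when answer-cookie is missing or not set to yes. The sample configurations at the bottom are constructed for illustration.

```python
import re
import sys
from typing import Optional, Tuple

def strip_comments(text: str) -> str:
    """Drop /* */, // and # comments so a commented-out directive is not counted."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.DOTALL)
    return re.sub(r"(//|#).*", "", text)

def options_block(text: str) -> Optional[str]:
    """Return the body of the top-level options { ... } block, or None."""
    m = re.search(r"\boptions\s*\{", text)
    if not m:
        return None
    depth, start = 1, m.end()
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start:i]
    return None  # unbalanced braces: named would reject this file anyway

def check_answer_cookie(named_conf: str) -> Tuple[bool, str]:
    """Apply the V-275938 check and return (is_finding, reason)."""
    body = options_block(strip_comments(named_conf))
    if body is None:
        return True, "no options block found"
    m = re.search(r"\banswer-cookie\s+(yes|no|true|false)\s*;", body, re.I)
    if not m:
        return True, "answer-cookie not set in options block"
    value = m.group(1).lower()
    if value in ("yes", "true"):
        return False, "answer-cookie is enabled"
    return True, f"answer-cookie set to {value}"

# Constructed sample named.conf fragments (not taken from any real host).
COMPLIANT_CONF = 'options {\n  directory "/var/named";\n  answer-cookie yes; // ok\n};\n'
DISABLED_CONF = "options {\n  answer-cookie no;\n};\n"
COMMENTED_CONF = "options {\n  # answer-cookie yes;\n};\n"

if __name__ == "__main__":
    # Usage: python check_cookie.py /etc/named.conf
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/named.conf"
    finding, reason = check_answer_cookie(open(path).read())
    print(("FINDING: " if finding else "OK: ") + reason)
```

The script reads a single file and does not follow include statements; to check the fully resolved configuration, feed it the output of `named-checkconf -p` instead.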