STIGhubSTIGhub
STIGsSearchCompare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • Compare Versions

Resources

  • About
  • Release Notes
  • VPAT
  • DISA STIG Library
STIGs updated 3 hours ago
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to BIND 9.x Security Technical Implementation Guide

V-275936

CAT II (Medium)

The BIND 9.x server implementation must have fetches-per-zone enabled.

Rule ID

SV-275936r1156959_rule

STIG

BIND 9.x Security Technical Implementation Guide

Version

V3R2

CCIs

CCI-000366

Discussion

The fetches-per-zone option in BIND 9.x is a configuration parameter that controls the maximum number of simultaneous iterative queries a recursive resolver can send to a single authoritative server for a specific domain. This helps protect authoritative servers from being overwhelmed by queries, especially during a denial-of-service (DoS) attack.

Check Content

Verify fetches-per-zone is enabled with an organization-defined number. 

Inspect the named.conf file for the following:

options {
fetches-per-zone <integer> drop ;

If fetches-per-zone is not enabled and set to drop, this is a finding.

Fix Text

Modify the BIND configuration file (/etc/named.conf ).

Add the fetches-per-zone option to the options section of the configuration file:
 
fetches-per-zone <integer> drop; 
 
After making changes, reload or restart BIND to apply the new settings.