
The Exchange Edge server must point to a trusted list of DNS servers for external and internal resolution.


Overview

Finding ID:  V-259636
Version:     EX19-ED-000224
Rule ID:     SV-259636r942222_rule
IA Controls: (none listed)
Severity:    Medium

Description
To mitigate the risk of DNS queries being answered erroneously or co-opted by bad actors, the Exchange Edge server must use DNS servers that utilize DNSSEC to resolve external hosts and internal hosts before routing messages to the appropriate destination.

STIG Date
Microsoft Exchange 2019 Edge Server Security Technical Implementation Guide 2024-01-10

Details

Check Text ( C-63375r942220_chk )
Verify in the EDSP or consult with the appropriate personnel who manage DNS which servers to use for Internal and External DNS resolution.

If the server is not multi-homed, this does not apply.

In Exchange Management Shell, run the following command:

Get-TransportService |Format-List *dns*

If "ExternalDNSAdapterEnabled : True", and no GUID exists, this is a finding.

If "ExternalDNSAdapterEnabled : False", and the property "ExternalDNSServers" is not populated with the documented trusted DNS servers for External DNS queries, this is a finding.

If "InternalDNSAdapterEnabled : True" and no GUID exists, this is a finding.

If "InternalDNSAdapterEnabled : False" and the property "InternalDNSServers" is not populated with the documented trusted DNS servers for Internal DNS queries, this is a finding.
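The four check conditions above, expressed as a reusable Exchange Management Shell function. This is an added example, not part of the STIG text: the function name, its parameters, the assumption that an all-zero adapter GUID counts as "no GUID", and the constructed sample object used for offline testing are all this example's own; the documented trusted server lists must come from the EDSP.

```powershell
# Added example: evaluate the V-259636 check against Get-TransportService output.
# Assumptions: trusted server lists are supplied by the caller; an empty or all-zero
# adapter GUID is treated as "no GUID exists"; non-multi-homed servers are N/A.
function Test-EdgeDnsConfiguration {
    param(
        [Parameter(Mandatory)] [string[]] $ExpectedInternalDns,  # documented trusted internal DNS servers (from EDSP)
        [Parameter(Mandatory)] [string[]] $ExpectedExternalDns,  # documented trusted external DNS servers (from EDSP)
        [bool] $MultiHomed = $true,                               # the check applies only to multi-homed Edge servers
        $TransportService = $null                                 # pass an object for offline testing; default queries the server
    )

    if (-not $MultiHomed) {
        return [pscustomobject]@{ Status = 'NotApplicable'; Findings = @() }
    }
    if ($null -eq $TransportService) {
        $TransportService = Get-TransportService
    }

    $findings = @()
    foreach ($side in 'External', 'Internal') {
        # Property names match the Get-TransportService | Format-List *dns* output.
        $enabled  = $TransportService."${side}DNSAdapterEnabled"
        $guid     = [string]$TransportService."${side}DNSAdapterGuid"
        $servers  = @($TransportService."${side}DNSServers" | ForEach-Object { "$_" })
        $expected = if ($side -eq 'External') { $ExpectedExternalDns } else { $ExpectedInternalDns }

        if ($enabled) {
            # Adapter-based resolution selected but no adapter identified: finding.
            if ([string]::IsNullOrEmpty($guid) -or $guid -eq [guid]::Empty.ToString()) {
                $findings += "${side}DNSAdapterEnabled is True but no adapter GUID is set."
            }
        }
        else {
            # Explicit server list in use: it must be populated and contain only documented servers.
            $unexpected = @($servers | Where-Object { $_ -notin $expected })
            if ($servers.Count -eq 0 -or $unexpected.Count -gt 0) {
                $findings += "${side}DNSAdapterEnabled is False and ${side}DNSServers [$($servers -join ', ')] does not match the documented trusted servers."
            }
        }
    }

    [pscustomobject]@{
        Status   = if ($findings.Count -eq 0) { 'Compliant' } else { 'Finding' }
        Findings = $findings
    }
}

# Constructed sample (not a real server): external adapter enabled with no GUID -> one finding.
$sample = [pscustomobject]@{
    ExternalDNSAdapterEnabled = $true;  ExternalDNSAdapterGuid = '00000000-0000-0000-0000-000000000000'; ExternalDNSServers = @()
    InternalDNSAdapterEnabled = $false; InternalDNSAdapterGuid = '00000000-0000-0000-0000-000000000000'; InternalDNSServers = @('192.0.2.10')
}
Test-EdgeDnsConfiguration -ExpectedInternalDns '192.0.2.10' -ExpectedExternalDns '198.51.100.53' -TransportService $sample
```

On a live Edge server, omit -TransportService so the function calls Get-TransportService itself.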
Fix Text (F-63283r942221_fix)
Verify in the EDSP, or consult with the appropriate personnel who manage DNS, which DNS servers to use for Internal and External DNS resolution.

If a GUID for the External and Internal network adapters is applicable, then gather the values to populate the appropriate properties with the following command:

netsh lan show interfaces

This will provide the adapters and the GUIDs for each. Identify the external and internal adapters for the Edge server.

Once gathered, run the following:

Set-TransportService -Identity -ExternalDNSAdapterEnabled $true -ExternalDNSAdapterGuid -InternalDNSAdapterEnabled $true -InternalDNSAdapterGuid

If "ExternalDNSAdapterEnabled" or "InternalDNSAdapterEnabled" is set to False, use the following to set the DNS configuration:

Set-TransportService -Identity -InternalDNSServers @{add="Trusted DNS IP1","Trusted DNS IP2"}
Set-TransportService -Identity -ExternalDNSServers @{add="Trusted DNS IP1","Trusted DNS IP2"}