UCF STIG Viewer Logo

In a split DNS configuration between the external and internal networks, the external name server must be configured to not be reachable from inside resolvers.


Overview

Finding ID Version Rule ID IA Controls Severity
V-259353 WDNS-22-000022 SV-259353r945259_rule Medium
Description
Instead of having the same set of authoritative name servers serve different types of clients, an enterprise could have two different sets of authoritative name servers. One set, called external name servers, can be located within a DMZ; these would be the only name servers that are accessible to external clients and would serve resource records (RRs) pertaining to hosts with public services (web servers that serve external web pages or provide business-to-consumer services, mail servers, etc.). The other set, called internal name servers, is to be located within the firewall and should be configured so the servers are not reachable from outside and hence provide naming services exclusively to internal clients.
STIG Date
Microsoft Windows Server Domain Name System (DNS) Security Technical Implementation Guide 2024-01-09

Details

Check Text ( C-63092r939762_chk )
Consult with the system administrator to review the external Windows DNS Server's DOD approved firewall policy.

The inbound TCP and UDP ports 53 rule should be configured to only restrict IP addresses from the internal network.

If the DOD-approved firewall policy is not configured with the restriction, consult with the network firewall administrator to confirm the restriction on the network firewall.

If neither the DNS server's DOD approved firewall policy nor the network firewall is configured to block internal hosts from querying the external DNS server, this is a finding.
Fix Text (F-63000r939763_fix)
Configure the external DNS server's firewall policy, or the network firewall, to block queries from internal hosts.