Windows DNS response rate limiting (RRL) must be enabled.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-259417 | WDNS-22-000120 | SV-259417r945369_rule | Medium |
| Description |
|---|
| This setting can prevent someone from sending a denial-of-service attack using the DNS servers. For instance, a bot net can send requests to the DNS server using the IP address of a third computer as the requestor. Without RRL, the DNS servers might respond to all the requests, flooding the third computer. |
| STIG | Date |
|---|---|
| Microsoft Windows Server Domain Name System (DNS) Security Technical Implementation Guide | 2024-01-09 |
Details
| Check Text ( C-63156r939954_chk ) |
|---|
| As an administrator, run PowerShell and enter the following command: "Get-DnsServerResponseRateLimiting". If "Mode" is not set to "Enable", this is a finding. |
| Fix Text (F-63064r939955_fix) |
|---|
| As an administrator, run PowerShell and enter the command "Set-DnsServerResponseRateLimiting" to apply default values or "Set-DnsServerResponseRateLimiting -WindowInSec 7 -LeakRate 4 -TruncateRate 3 -ErrorsPerSec 8 -ResponsesPerSec 8". These settings are just an example. For more information, go to: https://learn.microsoft.com/en-us/powershell/module/dnsserver/set-dnsserverresponseratelimiting?view=windowsserver2022-ps |