V-58593 | High | The Windows 2008 DNS Servers zone files must have NS records that point to active name servers authoritative for the domain specified in that record. | Poorly constructed NS records pose a security risk because they create conditions under which an adversary might be able to provide the missing authoritative name services that are improperly... |
V-58597 | Medium | All authoritative name servers for a zone must have the same version of zone information. | The only protection approach for content control of a DNS zone file is the use of a zone file integrity checker. The effectiveness of integrity checking using a zone file integrity checker depends... |
V-58641 | Medium | The Windows 2008 DNS Server must be configured to enforce authorized access to the corresponding private key. | The cornerstone of the PKI is the private key used to encrypt or digitally sign information. If the private key is stolen, this will lead to the compromise of the authentication and... |
V-58621 | Medium | The Windows 2008 DNS Servers zone files must not include CNAME records pointing to a zone with lesser security for more than six months. | The use of CNAME records for exercises, tests, or zone-spanning aliases should be temporary (e.g., to facilitate a migration). When a host name is an alias for a record in another zone, an... |
V-58643 | Medium | The Windows DNS Server key file must be owned by the account under which the Windows DNS Server service is run. | To enable DNSSEC (requests and responses) through authenticated messages, it is necessary to generate a key for every pair of name servers. The key can also be used for securing other... |
V-58649 | Medium | The Windows 2008 DNS Server must implement a local cache of revocation data for PKI authentication in the event revocation information via the network is not accessible. | Without configuring a local cache of revocation data, there is the potential to allow access to users who are no longer authorized (users with revoked certificates). SIG(0) is used for... |
V-58595 | Medium | All authoritative name servers for a zone must be located on different network segments. | Most enterprises have an authoritative primary server and a host of authoritative secondary name servers. It is essential that these authoritative name servers for an enterprise be located on... |
V-58577 | Medium | The Windows DNS name servers for a zone must be geographically dispersed. | In addition to network-based separation, authoritative name servers should be dispersed geographically as well. In other words, in addition to being located on different network segments, the... |
V-58625 | Medium | AAAA addresses must not be configured in a zone for hosts that are not IPv6-aware. | DNS is only responsible for resolving a domain name to an IP address. Applications and operating systems are responsible for processing the IPv6 or IPv4 record that may be returned. With this in... |
V-58605 | Medium | In a split DNS configuration, where separate name servers are used between the external and internal networks, the external name server must be configured to not be reachable from inside resolvers. | Instead of having the same set of authoritative name servers serve different types of clients, an enterprise could have two different sets of authoritative name servers. One set, called external... |
V-58607 | Medium | In a split DNS configuration, where separate name servers are used between the external and internal networks, the internal name server must be configured to not be reachable from outside resolvers. | Instead of having the same set of authoritative name servers serve different types of clients, an enterprise could have two different sets of authoritative name servers. One set, called external... |
V-58609 | Medium | Primary authoritative name servers must be configured to only receive zone transfer requests from specified secondary name servers. | Authoritative name servers (especially primary name servers) should be configured with an allow-transfer access control sub statement designating the list of hosts from which zone transfer... |
V-58553 | Medium | The Windows 2008 DNS Server logging criteria must only be configured by the ISSM or individuals appointed by the ISSM. | Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. The... |
V-58573 | Medium | The Windows 2008 DNS Servers audit records must be backed up at least every seven days onto a different system or system component than the system or component being audited. | Protection of log data includes assuring log data is not accidentally lost or deleted. Backing up audit records to a different system or onto separate media than the system being audited on a... |
V-58661 | Medium | WINS lookups must be disabled on the Windows 2008 DNS Server. | The major threat associated with DNS forged responses or failures is the integrity of the DNS data returned in the response. If/when WINS lookups are enabled, the validity of the data becomes... |
V-58707 | Medium | The Windows 2008 DNS Server must be configured to only allow zone information that reflects the environment for which it is authoritative, to include IP ranges and IP versions. | DNS zone data for which a Windows 2008 DNS server is authoritative should represent the network for which it is responsible. If a Windows 2008 DNS server hosts zone records for other networks or... |
V-58579 | Medium | The Windows 2008 DNS Server must prohibit recursion on authoritative name servers for which forwarders have not been configured for external queries. | A potential vulnerability of DNS is that an attacker can poison a name server's cache by sending queries that will cause the server to obtain host-to-IP address mappings from bogus name servers... |
V-58237 | Medium | The Windows 2008 DNS Server must restrict incoming dynamic update requests to known clients. | Limiting the number of concurrent sessions reduces the risk of Denial of Service (DoS) on any system. A DNS server's function requires it to be able to handle multiple sessions at a time so... |
V-58697 | Medium | The Windows 2008 DNS Server must restrict individuals from using it for launching Denial of Service (DoS) attacks against other information systems. | Applications and application developers must take the steps needed to ensure users cannot use an authorized application to launch DoS attacks against other systems and networks. For example,... |
V-58695 | Medium | The Windows 2008 DNS Server must not contain zone records that have not been validated in over a year. | If zone information has not been validated in over a year, then there is no assurance that it is still valid. If invalid records are in a zone, then an adversary could potentially use their... |
V-58693 | Medium | The Windows 2008 DNS Server must protect secret/private cryptographic keys while at rest. | Information at rest refers to the state of information when it is located on a secondary storage device within an organizational information system. Mobile devices, laptops, desktops, and storage... |
V-58699 | Medium | The Windows 2008 DNS Server must use DNS Notify to prevent denial of service through increase in workload. | In the case of application DoS attacks, care must be taken when designing the application to ensure the application makes the best use of system resources. SQL queries have the potential to... |
V-58547 | Medium | The Windows 2008 DNS Server must, in the event of an error validating another DNS server's identity, send notification to the DNS administrator. | Failing to act on the validation errors may result in the use of invalid, corrupted, or compromised information. The validation of bindings can be achieved, for example, by the use of... |
V-58737 | Medium | The DNS Name Server software must be configured to refuse queries for its version information. | Each newer version of the name server software, especially the BIND software, generally is devoid of vulnerabilities found in earlier versions because it has design changes incorporated to take... |
V-58543 | Medium | The Windows 2008 DNS Server must be configured to record, and make available to authorized personnel, who added/modified/deleted DNS zone information. | Without a means for identifying the individual that produced the information, the information cannot be relied upon. Identifying the validity of information may be delayed or deterred. This... |
V-58655 | Medium | The Windows 2008 DNS Servers IP address must be statically defined and configured locally on the server. | The major threat associated with DNS forged responses or failures is the integrity of the DNS data returned in the response. By requiring remote clients to obtain origin authentication and... |
V-58739 | Medium | The HINFO, RP, TXT, and LOC RR types must not be used in the zone SOA. | There are several types of RRs in the DNS that are meant to convey information to humans and applications about the network, hosts, or services. These RRs include the Responsible Person (RP)... |
V-58549 | Medium | The Windows 2008 DNS Server log must be enabled. | Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. The... |
V-58583 | Medium | The Windows 2008 DNS Server with a caching name server role must restrict recursive query responses to only the IP addresses and IP address ranges of known supported clients. | A potential vulnerability of DNS is that an attacker can poison a name server's cache by sending queries that will cause the server to obtain host-to-IP address mappings from bogus name servers... |
V-58581 | Medium | Forwarders on an authoritative Windows 2008 DNS Server, if enabled for external resolution, must only forward to either an internal, non-AD-integrated DNS server or to the DoD Enterprise Recursive Services (ERS). | A potential vulnerability of DNS is that an attacker can poison a name server's cache by sending queries that will cause the server to obtain host-to-IP address mappings from bogus name servers... |
V-58633 | Medium | The Windows 2008 DNS Server must uniquely identify the other DNS server before responding to a server-to-server transaction. | Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. This applies to server-to-server (zone transfer) transactions only and is... |
V-58713 | Medium | The Windows 2008 DNS Server must perform verification of the correct operation of security functions: upon system start-up and/or restart; upon command by a user with privileged access; and/or every 30 days. | Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data... |
V-58617 | Medium | The DNS name server software must be at the latest version. | Each newer version of the name server software, especially the BIND software, generally is devoid of vulnerabilities found in earlier versions because it has design changes incorporated to take... |
V-58711 | Medium | The Windows 2008 DNS Server must, when a component failure is detected, activate a notification to the system administrator. | Predictable failure prevention requires organizational planning to address system failure issues. If components key to maintaining systems security fail to function, the system could continue... |
V-58615 | Medium | The Windows 2008 DNS Server authoritative for local zones must only point root hints to the DNS servers that host the internal root domain. | All caching name servers must be authoritative for the root zone because, without this starting point, they would have no knowledge of the DNS infrastructure and thus would be unable to respond to... |
V-58717 | Medium | The Windows 2008 DNS Server must be configured to notify the ISSO/ISSM/DNS administrator when functionality of Secure Updates has been removed or broken. | Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data... |
V-58613 | Medium | The Windows 2008 DNS Server must implement internal/external role separation. | DNS servers with an internal role only process name/address resolution requests from within the organization (i.e., internal clients). DNS servers with an external role only process name/address... |
V-58611 | Medium | The Windows 2008 DNS Servers zone database files must not be accessible for edit/write by users and/or processes other than the Windows 2008 DNS Server service account and/or the DNS database administrator. | Discretionary Access Control (DAC) is based on the premise that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in... |
V-58627 | Medium | When IPv6 protocol is installed, the server must also be configured to answer for IPv6 AAAA records. | To prevent the possibility of a denial of service in relation to an IPv4 DNS server trying to respond to IPv6 requests, the server should be configured not to listen on any of its IPv6 interfaces... |
V-58709 | Medium | The Windows 2008 DNS Server must follow procedures to re-role a secondary name server as the master name server should the master name server permanently lose functionality. | Failing to an unsecure condition negatively impacts application security and can lead to system compromise. Failure conditions include, for example, loss of communications among critical system... |
V-58603 | Medium | For zones split between the external and internal sides of a network, the RRs for the external hosts must be separate from the RRs for the internal hosts. | Authoritative name servers for an enterprise may be configured to receive requests from both external and internal clients. External clients need to receive RRs that pertain only to public... |
V-58637 | Medium | The Windows DNS primary server must only send zone transfers to a specific list of secondary name servers. | Primary name servers also make outbound connection to secondary name servers to provide zone transfers and accept inbound connection requests from clients wishing to provide a dynamic update.... |
V-58623 | Medium | Non-routable IPv6 link-local scope addresses must not be configured in any zone. | IPv6 link-local scope addresses are not globally routable and must not be configured in any DNS zone. Similar to RFC1918 addresses, if a link-local scope address is inserted into a zone provided... |