Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-58627 | WDNS-CM-000028 | SV-73057r7_rule | Medium |
Description |
---|
To prevent the possibility of a denial of service in relation to an IPv4 DNS server trying to respond to IPv6 requests, the server should be configured not to listen on any of its IPv6 interfaces unless it does contain IPv6 AAAA resource records in one of the zones. |
STIG | Date |
---|---|
Microsoft Windows 2012 Server Domain Name System Security Technical Implementation Guide | 2020-06-17 |
Check Text ( C-59499r5_chk ) |
---|
Note: If the Windows 2012 DNS server is hosting IPv6 records, this requirement is not applicable. Log on to the DNS server using the Domain Admin or Enterprise Admin account. From a command prompt, run regedit. In the User Account Control dialog box, click Continue. In Registry Editor, locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters \ Verify the value for “DisabledComponents” is “255 (0xff)”. If the “DisabledComponents” entry is nonexistent, this is a finding. If the “DisabledComponents” exists but is not set to “255 (0xff)”, and the DNS server is not hosting any AAAA records, this is a finding. |
Fix Text (F-64011r4_fix) |
---|
Log onto the DNS server. Access Group Policy Management. Edit Default Domain Policy, go to Computer Configuration >> Policies >> Administrative Templates >> Network >> IPv6 Configuration, Open IPv6 Configuration Policy and set on “Disable all IPv6 components”. As an alternative to using the GPO setting, the registry setting may also be altered directly to reflect: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters \ Set the value for “DisabledComponents” to “255 (0xff)”. |