
Microsoft Windows 2012 Server Domain Name System Security Technical Implementation Guide


Overview

Date: 2022-03-01
Finding Count (81): CAT I (High): 3, CAT II (Med): 78, CAT III (Low): 0
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Findings (MAC I - Mission Critical Classified)

Finding ID Severity Title
V-215583 High The Windows 2012 DNS Server must be configured to enable DNSSEC Resource Records.
V-215580 High The Windows 2012 DNS Server's zone files must have NS records that point to active name servers authoritative for the domain specified in that record.
V-215627 High The Windows 2012 DNS Server must protect the authenticity of dynamic updates via transaction signing.
V-215586 Medium In a split DNS configuration, where separate name servers are used between the external and internal networks, the external name server must be configured to not be reachable from inside resolvers.
V-215587 Medium In a split DNS configuration, where separate name servers are used between the external and internal networks, the internal name server must be configured to not be reachable from outside resolvers.
V-215584 Medium Digital signature algorithm used for DNSSEC-enabled zones must be FIPS-compatible.
V-215585 Medium For zones split between the external and internal sides of a network, the RRs for the external hosts must be separate from the RRs for the internal hosts.
V-215582 Medium All authoritative name servers for a zone must have the same version of zone information.
V-215581 Medium All authoritative name servers for a zone must be located on different network segments.
V-215634 Medium The Windows 2012 DNS Server must protect the integrity of transmitted information.
V-215635 Medium The Windows 2012 DNS Server must maintain the integrity of information during preparation for transmission.
V-215618 Medium The Name Resolution Policy Table (NRPT) must be configured in Group Policy to enforce clients to request DNSSEC validation for a domain.
V-215637 Medium The Windows 2012 DNS Server must implement NIST FIPS-validated cryptography for provisioning digital signatures, generating cryptographic hashes, and protecting unclassified information requiring confidentiality.
V-215630 Medium The Windows 2012 DNS Server must protect secret/private cryptographic keys while at rest.
V-215610 Medium The Windows 2012 DNS Server must include data origin with authoritative data the system returns in response to external name/address resolution queries.
V-215588 Medium Primary authoritative name servers must be configured to only receive zone transfer requests from specified secondary name servers.
V-215589 Medium The Windows 2012 DNS Server's zone database files must not be accessible for edit/write by users and/or processes other than the Windows 2012 DNS Server service account and/or the DNS database administrator.
V-215611 Medium The Windows 2012 DNS Server's IP address must be statically defined and configured locally on the server.
V-215652 Medium The Windows 2012 DNS Server logging criteria must only be configured by the ISSM or individuals appointed by the ISSM.
V-215650 Medium The Windows 2012 DNS Server log must be enabled.
V-215651 Medium The Windows 2012 DNS Server logging must be enabled to record events from all DNS server functions.
V-215616 Medium The Windows 2012 DNS Server must be configured with the DS RR carrying the signature for the RR that contains the public key of the child zone.
V-215617 Medium The Windows 2012 DNS Server must enforce approved authorizations between DNS servers through the use of digital signatures in the RRSet.
V-215632 Medium The Windows 2012 DNS Server must restrict individuals from using it for launching Denial of Service (DoS) attacks against other information systems.
V-215639 Medium The Windows 2012 DNS Server must follow procedures to re-role a secondary name server as the master name server should the master name server permanently lose functionality.
V-215614 Medium WINS lookups must be disabled on the Windows 2012 DNS Server.
V-215622 Medium The Windows DNS secondary servers must request data origin authentication verification from the primary server when requesting name/address resolution.
V-215615 Medium The Windows 2012 DNS Server must use DNSSEC data within queries to confirm data integrity to DNS resolvers.
V-215609 Medium The salt value for zones signed using NSEC3 RRs must be changed every time the zone is completely re-signed.
V-215578 Medium The validity period for the RRSIGs covering a zone's DNSKEY RRSet must be no less than two days and no more than one week.
V-215599 Medium The Windows 2012 DNS Server must require devices to re-authenticate for each dynamic update request connection attempt.
V-215598 Medium The Windows 2012 DNS Server must be configured to prohibit or restrict unapproved ports and protocols.
V-215612 Medium The Windows 2012 DNS Server must return data information in responses to internal name/address resolution queries.
V-215608 Medium The Windows 2012 DNS Server must implement a local cache of revocation data for PKI authentication in the event revocation information via the network is not accessible.
V-215626 Medium The Windows 2012 DNS Server must protect the authenticity of zone transfers via transaction signing.
V-215591 Medium The Windows 2012 DNS Server authoritative for local zones must only point root hints to the DNS servers that host the internal root domain.
V-215590 Medium The Windows 2012 DNS Server must implement internal/external role separation.
V-228571 Medium The Windows DNS name servers for a zone must be geographically dispersed.
V-215592 Medium The DNS name server software must be at the latest version.
V-215595 Medium Non-routable IPv6 link-local scope addresses must not be configured in any zone.
V-215594 Medium The Windows 2012 DNS Server's zone files must not include CNAME records pointing to a zone with lesser security for more than six months.
V-215596 Medium AAAA addresses must not be configured in a zone for hosts that are not IPv6-aware.
V-215605 Medium The Windows 2012 DNS Server key file must be owned by the account under which the Windows 2012 DNS Server service is run.
V-215648 Medium The Windows 2012 DNS Server must be configured to record, and make available to authorized personnel, who added/modified/deleted DNS zone information.
V-215607 Medium The private key corresponding to the ZSK must only be stored on the name server that does support dynamic updates.
V-215606 Medium The Windows 2012 DNS Server permissions must be set so that the key file can only be read or modified by the account that runs the name server software.
V-215601 Medium The secondary Windows DNS name servers must cryptographically authenticate zone transfers from primary name servers.
V-215600 Medium The Windows 2012 DNS Server must uniquely identify the other DNS server before responding to a server-to-server transaction.
V-215629 Medium The Windows 2012 DNS Server must only allow the use of an approved DoD PKI-established certificate authorities for verification of the establishment of protected transactions.
V-215602 Medium The Windows DNS primary server must only send zone transfers to a specific list of secondary name servers.
V-215640 Medium The DNS Name Server software must be configured to refuse queries for its version information.
V-215643 Medium The Windows 2012 DNS Server must perform verification of the correct operation of security functions: upon system start-up and/or restart; upon command by a user with privileged access; and/or every 30 days.
V-215624 Medium The Windows DNS secondary server must validate data integrity verification on the name/address resolution responses received from primary name servers.
V-215623 Medium The Windows DNS secondary server must request data integrity verification from the primary server when requesting name/address resolution.
V-215644 Medium The Windows 2012 DNS Server must log the event and notify the system administrator when anomalies in the operation of the signed zone transfers are discovered.
V-215647 Medium The Windows 2012 DNS Server must restrict incoming dynamic update requests to known clients.
V-215631 Medium The Windows 2012 DNS Server must not contain zone records that have not been validated in over a year.
V-215613 Medium The Windows 2012 DNS Server must use DNSSEC data within queries to confirm data origin to DNS resolvers.
V-215576 Medium The Windows 2012 DNS Server with a caching name server role must be secured against pollution by ensuring the authenticity and integrity of queried records.
V-215575 Medium The Windows 2012 DNS Server with a caching name server role must restrict recursive query responses to only the IP addresses and IP address ranges of known supported clients.
V-215574 Medium Forwarders on an authoritative Windows 2012 DNS Server, if enabled for external resolution, must only forward to either an internal, non-AD-integrated DNS server or to the DoD Enterprise Recursive Services (ERS).
V-215573 Medium The Windows 2012 DNS Server must prohibit recursion on authoritative name servers for which forwarders have not been configured for external queries.
V-215621 Medium Automatic Update of Trust Anchors must be enabled on key rollover.
V-215620 Medium Trust anchors must be exported from authoritative Windows 2012 DNS Servers and distributed to validating Windows 2012 DNS Servers.
V-215593 Medium The Windows 2012 DNS Server's zone files must not include resource records that resolve to a fully qualified domain name residing in another zone.
V-215579 Medium NSEC3 must be used for all internal DNS zones.
V-215625 Medium The Windows DNS secondary server must validate data origin verification authentication on the name/address resolution responses received from primary name servers.
V-215577 Medium The Windows 2012 DNS Server must implement cryptographic mechanisms to detect changes to information during transmission unless otherwise protected by alternative physical safeguards, such as, at a minimum, a Protected Distribution System (PDS).
V-215604 Medium The Windows 2012 DNS Server must be configured to enforce authorized access to the corresponding private key.
V-215645 Medium The Windows 2012 DNS Server must be configured to notify the ISSO/ISSM/DNS administrator when functionality of DNSSEC/TSIG has been removed or broken.
V-215619 Medium The Windows 2012 DNS Server must be configured to validate an authentication chain of parent and child domains via response data.
V-215642 Medium The Windows 2012 DNS Server must, when a component failure is detected, activate a notification to the system administrator.
V-215633 Medium The Windows 2012 DNS Server must use DNS Notify to prevent denial of service through increase in workload.
V-215641 Medium The HINFO, RP, TXT and LOC RR types must not be used in the zone SOA.
V-215661 Medium The validity period for the RRSIGs covering the DS RR for a zone's delegated children must be no less than two days and no more than one week.
V-215628 Medium The Windows 2012 DNS Server must protect the authenticity of query responses via DNSSEC.
V-215660 Medium The Windows 2012 DNS Server's audit records must be backed up at least every seven days onto a different system or system component than the system or component being audited.
V-215638 Medium The Windows 2012 DNS Server must be configured to only allow zone information that reflects the environment for which it is authoritative, to include IP ranges and IP versions.
V-215603 Medium The Windows 2012 DNS Server must provide its identity with returned DNS information by enabling DNSSEC and TSIG/SIG(0).
V-215636 Medium The Windows 2012 DNS Server must maintain the integrity of information during reception.
V-215649 Medium The Windows 2012 DNS Server must, in the event of an error validating another DNS server's identity, send notification to the DNS administrator.