Windows DNS
Findings (MAC III - Administrative Sensitive)

| Finding ID | Severity | Title |
|---|---|---|
| V-4501 | High | The DHCP server service is not disabled on any Windows 2000/2003 DNS server that supports dynamic updates. |
| V-4502 | High | Zone transfers are not prohibited or a VPN solution is not implemented that requires cryptographic authentication of communicating devices and is used exclusively by name servers authoritative for the zone. |
| V-4505 | High | WINS lookups are not prohibited on a Windows 2000 DNS server. |
| V-4488 | High | The DNS software does not log, at a minimum, success and failure of starting and stopping of the name server service daemon, zone transfers, zone update notifications, and dynamic updates. |
| V-4481 | High | Dynamic updates are not cryptographically authenticated. |
| V-4482 | High | The DNS software administrator will configure each master/slave server supporting a zone to cryptographically authenticate zone transfers. |
| V-4470 | High | The DNS database administrator has not ensured each NS record in a zone file points to an active name server authoritative for the domain specified in that record. |
| V-4491 | High | Valid root name servers do not appear in the local root zone file. G and H root servers, at a minimum, do not appear in the local root zone files. |
| V-4503 | Medium | Forwarders on an authoritative Windows 2000/2003 DNS server are not disabled. |
| V-4489 | Medium | The DNS software administrator has not configured the DNS software to send all log data to either the system logging facility (e.g., UNIX syslog or Windows Application Event Log) or an alternative logging facility with security configuration equivalent to or more restrictive than the system logging facility. |
| V-4483 | Medium | A zone master server does not limit zone transfers to a list of active slave name servers authoritative for that zone. |
| V-4485 | Medium | A name server is not configured to only accept notifications of zone changes from a host authoritative for that zone. |
| V-4487 | Medium | A caching name server does not restrict recursive queries to only the IP addresses and IP address ranges of known supported clients. |
| V-4486 | Medium | Recursion is not prohibited on an authoritative name server. |
| V-3625 | Medium | Shares other than the default administrative shares are enabled on a name server. |
| V-4478 | Medium | The name server's IP address is NOT statically defined and configured locally on the server. The name server has a DHCP address. |
| V-4479 | Medium | An integrity checking tool is not installed or not monitoring for modifications to the root.hints and named.conf files. |
| V-14768 | Medium | The IPv6 protocol is installed and the server is only configured to respond to IPv4 A records. |
| V-4473 | Medium | DNS software does not run on dedicated (running only those services required for DNS) hardware. The only currently accepted exception to this requirement is Windows 2000/2003 DNS, which must run on a domain controller that is integrated with Active Directory services. |
| V-4475 | Medium | Permissions on files containing DNS encryption keys are inadequate. |
| V-4476 | Medium | Users and/or processes other than the DNS software Process ID (PID) and/or the DNS database administrator have edit/write access to the zone database files. |
| V-4477 | Medium | Users or processes other than the DNS software administrator and the DNS software PID have read access to the DNS software configuration files and/or users other than the DNS software administrator have write access to these files. |
| V-12479 | Medium | Computer accounts for DHCP servers are members of the DNSUpdateProxy group. |
| V-14757 | Low | AAAA addresses are configured on a host that is not IPv6 aware. |
| V-14756 | Low | The DNS administrator will ensure non-routable IPv6 link-local scope addresses are not configured in any zone. Such addresses begin with the prefixes "FE8", "FE9", "FEA", or "FEB". |
| V-4492 | Low | The DNS software administrator has not removed the root hints file on an authoritative name server in order for it to resolve only those records for which it is authoritative, and ensure that all other queries are refused. |
| V-4490 | Low | Entries in the name server logs do not contain timestamps and severity information. |
| V-4467 | Low | Record owners will validate their zones no less than annually. The DNS database administrator will remove all zone records that have not been validated in over a year. |
| V-4469 | Low | Zone-spanning CNAME records that point to a zone with lesser security are active for more than six months. |
| V-4468 | Low | Resource records for a host in a zone file are included and their fully qualified domain name resides in another zone. The exception is a glue record or CNAME record supporting a system migration. |