Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-14768 | DNS4630 | SV-15525r1_rule | ECSC-1 | Medium |
Description |
---|
To prevent a possible denial of service caused by an IPv4 DNS server trying to respond to IPv6 requests, the server should be configured not to listen on any of its IPv6 interfaces unless it hosts IPv6 AAAA resource records in one of its zones. |
STIG | Date |
---|---|
Windows DNS | 2014-04-04 |
Check Text ( C-12991r1_chk ) |
---|
Windows instruction: Click Start, click All Programs, click Administrative Tools, and select DNS. Expand the Forward Lookup Zones folder. Expand each zone and check for IPv6 records. If all records are IPv4, then confirm IPv6 is not enabled on any of the LAN interfaces with the following: -Click Start, click Control Panel, and then double-click Network Connections. -Right-click any local area connection, and then click Properties. -The display will list Microsoft TCP/IP version 6, with a check next to the item, if IPv6 is installed. |
Fix Text (F-14244r1_fix) |
---|
The DNS administrator will uninstall IPv6 from any LAN interface that is not hosting IPv6 AAAA records within its zones. The following steps should be followed to uninstall IPv6 on an interface: -Click Start, click Control Panel, and then double-click Network Connections. -Right-click any local area connection, and then click Properties. -The display will list Microsoft TCP/IP version 6, with a check next to the item, if IPv6 is installed. -Select Microsoft TCP/IP version 6 and then click Uninstall. -Select Yes to confirm the removal. -Select Yes to restart the computer for the new settings to take effect. |
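
The Check Text procedure can also be scripted. The following is an added example, not part of the STIG: it assumes Windows Server 2012 or later with the DnsServer and NetAdapter PowerShell modules, and it treats an enabled `ms_tcpip6` adapter binding as the equivalent of IPv6 being "installed" on the interface.

```powershell
#Requires -Modules DnsServer, NetAdapter
# Added example, not part of the STIG. Assumes Windows Server 2012 or later,
# run in an elevated session on the DNS server itself.

# Forward lookup zones that can hold records (conditional forwarders hold none).
$zones = Get-DnsServerZone |
    Where-Object { -not $_.IsReverseLookupZone -and $_.ZoneType -ne 'Forwarder' }

# Collect every AAAA record, remembering which zone it came from.
$aaaa = foreach ($zone in $zones) {
    try {
        Get-DnsServerResourceRecord -ZoneName $zone.ZoneName -ErrorAction Stop |
            Where-Object RecordType -eq 'AAAA' |
            Select-Object @{ n = 'Zone'; e = { $zone.ZoneName } }, HostName
    }
    catch {
        # An unreadable zone must be reviewed by hand, not assumed to be IPv4-only.
        Write-Warning "Could not read zone $($zone.ZoneName): $_"
    }
}

# Adapters with the IPv6 protocol component (ms_tcpip6) bound and enabled.
$ipv6Adapters = Get-NetAdapterBinding -ComponentID ms_tcpip6 |
    Where-Object Enabled

# Rule logic: IPv6 on an interface is acceptable only if a zone hosts AAAA records.
if ($aaaa) {
    $status = 'Not a finding: zones host AAAA records'
}
elseif ($ipv6Adapters) {
    $status = 'Finding: IPv6 is enabled but no zone hosts AAAA records'
}
else {
    $status = 'Not a finding: no AAAA records and IPv6 is not enabled'
}

# Emit one object so the result can be logged or exported with the evidence.
[pscustomobject]@{
    Status       = $status
    AaaaRecords  = @($aaaa | ForEach-Object { "$($_.HostName).$($_.Zone)" })
    IPv6Adapters = @($ipv6Adapters | ForEach-Object Name)
}
```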