| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-4502 | DNS0810 | SV-4502r1_rule | DCNR-1 | High |
| Description |
|---|
| If zone transfers are not cryptographically authenticated, then there is the potential for an adversary to masquerade as a legitimate zone partner and update zone records without authorization. |
| STIG | Date |
|---|---|
| Windows DNS | 2015-01-05 |
| Check Text (C-3563r1_chk) |
|---|
| The reviewer will validate that zone transfers are prohibited. The reviewer will ensure the "Allow zone transfers" check box is not selected on the "Zone Transfers" tab of the name server properties. If zone transfers are allowed, then this is a finding. Windows allows for two ways of synchronizing zone data across name servers: (1) traditional RFC-compliant DNS zone transfers; and (2) AD replication. The latter only works when Windows DNS is integrated with AD, which makes each of the DNS records an AD object. The Windows 2000/2003 DNS implementation of traditional zone transfers does not meet the STIG requirement that the transfers be cryptographically authenticated using a technology such as TSIG. Fortunately, AD replication is cryptographically authenticated. Therefore, the solution in a pure Windows 2000/2003 DNS implementation is to integrate DNS with AD and disable zone transfers. |
| Fix Text (F-4387r1_fix) |
|---|
| Working with relevant DNS administrators, the SA should configure Windows DNS to rely on Active Directory to replicate zone data whenever possible. If this is not feasible, then the SA must establish an IPsec VPN between relevant zone partners or implement a satisfactory alternative encryption-based authentication technology. |
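The check and fix above can be scripted on newer Windows DNS servers. The following is an added example, not part of the STIG; it assumes the DnsServer PowerShell module (Windows Server 2012 or later, not the 2000/2003 GUI path the check text describes), where the "Allow zone transfers" setting appears as the SecureSecondaries property of each primary zone.

```powershell
# Added audit script for STIG V-4502 (not part of the STIG itself).
# Assumption: the DnsServer module is available on the server being reviewed.
Import-Module DnsServer

# Review every non-automatic primary zone hosted on this server.
$zones = Get-DnsServerZone |
    Where-Object { -not $_.IsAutoCreated -and $_.ZoneType -eq 'Primary' }

$findings = foreach ($zone in $zones) {
    # SecureSecondaries = NoTransfer is the scripted equivalent of the
    # "Allow zone transfers" check box being cleared; anything else is a finding.
    $transfersAllowed = $zone.SecureSecondaries -ne 'NoTransfer'
    [pscustomobject]@{
        ZoneName          = $zone.ZoneName
        IsDsIntegrated    = $zone.IsDsIntegrated   # True when AD replication carries the zone
        SecureSecondaries = $zone.SecureSecondaries
        Finding           = $transfersAllowed
    }
}

# Report: zones with Finding = True allow RFC-style zone transfers.
$findings | Format-Table -AutoSize

# Remediation for zones that are already AD-integrated: disable transfers so
# the zone replicates only through (authenticated) AD replication.
# -WhatIf previews the change; remove it to apply.
foreach ($f in $findings | Where-Object { $_.Finding -and $_.IsDsIntegrated }) {
    Set-DnsServerPrimaryZone -Name $f.ZoneName -SecureSecondaries NoTransfer -WhatIf
}

# Zones that are not AD-integrated still need the fix text's alternative
# (AD integration, or an IPsec VPN between zone partners) and are only reported.
$findings | Where-Object { $_.Finding -and -not $_.IsDsIntegrated }
```

Zones left in the last list cannot be fixed by clearing the transfer setting alone, since a file-backed primary has no other replication path.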