UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Forwarders on an authoritative Windows 2000/2003 DNS server are not disabled.


Overview

Finding ID Version Rule ID IA Controls Severity
V-4503 DNS0815 SV-4503r1_rule ECSC-1 Medium
Description
Windows DNS has historically been more vulnerable to cache poisoning attacks than BIND as the algorithm used for answering recursive queries also makes it more prone to self-imposed denial of service attacks and as an amplification device for attacks on other DNS servers. Additionally, Windows DNS does not allow for the fine-grained access control restrictions (i.e., limiting the clients that are able to perform recursion) that are allowed by BIND and other recursive DNS appliances. Therefore, Windows 2000/2003 DNS should not be deployed as a caching name server. Consequently, the use of forwarders and recursion is prohibited on Windows 2000/2003 DNS servers.
STIG Date
Windows DNS 2015-01-05

Details

Check Text ( C-3564r1_chk )
Windows DNS should not be deployed as a caching name server. Consequently, the use of forwarders and recursion is prohibited on Windows 2000/2003 DNS. The reviewer will validate that the "Enable Forwarders" check box is not selected on the “Forwarders” tab of the name server properties.

If forwarders are enabled, then this is a finding.
Fix Text (F-4388r1_fix)
The SA should disable forwarding (on the Forwarders tab of the name servers properties dialog box).