
Forwarders on an authoritative Windows 2000/2003 DNS server are not disabled.


Overview

Finding ID: V-4503
Version: DNS0815
Rule ID: SV-4503r1_rule
IA Controls: ECSC-1
Severity: Medium
Description
Windows DNS has historically been more vulnerable to cache poisoning attacks than BIND, and the algorithm it uses for answering recursive queries also makes it more prone to self-imposed denial of service and to being used as an amplification device for attacks on other DNS servers. Additionally, Windows DNS does not allow the fine-grained access control restrictions (i.e., limiting the clients that are able to perform recursion) that BIND and other recursive DNS appliances provide. Therefore, Windows 2000/2003 DNS should not be deployed as a caching name server. Consequently, the use of forwarders and recursion is prohibited on Windows 2000/2003 DNS servers.
STIG: Windows DNS
Date: 2015-12-28

Details

Check Text (C-3564r1_chk)
Windows DNS should not be deployed as a caching name server. Consequently, the use of forwarders and recursion is prohibited on Windows 2000/2003 DNS servers. The reviewer will validate that the "Enable Forwarders" check box is not selected on the "Forwarders" tab of the name server properties.

If forwarders are enabled, then this is a finding.
Fix Text (F-4388r1_fix)
The SA should disable forwarding (on the Forwarders tab of the name server's properties dialog box).
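The check and fix above can be scripted so the finding is reproducible across many servers. The following is an added example, not part of the STIG text: it reads the server-level forwarder list and recursion flag through the DNS WMI provider (the MicrosoftDNS_Server class, which the Windows 2000/2003 DNS service exposes) and, only when asked, clears forwarders and disables recursion with dnscmd. The server name is a placeholder, and the script assumes dnscmd.exe is available on the machine running it.

```powershell
# Added audit script for DNS0815 (not the STIG's own tooling).
# Assumes: root\MicrosoftDNS WMI namespace reachable on the target and
# dnscmd.exe present locally. $Server is a placeholder value.
param(
    [string]$Server = 'dns01.example.test',  # placeholder target server name
    [switch]$Remediate                        # only change configuration when set
)

# Read the server object; Forwarders is the list behind "Enable Forwarders".
$dns = Get-WmiObject -ComputerName $Server -Namespace 'root\MicrosoftDNS' `
                     -Class 'MicrosoftDNS_Server'

$forwarders = @($dns.Forwarders | Where-Object { $_ })
$finding = $false

if ($forwarders.Count -gt 0) {
    # Any configured forwarder means the check box is effectively selected.
    Write-Output ("FINDING DNS0815 on {0}: forwarders enabled -> {1}" -f `
                  $Server, ($forwarders -join ', '))
    $finding = $true
} else {
    Write-Output "OK DNS0815 on ${Server}: no forwarders configured"
}

# The description also prohibits recursion; NoRecursion = True means it is off.
if (-not $dns.NoRecursion) {
    Write-Output "NOTE on ${Server}: recursion is still enabled (NoRecursion = False)"
    $finding = $true
}

if ($finding -and $Remediate) {
    # /ResetForwarders with no addresses removes every forwarder, which is the
    # command-line equivalent of clearing "Enable Forwarders" in the DNS console.
    & dnscmd.exe $Server /ResetForwarders | Out-Null
    # Turn off recursion at the server level as the description requires.
    & dnscmd.exe $Server /Config /NoRecursion 1 | Out-Null
    Write-Output "Remediated ${Server}; re-run without -Remediate to confirm."
}
```

Run it without `-Remediate` during the review to record the finding, and with `-Remediate` only after the change has been approved for that server.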