Finding ID |
Severity |
Title |
Description |
V-259397
|
High |
The Windows DNS Server must protect the integrity of transmitted information. |
Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered.
Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and integrity of organizational information... |
V-259390
|
High |
The Windows DNS Server must protect the authenticity of dynamic updates via transaction signing. |
DNS is a fundamental network service that is prone to various attacks, such as cache poisoning and man-in-the middle attacks. If communication sessions are not provided appropriate validity protections, such as the employment of DNSSEC, the authenticity of the data cannot be guaranteed.
The combination of signing DNS zones by... |
V-259350
|
High |
The Windows DNS Server must be configured to enable DNSSEC Resource Records (RRs). |
The specification for a digital signature mechanism in the context of the DNS infrastructure is in the Internet Engineering Task Force's (IETF's) DNSSEC standard. In DNSSEC, trust in the public key (for signature verification) of the source is established not by going to a third party or a chain of... |
V-259347
|
High |
The Windows DNS Server's zone files must have NS records that point to active name servers authoritative for the domain specified in that record. |
Poorly constructed NS records pose a security risk because they create conditions under which an adversary might be able to provide the missing authoritative name services that are improperly specified in the zone file. The adversary could issue bogus responses to queries that clients would accept because they learned of... |
V-259343
|
High |
The Windows DNS Server with a caching name server role must restrict recursive query responses to only the IP addresses and IP address ranges of known supported clients. |
A potential vulnerability of DNS is that an attacker can poison a name server's cache by sending queries that will cause the server to obtain host-to-IP address mappings from bogus name servers that respond with incorrect information. Once a name server has been poisoned, legitimate clients may be directed to... |
V-259417
|
Medium |
Windows DNS response rate limiting (RRL) must be enabled. |
This setting can prevent someone from sending a denial-of-service attack using the DNS servers. For instance, a bot net can send requests to the DNS server using the IP address of a third computer as the requestor. Without RRL, the DNS servers might respond to all the requests, flooding the... |
V-259416
|
Medium |
In a split DNS configuration, where separate name servers are used between the external and internal networks, the internal name server must be configured to not be reachable from outside resolvers. |
Instead of having the same set of authoritative name servers serve different types of clients, an enterprise could have two different sets of authoritative name servers.
One set, called external name servers, can be located within a DMZ; these would be the only name servers that are accessible to external... |
V-259415
|
Medium |
The Windows DNS Server audit records must be backed up at least every seven days onto a different system or system component than the system or component being audited. |
Protection of log data includes ensuring log data is not accidentally lost or deleted. Backing up audit records to a different system or onto media separate from the system being audited on a defined frequency helps to ensure the audit records will be retained in the event of a catastrophic... |
V-259414
|
Medium |
The private keys corresponding to both the zone signing key (ZSK) and the key signing key (KSK) must not be kept on the DNSSEC-aware primary authoritative name server when the name server does not support dynamic updates. |
The private keys in the KSK and ZSK key pairs must be protected from unauthorized access. If possible, the private keys should be stored offline (with respect to the internet-facing, DNSSEC-aware name server) in a physically secure, non-network-accessible machine along with the zone file master copy.
This strategy is not... |
V-259413
|
Medium |
The DNS Name Server software must run with restricted privileges. |
Failure to provide logical access restrictions associated with changes to application configuration may have significant effects on the overall security of the system. When dealing with access restrictions pertaining to change control, any changes to the hardware, software, and/or firmware components of the information system and/or application can have significant... |
V-259412
|
Medium |
In the event of a system failure, the Windows DNS Server must preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to mission processes. |
Failure to a known state can address safety or security in accordance with the mission/business needs of the organization. Failure to a known secure state helps prevent a loss of confidentiality, integrity, or availability in the event of a failure of the information system or a component of the system.... |
V-259411
|
Medium |
The DNS server implementation must employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions. |
If unauthorized personnel use maintenance tools, they may accidentally or intentionally damage or compromise the system. The act of managing systems and applications includes the ability to access sensitive application information, such as system configuration details, diagnostic information, user information, and potentially sensitive application data.
Nonlocal maintenance and diagnostic activities... |
V-259410
|
Medium |
A unique Transaction Signature (TSIG) key must be generated for each pair of communicating hosts. |
To enable zone transfer (requests and responses) through authenticated messages, it is necessary to generate a key for every pair of name servers. The key also can be used for securing other transactions, such as dynamic updates, DNS queries, and responses. The binary key string generated by most key generation... |
V-259409
|
Medium |
The Windows DNS Server must be configured to notify the information system security officer (ISSO), information system security manager (ISSM), or DNS administrator when functionality of DNSSEC/TSIG has been removed or broken. |
Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes but is not limited to establishing system accounts, configuring access authorizations (i.e.,... |
V-259408
|
Medium |
The Windows DNS Server must log the event and notify the system administrator when anomalies in the operation of the signed zone transfers are discovered. |
Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes but is not limited to establishing system accounts, configuring access authorizations (i.e.,... |
V-259407
|
Medium |
The Windows DNS Server must verify the correct operation of security functions upon system startup and/or restart, upon command by a user with privileged access, and/or every 30 days. |
Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes but is not limited to establishing system accounts, configuring access authorizations (i.e.,... |
V-259406
|
Medium |
The Windows DNS Server must verify the correct operation of security functions upon startup and/or restart, upon command by a user with privileged access, and/or every 30 days. |
Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes but is not limited to establishing system accounts, configuring access authorizations (i.e.,... |
V-259405
|
Medium |
The Windows DNS Server must, when a component failure is detected, activate a notification to the system administrator. |
Predictable failure prevention requires organizational planning to address system failure issues. If components key to maintaining systems security fail to function, the system could continue operating in an insecure state. The organization must be prepared, and the application must support requirements that specify if the application must alarm for such... |
V-259404
|
Medium |
The HINFO, RP, TXT, and LOC RR types must not be used in the zone SOA. |
Several types of resource records (RRs) in the DNS are meant to convey information to humans and applications about the network, hosts, or services. These RRs include the Responsible Person (RP) record, the Host Information (HINFO) record, the Location (LOC) record, and the catch-all text string resource record (TXT) (RFC1035).... |
V-259403
|
Medium |
The DNS Name Server software must be configured to refuse queries for its version information. |
Each newer version of the name server software, especially the BIND software, generally is devoid of vulnerabilities found in earlier versions because it has design changes incorporated to address those vulnerabilities. The vulnerabilities have been exploited (i.e., some form of attack was launched), and sufficient information has been generated with... |
V-259402
|
Medium |
The Windows DNS Server must follow procedures to re-role a secondary name server as the primary name server if the primary name server permanently loses functionality. |
Failing to an unsecure condition negatively impacts application security and can lead to system compromise. Failure conditions include, for example, loss of communications among critical system components or between system components and operational facilities. Fail-safe procedures include, for example, alerting operator personnel and providing specific instructions on subsequent steps to... |
V-259401
|
Medium |
The Windows DNS Server must be configured to only allow zone information that reflects the environment for which it is authoritative, including IP ranges and IP versions. |
DNS zone data for which a Windows DNS Server is authoritative should represent the network for which it is responsible. If a Windows DNS Server hosts zone records for other networks or environments, the records could become invalid or stale or be redundant/conflicting with a DNS server truly authoritative for... |
V-259400
|
Medium |
The Windows DNS Server must implement NIST FIPS-validated cryptography for provisioning digital signatures, generating cryptographic hashes, and protecting unclassified information requiring confidentiality. |
Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The application must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.
The choice of digital signature algorithm will be... |
V-259399
|
Medium |
The Windows DNS Server must maintain the integrity of information during reception. |
Information can be unintentionally or maliciously disclosed or modified during preparation for transmission, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information. |
V-259398
|
Medium |
The Windows DNS Server must maintain the integrity of information during preparation for transmission. |
Information can be unintentionally or maliciously disclosed or modified during preparation for transmission, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information. |
V-259396
|
Medium |
The Windows DNS Server must use DNS Notify to prevent denial of service (DoS) through increase in workload. |
In the case of application DoS attacks, care must be taken when designing the application to ensure it makes the best use of system resources. SQL queries have the potential to consume large amounts of CPU cycles if they are not tuned for optimal performance. Web services containing complex calculations... |
V-259395
|
Medium |
The Windows DNS Server must restrict individuals from using it for launching denial-of-service (DoS) attacks against other information systems. |
Applications and application developers must take steps to ensure users cannot use an authorized application to launch DoS attacks against other systems and networks. For example, applications may include mechanisms that throttle network traffic, so users are not able to generate unlimited network traffic via the application. Limiting system resources... |
V-259394
|
Medium |
The Windows DNS Server must only contain zone records that have been validated annually. |
If zone information has not been validated in more than a year, there is no assurance that it is still valid. If invalid records are in a zone, an adversary could potentially use their existence for improper purposes. A standard operating procedure detailing this process can resolve this requirement. |
V-259393
|
Medium |
The Windows DNS Server must protect secret/private cryptographic keys while at rest. |
Information at rest refers to the state of information when it is located on a secondary storage device within an organizational information system. Mobile devices, laptops, desktops, and storage devices can be either lost or stolen, and the contents of their data storage (e.g., hard drives and nonvolatile memory) can... |
V-259392
|
Medium |
The Windows DNS Server must use an approved DOD PKI certificate authority. |
Untrusted certificate authorities (CA) can issue certificates, but the certificates may be issued by organizations or individuals that seek to compromise DOD systems or by organizations with insufficient security controls. If the CA used for verifying the certificate is not a DOD-approved CA, trust of this CA has not been... |
V-259391
|
Medium |
The Windows DNS Server must protect the authenticity of query responses via DNSSEC. |
The underlying feature in the major threat associated with DNS query/response (i.e., forged response or response failure) is the integrity of DNS data returned in the response. An integral part of integrity verification is to ensure that valid data has originated from the right source. DNSSEC is required for securing... |
V-259389
|
Medium |
The Windows DNS Server must protect the authenticity of zone transfers via transaction signing. |
Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. This applies to server-to-server (zone transfer) transactions and is provided by TSIG/SIG(0), which enforces mutual server authentication using a key that is unique to each server pair, TSIG, or using PKI-based authentication, SIG(0), thus uniquely identifying... |
V-259388
|
Medium |
The Windows DNS secondary server must validate data origin verification authentication on the name/address resolution responses received from primary name servers. |
If data origin authentication and data integrity verification are not performed, the resultant response could be forged, it may have come from a poisoned cache, the packets could have been intercepted without the resolver's knowledge, or resource records could have been removed that would result in query failure or denial... |
V-259387
|
Medium |
The Windows DNS secondary server must validate data integrity verification on the name/address resolution responses received from primary name servers. |
If data origin authentication and data integrity verification are not performed, the resultant response could be forged, it may have come from a poisoned cache, the packets could have been intercepted without the resolver's knowledge, or resource records could have been removed that would result in query failure or denial... |
V-259386
|
Medium |
The Windows DNS secondary server must request data integrity verification from the primary server when requesting name/address resolution. |
If data origin authentication and data integrity verification are not performed, the resultant response could be forged, it may have come from a poisoned cache, the packets could have been intercepted without the resolver's knowledge, or resource records could have been removed that would result in query failure or denial... |
V-259385
|
Medium |
The Windows DNS secondary servers must request data origin authentication verification from the primary server when requesting name/address resolution. |
If data origin authentication and data integrity verification are not performed, the resultant response could be forged, it may have come from a poisoned cache, the packets could have been intercepted without the resolver's knowledge, or resource records could have been removed that would result in query failure or denial... |
V-259384
|
Medium |
Automatic Update of Trust Anchors must be enabled on key rollover. |
A trust anchor is a preconfigured public key associated with a specific zone. A validating DNS server must be configured with one or more trust anchors to perform validation. If the DNS server is running on a domain controller, trust anchors are stored in the forest directory partition in Active... |
V-259383
|
Medium |
Trust anchors must be exported from authoritative Windows DNS Servers and distributed to validating Windows DNS Servers. |
If name server replies are invalid or cannot be validated, many networking functions and communication would be adversely affected. With DNS, the presence of Delegation Signer (DS) records associated with child zones informs clients of the security status of child zones. These records are crucial to the DNSSEC chain of... |
V-259382
|
Medium |
The Windows DNS Server must be configured to validate an authentication chain of parent and child domains via response data. |
If name server replies are invalid or cannot be validated, many networking functions and communication would be adversely affected. With DNS, the presence of Delegation Signer (DS) records associated with child zones informs clients of the security status of child zones. These records are crucial to the DNSSEC chain of... |
V-259381
|
Medium |
The Name Resolution Policy Table (NRPT) must be configured in Group Policy to enforce clients to request DNSSEC validation for a domain. |
The NRPT is used to require DNSSEC validation. The NRPT can be configured in local Group Policy for a single computer or domain Group Policy for some or all computers in the domain. |
V-259380
|
Medium |
The Windows DNS Server must enforce approved authorizations between DNS servers using digital signatures in the Resource Record Set (RRSet). |
A mechanism to detect and prevent unauthorized communication flow must be configured or provided as part of the system design. If information flow is not enforced based on approved authorizations, the system may become compromised. Information flow control regulates where information is allowed to travel within a system and between... |
V-259379
|
Medium |
The Windows DNS Server must be configured with the Delegation Signer (DS) Resource Records (RR) carrying the signature for the RR that contains the public key of the child zone. |
If name server replies are invalid or cannot be validated, many networking functions and communication would be adversely affected. With DNS, the presence of DS records associated with child zones informs clients of the security status of child zones. These records are crucial to the DNSSEC chain of trust model.... |
V-259378
|
Medium |
The Windows DNS Server must use DNSSEC data within queries to confirm data integrity to DNS resolvers. |
The major threat associated with DNS forged responses or failures is the integrity of the DNS data returned in the response. The principle of DNSSEC is to mitigate this threat by providing data origin authentication, establishing trust in the source. By requiring remote clients to obtain origin authentication and integrity... |
V-259377
|
Medium |
WINS lookups must be disabled on the Windows DNS Server. |
The major threat associated with DNS forged responses or failures is the integrity of the DNS data returned in the response. The principle of DNSSEC is to mitigate this threat by providing data origin authentication, establishing trust in the source. By requiring remote clients to obtain origin authentication and integrity... |
V-259376
|
Medium |
The Windows DNS Server must use DNSSEC data within queries to confirm data origin to DNS resolvers. |
The major threat associated with DNS forged responses or failures is the integrity of the DNS data returned in the response. The principle of DNSSEC is to mitigate this threat by providing data origin authentication, establishing trust in the source. By requiring remote clients to obtain origin authentication and integrity... |
V-259375
|
Medium |
The Windows DNS Server must return data information in response to internal name/address resolution queries. |
The major threat associated with DNS forged responses or failures is the integrity of the DNS data returned in the response. The principle of DNSSEC is to mitigate this threat by providing data origin authentication, establishing trust in the source. By requiring remote clients to obtain origin authentication and integrity... |
V-259374
|
Medium |
The Windows DNS Server's IP address must be statically defined and configured locally on the server. |
The major threat associated with DNS forged responses or failures is the integrity of the DNS data returned in the response. The principle of DNSSEC is to mitigate this threat by providing data origin authentication, establishing trust in the source. By requiring remote clients to obtain origin authentication and integrity... |
V-259373
|
Medium |
The Windows DNS Server must include data origin with authoritative data the system returns in response to external name/address resolution queries. |
The underlying feature in the major threat associated with DNS query/response (i.e., forged response or response failure) is the integrity of DNS data returned in the response. The security objective is to verify the integrity of each response received. An integral part of integrity verification is to ensure valid data... |
V-259372
|
Medium |
The salt value for zones signed using NSEC3 resource records (RRs) must be changed every time the zone is completely re-signed. |
NSEC records list the resource record types for the name, as well as the name of the next resource record. With this information it is revealed that the resource record type for the name queried, or the resource record name requested, does not exist.
NSEC uses the actual resource record... |
V-259371
|
Medium |
The Windows DNS Server must implement a local cache of revocation data for PKI authentication. |
Not configuring a local cache of revocation data could allow access to users who are no longer authorized (users with revoked certificates).
SIG(0) is used for server-to-server authentication for DNS transactions, and it uses PKI-based authentication. In cases where SIG(0) is being used instead of TSIG (which uses a shared... |
V-259370
|
Medium |
The private key corresponding to the zone signing key (ZSK) must only be stored on the name server that does support dynamic updates. |
The private keys in the key signing key (KSK) and ZSK key pairs must be protected from unauthorized access. If possible, the private keys should be stored offline (with respect to the internet-facing, DNSSEC-aware name server) in a physically secure, non-network-accessible machine along with the zone file primary copy.
This... |
V-259369
|
Medium |
The Windows DNS Server permissions must be set so the key file can only be read or modified by the account that runs the name server software. |
To enable zone transfer (requests and responses) through authenticated messages, it is necessary to generate a key for every pair of name servers. The key can also be used for securing other transactions, such as dynamic updates, DNS queries, and responses. The binary key string that is generated by most... |
V-259368
|
Medium |
The Windows DNS Server key file must be owned by the account under which the Windows DNS Server service is run. |
To enable zone transfer (requests and responses) through authenticated messages, it is necessary to generate a key for every pair of name servers. The key can also be used for securing other transactions, such as dynamic updates, DNS queries, and responses. The binary key string that is generated by most... |
V-259367
|
Medium |
The Windows DNS Server must be configured to enforce authorized access to the corresponding private key. |
The cornerstone of the PKI is the private key used to encrypt or digitally sign information. If the private key is stolen, this will lead to the compromise of the authentication and nonrepudiation gained through PKI because the attacker can use the private key to digitally sign documents and pretend... |
V-259366
|
Medium |
The Windows DNS Server must provide its identity with returned DNS information by enabling DNSSEC and TSIG/SIG(0). |
Weakly bound credentials can be modified without invalidating the credential; therefore, nonrepudiation can be violated.
This requirement supports audit requirements that provide organizational personnel with the means to identify who produced specific information in the event of an information transfer. Organizations and/or data owners determine and approve the strength of... |
V-259365
|
Medium |
The Windows DNS primary server must only send zone transfers to a specific list of secondary name servers. |
Primary name servers also make outbound connection to secondary name servers to provide zone transfers and accept inbound connection requests from clients wishing to provide a dynamic update. Primary name servers should explicitly limit zone transfers to be made only to designated secondary name servers. Because zone transfers involve the... |
V-259364
|
Medium |
The secondary Windows DNS name servers must cryptographically authenticate zone transfers from primary name servers. |
Authenticity of zone transfers within Windows Active Directory (AD)-integrated zones is accomplished by AD replication. Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Device authentication is a solution enabling an organization to manage devices. It is an additional layer of authentication ensuring only specific... |
V-259363
|
Medium |
The Windows DNS Server must uniquely identify the other DNS server before responding to a server-to-server transaction. |
Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. This applies to server-to-server (zone transfer) transactions only and is provided by TSIG/SIG(0), which enforces mutual server authentication using a key that is unique to each server pair, TSIG, or using PKI-based authentication, SIG(0), thus uniquely... |
V-259361
|
Medium |
AAAA addresses must not be configured in a zone for hosts that are not dual stack. |
DNS is only responsible for resolving a domain name to an IP address. Applications and operating systems are responsible for processing the IPv6 or IPv4 record that may be returned.
A denial of service could easily be implemented for an application that is not IPv6 if the user is not... |
V-259360
|
Medium |
Nonroutable IPv6 link-local scope addresses must not be configured in any zone. |
IPv6 link-local scope addresses are not globally routable and must not be configured in any DNS zone. Like RFC1918 addresses, if a link-local scope address is inserted into a zone provided to clients, most routers will not forward this traffic beyond the local subnet. |
V-259359
|
Medium |
The Windows DNS Server's zone files must not include CNAME records pointing to a zone with lesser security for more than six months. |
The use of CNAME records for exercises, tests, or zone-spanning (pointing to zones with lesser security) aliases should be temporary (e.g., to facilitate a migration) and not be in place for more than six months.
When a host name is an alias for a record in another zone, an adversary... |
V-259358
|
Medium |
The Windows DNS Servers zone files must not include resource records that resolve to a fully qualified domain name residing in another zone. |
If a name server could claim authority for a resource record in a domain for which it was not authoritative, this would pose a security risk. In this environment, an adversary could use illicit control of a name server to impact IP address resolution beyond the scope of that name... |
V-259357
|
Medium |
The Windows DNS Server authoritative for local zones must only point root hints to the DNS servers that host the internal root domain. |
All caching name servers must be authoritative for the root zone because, without this starting point, they would have no knowledge of the DNS infrastructure and thus would be unable to respond to any queries.
The security risk is that an adversary could change the root hints and direct the... |
V-259356
|
Medium |
The Windows DNS Server must implement internal/external role separation. |
DNS servers with an internal role only process name/address resolution requests from within the organization (i.e., internal clients). DNS servers with an external role only process name/address resolution information requests from clients external to the organization (i.e., on the external networks, including the internet).
The set of clients that can... |
V-259355
|
Medium |
The Windows DNS Servers zone database files must not be accessible for edit/write by users and/or processes other than the Windows DNS Server service account and/or the DNS database administrator. |
Discretionary Access Control (DAC) is based on the premise that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via... |
V-259354
|
Medium |
Primary authoritative name servers must be configured to only receive zone transfer requests from specified secondary name servers. |
Authoritative name servers (especially primary name servers) should be configured with an allow-transfer access control substatement designating the list of hosts from which zone transfer requests can be accepted. These restrictions address the denial-of-service threat and potential exploits from unrestricted dissemination of information about internal resources.
Based on the need... |
V-259353 | Medium | In a split DNS configuration between the external and internal networks, the external name server must be configured to not be reachable from inside resolvers. | Instead of having the same set of authoritative name servers serve different types of clients, an enterprise could have two different sets of authoritative name servers. One set, called external name servers, can be located within a DMZ; these would be the only name servers that are accessible to external... |
V-259352 | Medium | For zones split between the external and internal sides of a network, the resource records (RRs) for the external hosts must be separate from the RRs for the internal hosts. | Authoritative name servers for an enterprise may be configured to receive requests from both external and internal clients. External clients need to receive RRs that pertain only to public services (public web server, mail server, etc.). Internal clients need to receive RRs pertaining to public services as well as internal... |
V-259351 | Medium | The digital signature algorithm used for DNSSEC-enabled zones must be FIPS-compatible. | The choice of digital signature algorithm will be based on recommended algorithms in well-known standards. NIST's Digital Signature Standard (DSS) (FIPS 186) provides three algorithm choices: Digital Signature Algorithm (DSA); RSA; Elliptic Curve DSA (ECDSA). Of these three algorithms, RSA and DSA are more widely available and hence... |
V-259349 | Medium | All authoritative name servers for a zone must have the same version of zone information. | The only protection approach for content control of a DNS zone file is the use of a zone file integrity checker. The effectiveness of integrity checking using a zone file integrity checker depends on the database of constraints built into the checker. The deployment process consists of developing these constraints... |
V-259348 | Medium | All authoritative name servers for a zone must be located on different network segments. | Most enterprises have an authoritative primary server and a host of authoritative secondary name servers. It is essential that these authoritative name servers for an enterprise be located on different network segments. This dispersion ensures the availability of an authoritative name server not only in situations in which a particular... |
V-259346 | Medium | NSEC3 must be used for all internal DNS zones. | NSEC records list the resource record types for the name, as well as the name of the next resource record. This information reveals that the resource record type for the name queried, or the resource record name requested, does not exist. NSEC uses the actual resource record names, whereas NSEC3... |
V-259345 | Medium | The validity period for the Resource Record Signatures (RRSIGs) covering a zone's DNSKEY RRSet must be no less than two days and no more than one week. | The best way for a zone administrator to minimize the impact of a key compromise is by limiting the validity period of RRSIGs in the zone and the parent zone. This strategy limits the time during which an attacker can take advantage of a compromised key to forge responses. An... |
V-259344 | Medium | The Windows DNS Server must implement cryptographic mechanisms to detect changes to information during transmission. | Encrypting information for transmission protects it from unauthorized disclosure and modification. Cryptographic mechanisms implemented to protect information integrity include, for example, cryptographic hash functions that have common application in digital signatures, checksums, and message authentication codes. Confidentiality is not an objective of DNS, but integrity is. DNSSEC and TSIG/SIG(0) both... |
V-259342 | Medium | Forwarders on an authoritative Windows DNS Server, if enabled for external resolution, must forward only to an internal, non-Active Directory (AD)-integrated DNS server or to the DOD Enterprise Recursive Services (ERS). | A potential vulnerability of DNS is that an attacker can poison a name server's cache by sending queries that will cause the server to obtain host-to-IP address mappings from bogus name servers that respond with incorrect information. Once a name server has been poisoned, legitimate clients may be directed to... |
V-259341 | Medium | The Windows DNS Server must prohibit recursion on authoritative name servers for which forwarders have not been configured for external queries. | A potential vulnerability of DNS is that an attacker can poison a name server's cache by sending queries that will cause the server to obtain host-to-IP address mappings from bogus name servers that respond with incorrect information. Once a name server has been poisoned, legitimate clients may be directed to... |
V-259340 | Medium | The Windows DNS name servers for a zone must be geographically dispersed. | In addition to network-based separation, authoritative name servers should be dispersed geographically. In other words, in addition to being located on different network segments, the authoritative name servers should not all be located in the same building. One approach is to locate some authoritative name servers in their own premises... |
V-259339 | Medium | The validity period for the Resource Record Signatures (RRSIGs) covering the Delegation Signer (DS) Resource Record (RR) for a zone's delegated children must be no less than two days and no more than one week. | The best way for a zone administrator to minimize the impact of a key compromise is by limiting the validity period of RRSIGs in the zone and the parent zone. This strategy limits the time during which an attacker can take advantage of a compromised key to forge responses. An... |
V-259338 | Medium | The "Manage auditing and security log" user right must be assigned only to authorized personnel. | Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. The actual auditing is performed by the operating system/network device manager, but the configuration to trigger the auditing is controlled by the... |
V-259337 | Medium | The Windows DNS Server log must be enabled. | Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. The actual auditing is performed by the operating system/network device manager, but the configuration to trigger the auditing is controlled by the... |
V-259336 | Medium | The Windows DNS Server must notify the DNS administrator in the event of an error validating another DNS server's identity. | Failing to act on validation errors may result in the use of invalid, corrupted, or compromised information. The validation of bindings can be achieved, for example, using cryptographic checksums. Validations must be performed automatically. At a minimum, the application must log the validation error. However, more stringent actions can be... |
V-259335 | Medium | The Windows DNS Server must be configured to record who added/modified/deleted DNS zone information. | Without a means for identifying the individual that produced the information, the information cannot be relied on. Identifying the validity of information may be delayed or deterred. This requirement ensures organizational personnel have a means to identify who produced or changed specific information in transfers, zone information, or DNS configuration... |
V-259334 | Medium | The Windows DNS Server must restrict incoming dynamic update requests to known clients. | Limiting the number of concurrent sessions reduces the risk of denial of service (DoS) on any system. A DNS server's function requires it to be able to handle multiple sessions at a time, so limiting concurrent sessions could impact availability. Primary name servers must be configured to limit the actual... |