Microsoft Windows 2012 Server Domain Name System Security Technical Implementation Guide

The Microsoft Windows 2012 Server Domain Name System Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: [email protected]

Details

Version / Release: V1R12

Published: 2019-06-28

Updated At: 2019-08-08 19:57:37



    Vuln Rule Version CCI Severity Title Description
    SV-72667r3_rule WDNS-AC-000001 CCI-000054 MEDIUM The Windows 2012 DNS Server must restrict incoming dynamic update requests to known clients. Limiting the number of concurrent sessions reduces the risk of Denial of Service (DoS) on any system. A DNS server's function requires it to be able to handle multiple sessions at a time so limiting concurrent sessions could potentially cause an impact t
    SV-72973r3_rule WDNS-AU-000001 CCI-000366 MEDIUM The Windows 2012 DNS Server must be configured to record, and make available to authorized personnel, who added/modified/deleted DNS zone information. Without a means for identifying the individual that produced the information, the information cannot be relied upon. Identifying the validity of information may be delayed or deterred. This requirement ensures organizational personnel have a means to ide
    SV-72977r4_rule WDNS-AU-000003 CCI-000366 MEDIUM The Windows 2012 DNS Server must, in the event of an error validating another DNS server's identity, send notification to the DNS administrator. Failing to act on the validation errors may result in the use of invalid, corrupted, or compromised information. The validation of bindings can be achieved, for example, by the use of cryptographic checksums. Validations must be performed automatically.
    SV-72979r3_rule WDNS-AU-000005 CCI-000169 MEDIUM The Windows 2012 DNS Server log must be enabled. Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. The actual auditing is performed by the OS/NDM, but the configurati
    SV-72981r5_rule WDNS-AU-000006 CCI-000169 MEDIUM The Windows 2012 DNS Server logging must be enabled to record events from all DNS server functions. DNS server performance can be affected when additional logging is enabled, however the enhanced DNS logging and diagnostics feature in Windows Server 2012 R2 is designed to have a very low impact on performance. Enhanced DNS logging and diagnostics in Win
    SV-72983r5_rule WDNS-AU-000007 CCI-000171 MEDIUM The Windows 2012 DNS Server logging criteria must only be configured by the ISSM or individuals appointed by the ISSM. Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. The actual auditing is performed by the OS/NDM, but the configuratio
    SV-72985r5_rule WDNS-AU-000008 CCI-000172 MEDIUM The Windows 2012 DNS Server must generate audit records for the success and failure of all name server events. Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. The actual auditing is performed by the OS/NDM, but the configuratio
    SV-72987r5_rule WDNS-SC-000031 CCI-002450 MEDIUM The Windows 2012 DNS Server must implement NIST FIPS-validated cryptography for provisioning digital signatures, generating cryptographic hashes, and protecting unclassified information requiring confidentiality. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The application must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides ass
    SV-72991r3_rule WDNS-AU-000010 CCI-000130 MEDIUM The Windows 2012 DNS Server log must include event types within the log records. Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. The actual auditing is performed by the OS/NDM, but the configuratio
    SV-72993r3_rule WDNS-AU-000011 CCI-000131 MEDIUM The Windows 2012 DNS Server log must include time stamps within the log records. Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. The actual auditing is performed by the OS/NDM, but the configuratio
    SV-72995r3_rule WDNS-AU-000012 CCI-000132 MEDIUM The Windows 2012 DNS Server log must include origin of events within the log records. Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. The actual auditing is performed by the OS/NDM, but the configuratio
    SV-72997r3_rule WDNS-AU-000013 CCI-000133 MEDIUM The Windows 2012 DNS Server log must include the source of events within the log records. Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. The actual auditing is performed by the OS/NDM, but the configuratio
    SV-72999r3_rule WDNS-AU-000014 CCI-000134 MEDIUM The Windows 2012 DNS Server log must include results of events within the log records. Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. The actual auditing is performed by the OS/NDM, but the configuratio
    SV-73001r3_rule WDNS-AU-000015 CCI-001487 MEDIUM The Windows 2012 DNS Server log must include identity of individual or process associated with events within the log records. Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. The actual auditing is performed by the OS/NDM, but the configuratio
    SV-73003r3_rule WDNS-AU-000016 CCI-001348 MEDIUM The Windows 2012 DNS Server's audit records must be backed up at least every seven days onto a different system or system component than the system or component being audited. Protection of log data includes assuring log data is not accidentally lost or deleted. Backing up audit records to a different system or onto separate media than the system being audited on a defined frequency helps to assure, in the event of a catastroph
    SV-73005r4_rule WDNS-CM-000001 CCI-000366 MEDIUM The validity period for the RRSIGs covering the DS RR for a zone's delegated children must be no less than two days and no more than one week. The best way for a zone administrator to minimize the impact of a key compromise is by limiting the validity period of RRSIGs in the zone and in the parent zone. This strategy limits the time during which an attacker can take advantage of a compromised ke
    SV-73007r3_rule WDNS-CM-000002 CCI-000366 MEDIUM The Windows DNS name servers for a zone must be geographically dispersed. In addition to network-based separation, authoritative name servers should be dispersed geographically as well. In other words, in addition to being located on different network segments, the authoritative name servers should not all be located within the
    SV-73009r4_rule WDNS-CM-000003 CCI-000366 MEDIUM The Windows 2012 DNS Server must prohibit recursion on authoritative name servers for which forwarders have not been configured for external queries. A potential vulnerability of DNS is that an attacker can poison a name server's cache by sending queries that will cause the server to obtain host-to-IP address mappings from bogus name servers that respond with incorrect information. Once a name server h
    SV-73011r4_rule WDNS-CM-000004 CCI-000366 MEDIUM Forwarders on an authoritative Windows 2012 DNS Server, if enabled for external resolution, must only forward to either an internal, non-AD-integrated DNS server or to the DoD Enterprise Recursive Services (ERS). A potential vulnerability of DNS is that an attacker can poison a name server's cache by sending queries that will cause the server to obtain host-to-IP address mappings from bogus name servers that respond with incorrect information. Once a name server h
    SV-73013r4_rule WDNS-CM-000005 CCI-000366 MEDIUM The Windows 2012 DNS Server with a caching name server role must restrict recursive query responses to only the IP addresses and IP address ranges of known supported clients. A potential vulnerability of DNS is that an attacker can poison a name server's cache by sending queries that will cause the server to obtain host-to-IP address mappings from bogus name servers that respond with incorrect information. Once a name server h
    SV-73015r4_rule WDNS-CM-000006 CCI-000366 MEDIUM The Windows 2012 DNS Server with a caching name server role must be secured against pollution by ensuring the authenticity and integrity of queried records. A potential vulnerability of DNS is that an attacker can poison a name server's cache by sending queries that will cause the server to obtain host-to-IP address mappings from bogus name servers that respond with incorrect information. Once a name server h
    SV-73017r6_rule WDNS-CM-000007 CCI-000366 MEDIUM The Windows 2012 DNS Server must implement cryptographic mechanisms to detect changes to information during transmission unless otherwise protected by alternative physical safeguards, such as, at a minimum, a Protected Distribution System (PDS). Encrypting information for transmission protects information from unauthorized disclosure and modification. Cryptographic mechanisms implemented to protect information integrity include, for example, cryptographic hash functions which have common applicat
    SV-73019r5_rule WDNS-CM-000008 CCI-000366 MEDIUM The validity period for the RRSIGs covering a zone's DNSKEY RRSet must be no less than two days and no more than one week. The best way for a zone administrator to minimize the impact of a key compromise is by limiting the validity period of RRSIGs in the zone and in the parent zone. This strategy limits the time during which an attacker can take advantage of a compromised ke
    SV-73021r4_rule WDNS-CM-000009 CCI-000366 MEDIUM NSEC3 must be used for all internal DNS zones. NSEC records list the resource record types for the name, as well as the name of the next resource record. With this information it is revealed that the resource record type for the name queried, or the resource record name requested, does not exist. NSEC
    SV-73023r4_rule WDNS-CM-000010 CCI-000366 HIGH The Windows 2012 DNS Server's zone files must have NS records that point to active name servers authoritative for the domain specified in that record. Poorly constructed NS records pose a security risk because they create conditions under which an adversary might be able to provide the missing authoritative name services that are improperly specified in the zone file. The adversary could issue bogus res
    SV-73025r3_rule WDNS-CM-000012 CCI-000366 MEDIUM All authoritative name servers for a zone must be located on different network segments. Most enterprises have an authoritative primary server and a host of authoritative secondary name servers. It is essential that these authoritative name servers for an enterprise be located on different network segments. This dispersion ensures the availab
    SV-73027r3_rule WDNS-CM-000013 CCI-000366 MEDIUM All authoritative name servers for a zone must have the same version of zone information. The only protection approach for content control of a DNS zone file is the use of a zone file integrity checker. The effectiveness of integrity checking using a zone file integrity checker depends upon the database of constraints built into the checker. T
    SV-73029r5_rule WDNS-CM-000014 CCI-000366 HIGH The Windows 2012 DNS Server must be configured to enable DNSSEC Resource Records. The specification for a digital signature mechanism in the context of the DNS infrastructure is in IETF's DNSSEC standard. In DNSSEC, trust in the public key (for signature verification) of the source is established not by going to a third party or a cha
    SV-73031r4_rule WDNS-CM-000015 CCI-000366 MEDIUM Digital signature algorithm used for DNSSEC-enabled zones must be FIPS-compatible. The choice of digital signature algorithm will be based on recommended algorithms in well-known standards. NIST's Digital Signature Standard (DSS) [FIPS186] provides three algorithm choices: * Digital Signature Algorithm (DSA) * RSA * Elliptic Curve DSA (
    SV-73033r3_rule WDNS-CM-000016 CCI-000366 MEDIUM For zones split between the external and internal sides of a network, the RRs for the external hosts must be separate from the RRs for the internal hosts. Authoritative name servers for an enterprise may be configured to receive requests from both external and internal clients. External clients need to receive RRs that pertain only to public services (public Web server, mail server, etc.) Internal clien
    SV-73035r3_rule WDNS-CM-000017 CCI-000366 MEDIUM In a split DNS configuration, where separate name servers are used between the external and internal networks, the external name server must be configured to not be reachable from inside resolvers. Instead of having the same set of authoritative name servers serve different types of clients, an enterprise could have two different sets of authoritative name servers. One set, called external name servers, can be located within a DMZ; these would be
    SV-73037r3_rule WDNS-CM-000018 CCI-000366 MEDIUM In a split DNS configuration, where separate name servers are used between the external and internal networks, the internal name server must be configured to not be reachable from outside resolvers. Instead of having the same set of authoritative name servers serve different types of clients, an enterprise could have two different sets of authoritative name servers. One set, called external name servers, can be located within a DMZ; these would be t
    SV-73039r3_rule WDNS-CM-000019 CCI-000366 MEDIUM Primary authoritative name servers must be configured to only receive zone transfer requests from specified secondary name servers. Authoritative name servers (especially primary name servers) should be configured with an allow-transfer access control sub statement designating the list of hosts from which zone transfer requests can be accepted. These restrictions address the denial-of
    SV-73041r4_rule WDNS-CM-000020 CCI-000366 MEDIUM The Windows 2012 DNS Server's zone database files must not be accessible for edit/write by users and/or processes other than the Windows 2012 DNS Server service account and/or the DNS database administrator. Discretionary Access Control (DAC) is based on the premise that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquire
    SV-73043r3_rule WDNS-CM-000021 CCI-000366 MEDIUM The Windows 2012 DNS Server must implement internal/external role separation. DNS servers with an internal role only process name/address resolution requests from within the organization (i.e., internal clients). DNS servers with an external role only process name/address resolution information requests from clients external to the
    SV-73045r5_rule WDNS-CM-000022 CCI-000366 MEDIUM The Windows 2012 DNS Server authoritative for local zones must only point root hints to the DNS servers that host the internal root domain. All caching name servers must be authoritative for the root zone because, without this starting point, they would have no knowledge of the DNS infrastructure and thus would be unable to respond to any queries. The security risk is that an adversary could
    SV-73047r3_rule WDNS-CM-000023 CCI-000366 MEDIUM The DNS name server software must be at the latest version. Each newer version of the name server software, especially the BIND software, generally is devoid of vulnerabilities found in earlier versions because it has design changes incorporated to take care of those vulnerabilities. These vulnerabilities have bee
    SV-73049r3_rule WDNS-CM-000024 CCI-000366 MEDIUM The Windows 2012 DNS Server's zone files must not include resource records that resolve to a fully qualified domain name residing in another zone. If a name server were able to claim authority for a resource record in a domain for which it was not authoritative, this would pose a security risk. In this environment, an adversary could use illicit control of a name server to impact IP address resoluti
    SV-73051r3_rule WDNS-CM-000025 CCI-000366 MEDIUM The Windows 2012 DNS Server's zone files must not include CNAME records pointing to a zone with lesser security for more than six months. The use of CNAME records for exercises, tests, or zone-spanning aliases should be temporary (e.g., to facilitate a migration). When a host name is an alias for a record in another zone, an adversary has two points of attack: the zone in which the alias is
    SV-73053r3_rule WDNS-CM-000026 CCI-000366 MEDIUM Non-routable IPv6 link-local scope addresses must not be configured in any zone. IPv6 link-local scope addresses are not globally routable and must not be configured in any DNS zone. Similar to RFC1918 addresses, if a link-local scope address is inserted into a zone provided to clients, most routers will not forward this traffic beyo
    SV-73055r3_rule WDNS-CM-000027 CCI-000366 MEDIUM AAAA addresses must not be configured in a zone for hosts that are not IPv6-aware. DNS is only responsible for resolving a domain name to an IP address. Applications and operating systems are responsible for processing the IPv6 or IPv4 record that may be returned. With this in mind, a denial of service could easily be implemented for
    SV-73057r5_rule WDNS-CM-000028 CCI-000366 MEDIUM When IPv6 protocol is installed, the server must also be configured to answer for IPv6 AAAA records. To prevent the possibility of a denial of service in relation to an IPv4 DNS server trying to respond to IPv6 requests, the server should be configured not to listen on any of its IPv6 interfaces unless it does contain IPv6 AAAA resource records in one of
    SV-73059r4_rule WDNS-CM-000029 CCI-000382 MEDIUM The Windows 2012 DNS Server must be configured to prohibit or restrict unapproved ports and protocols. In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical po
    SV-73061r4_rule WDNS-IA-000001 CCI-002039 MEDIUM The Windows 2012 DNS Server must require devices to re-authenticate for each dynamic update request connection attempt. Without re-authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. In addition to the re-authentication requirements associated with session locks, organizations may require re-authentication of
    SV-73063r3_rule WDNS-IA-000002 CCI-000778 MEDIUM The Windows 2012 DNS Server must uniquely identify the other DNS server before responding to a server-to-server transaction. Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. This applies to server-to-server (zone transfer) transactions only and is provided by TSIG/SIG(0), which enforces mutual server authen
    SV-73065r4_rule WDNS-IA-000003 CCI-001958 MEDIUM The secondary Windows DNS name servers must cryptographically authenticate zone transfers from primary name servers. Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Device authentication is a solution enabling an organization to manage devices. It is an additional layer of authentication ensurin
    SV-73067r3_rule WDNS-IA-000004 CCI-001958 MEDIUM The Windows DNS primary server must only send zone transfers to a specific list of secondary name servers. Primary name servers also make outbound connection to secondary name servers to provide zone transfers and accept inbound connection requests from clients wishing to provide a dynamic update. Primary name servers should explicitly limit zone transfers to
    SV-73069r5_rule WDNS-IA-000005 CCI-001958 MEDIUM The Windows 2012 DNS Server must provide its identity with returned DNS information by enabling DNSSEC and TSIG/SIG(0). Weakly bound credentials can be modified without invalidating the credential; therefore, non-repudiation can be violated. This requirement supports audit requirements that provide organizational personnel with the means to identify who produced specific
    SV-73071r3_rule WDNS-IA-000006 CCI-000186 MEDIUM The Windows 2012 DNS Server must be configured to enforce authorized access to the corresponding private key. The cornerstone of the PKI is the private key used to encrypt or digitally sign information. If the private key is stolen, this will lead to the compromise of the authentication and non-repudiation gained through PKI because the attacker can use the priva
    SV-73073r3_rule WDNS-IA-000007 CCI-000186 MEDIUM The Windows 2012 DNS Server key file must be owned by the account under which the Windows 2012 DNS Server service is run. To enable zone transfer (requests and responses) through authenticated messages, it is necessary to generate a key for every pair of name servers. The key can also be used for securing other transactions, such as dynamic updates, DNS queries, and response
    SV-73075r5_rule WDNS-IA-000008 CCI-000186 MEDIUM The Windows 2012 DNS Server permissions must be set so that the key file can only be read or modified by the account that runs the name server software. To enable zone transfer (requests and responses) through authenticated messages, it is necessary to generate a key for every pair of name servers. The key can also be used for securing other transactions, such as dynamic updates, DNS queries, and response
    SV-73077r4_rule WDNS-IA-000009 CCI-000186 MEDIUM The private key corresponding to the ZSK must only be stored on the name server that does support dynamic updates. The private keys in the KSK and ZSK key pairs must be protected from unauthorized access. If possible, the private keys should be stored off-line (with respect to the Internet-facing, DNSSEC-aware name server) in a physically secure, non-network-accessibl
    SV-73079r3_rule WDNS-IA-000011 CCI-001991 MEDIUM The Windows 2012 DNS Server must implement a local cache of revocation data for PKI authentication in the event revocation information via the network is not accessible. Without configuring a local cache of revocation data, there is the potential to allow access to users who are no longer authorized (users with revoked certificates). SIG(0) is used for server-to-server authentication for DNS transactions, and it uses PKI
    SV-73081r4_rule WDNS-SC-000001 CCI-002450 MEDIUM The salt value for zones signed using NSEC3 RRs must be changed every time the zone is completely re-signed. NSEC records list the resource record types for the name, as well as the name of the next resource record. With this information it is revealed that the resource record type for the name queried, or the resource record name requested, does not exist. NSEC
    SV-73083r5_rule WDNS-SC-000002 CCI-001178 MEDIUM The Windows 2012 DNS Server must include data origin with authoritative data the system returns in response to external name/address resolution queries. The underlying feature in the major threat associated with DNS query/response (i.e., forged response or response failure) is the integrity of DNS data returned in the response. The security objective is to verify the integrity of each response received. A
    SV-73085r3_rule WDNS-SC-000003 CCI-000366 MEDIUM The Windows 2012 DNS Server's IP address must be statically defined and configured locally on the server. The major threat associated with DNS forged responses or failures is the integrity of the DNS data returned in the response. The principle of DNSSEC is to mitigate this threat by providing data origin authentication, establishing trust in the source. By
    SV-73087r5_rule WDNS-SC-000004 CCI-000366 MEDIUM The Windows 2012 DNS Server must return data information in responses to internal name/address resolution queries. The major threat associated with DNS forged responses or failures is the integrity of the DNS data returned in the response. The principle of DNSSEC is to mitigate this threat by providing data origin authentication, establishing trust in the source. By r
    SV-73089r5_rule WDNS-SC-000005 CCI-000366 MEDIUM The Windows 2012 DNS Server must use DNSSEC data within queries to confirm data origin to DNS resolvers. The major threat associated with DNS forged responses or failures is the integrity of the DNS data returned in the response. The principle of DNSSEC is to mitigate this threat by providing data origin authentication, establishing trust in the source. By
    SV-73091r3_rule WDNS-SC-000006 CCI-002462 MEDIUM WINS lookups must be disabled on the Windows 2012 DNS Server. The major threat associated with DNS forged responses or failures is the integrity of the DNS data returned in the response. The principle of DNSSEC is to mitigate this threat by providing data origin authentication, establishing trust in the source. By r
    SV-73093r5_rule WDNS-SC-000007 CCI-002462 MEDIUM The Windows 2012 DNS Server must use DNSSEC data within queries to confirm data integrity to DNS resolvers. The major threat associated with DNS forged responses or failures is the integrity of the DNS data returned in the response. The principle of DNSSEC is to mitigate this threat by providing data origin authentication, establishing trust in the source. By r
    SV-73095r5_rule WDNS-SC-000008 CCI-001179 MEDIUM The Windows 2012 DNS Server must be configured with the DS RR carrying the signature for the RR that contains the public key of the child zone. If name server replies are invalid or cannot be validated, many networking functions and communication would be adversely affected. With DNS, the presence of Delegation Signer (DS) records associated with child zones informs clients of the security status
    SV-73097r4_rule WDNS-SC-000009 CCI-001663 MEDIUM The Windows 2012 DNS Server must enforce approved authorizations between DNS servers through the use of digital signatures in the RRSet. A mechanism to detect and prevent unauthorized communication flow must be configured or provided as part of the system design. If information flow is not enforced based on approved authorizations, the system may become compromised. Information flow contro
    SV-73099r4_rule WDNS-SC-000010 CCI-001663 MEDIUM The Name Resolution Policy Table (NRPT) must be configured in Group Policy to enforce clients to request DNSSEC validation for a domain. The Name Resolution Policy Table (NRPT) is used to require DNSSEC validation. The NRPT can be configured in local Group Policy for a single computer or domain Group Policy for some or all computers in the domain.
    SV-73101r6_rule WDNS-SC-000011 CCI-001663 MEDIUM The Windows 2012 DNS Server must be configured to validate an authentication chain of parent and child domains via response data. If name server replies are invalid or cannot be validated, many networking functions and communication would be adversely affected. With DNS, the presence of Delegation Signer (DS) records associated with child zones informs clients of the security status
    SV-73103r5_rule WDNS-SC-000012 CCI-001663 MEDIUM Trust anchors must be exported from authoritative Windows 2012 DNS Servers and distributed to validating Windows 2012 DNS Servers. If name server replies are invalid or cannot be validated, many networking functions and communication would be adversely affected. With DNS, the presence of Delegation Signer (DS) records associated with child zones informs clients of the security status
    SV-73105r4_rule WDNS-SC-000013 CCI-001663 MEDIUM Automatic Update of Trust Anchors must be enabled on key rollover. A trust anchor is a preconfigured public key associated with a specific zone. A validating DNS server must be configured with one or more trust anchors in order to perform validation. If the DNS server is running on a domain controller, trust anchors are
    SV-73107r4_rule WDNS-SC-000014 CCI-002465 MEDIUM The Windows DNS secondary servers must request data origin authentication verification from the primary server when requesting name/address resolution. If data origin authentication and data integrity verification are not performed, the resultant response could be forged, it may have come from a poisoned cache, the packets could have been intercepted without the resolver's knowledge, or resource records
    SV-73109r5_rule WDNS-SC-000015 CCI-002466 MEDIUM The Windows DNS secondary server must request data integrity verification from the primary server when requesting name/address resolution. If data origin authentication and data integrity verification are not performed, the resultant response could be forged, it may have come from a poisoned cache, the packets could have been intercepted without the resolver's knowledge, or resource records
    SV-73111r5_rule WDNS-SC-000017 CCI-002467 MEDIUM The Windows DNS secondary server must validate data integrity verification on the name/address resolution responses received from primary name servers. If data origin authentication and data integrity verification are not performed, the resultant response could be forged, it may have come from a poisoned cache, the packets could have been intercepted without the resolver's knowledge, or resource records
    SV-73113r5_rule WDNS-SC-000018 CCI-002468 MEDIUM The Windows DNS secondary server must validate data origin verification authentication on the name/address resolution responses received from primary name servers. If data origin authentication and data integrity verification are not performed, the resultant response could be forged, it may have come from a poisoned cache, the packets could have been intercepted without the resolver's knowledge, or resource records
    SV-73115r3_rule WDNS-SC-000019 CCI-001184 MEDIUM The Windows 2012 DNS Server must protect the authenticity of zone transfers via transaction signing. Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. This applies to server-to-server (zone transfer) transactions and is provided by TSIG/SIG(0), which enforces mutual server authenticat
    SV-73117r6_rule WDNS-SC-000020 CCI-001184 HIGH The Windows 2012 DNS Server must protect the authenticity of dynamic updates via transaction signing. DNS is a fundamental network service that is prone to various attacks, such as cache poisoning and man-in-the-middle attacks. If communication sessions are not provided appropriate validity protections, such as the employment of DNSSEC, the authenticity o
    SV-73119r5_rule WDNS-SC-000021 CCI-001184 MEDIUM The Windows 2012 DNS Server must protect the authenticity of query responses via DNSSEC. The underlying feature in the major threat associated with DNS query/response (i.e., forged response or response failure) is the integrity of DNS data returned in the response. An integral part of integrity verification is to ensure that valid data has or
    SV-73121r3_rule WDNS-SC-000022 CCI-002470 MEDIUM The Windows 2012 DNS Server must only allow the use of approved DoD PKI-established certificate authorities for verification of the establishment of protected transactions. Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DoD systems or by organizations with insufficient security controls. If the CA used for verifying the certificate
    SV-73123r4_rule WDNS-SC-000024 CCI-001199 MEDIUM The Windows 2012 DNS Server must protect secret/private cryptographic keys while at rest. Information at rest refers to the state of information when it is located on a secondary storage device within an organizational information system. Mobile devices, laptops, desktops, and storage devices can be either lost or stolen, and the contents of t
    SV-73125r3_rule WDNS-SC-000025 CCI-002475 MEDIUM The Windows 2012 DNS Server must not contain zone records that have not been validated in over a year. If zone information has not been validated in over a year, then there is no assurance that it is still valid. If invalid records are in a zone, then an adversary could potentially use their existence for improper purposes. An SOP detailing this process c
    SV-73127r3_rule WDNS-SC-000026 CCI-001094 MEDIUM The Windows 2012 DNS Server must restrict individuals from using it for launching Denial of Service (DoS) attacks against other information systems. Applications and application developers must take the steps needed to ensure users cannot use an authorized application to launch DoS attacks against other systems and networks. For example, applications may include mechanisms that throttle network traffi
    SV-73129r3_rule WDNS-SC-000027 CCI-001095 MEDIUM The Windows 2012 DNS Server must use DNS Notify to prevent denial of service through increase in workload. In the case of application DoS attacks, care must be taken when designing the application to ensure the application makes the best use of system resources. SQL queries have the potential to consume large amounts of CPU cycles if they are not tuned for opt
    SV-73131r5_rule WDNS-SC-000028 CCI-002418 MEDIUM The Windows 2012 DNS Server must protect the integrity of transmitted information. Without protection of the transmitted information, confidentiality and integrity may be compromised since unprotected communications can be intercepted and either read or altered. Communication paths outside the physical protection of a controlled bounda
    SV-73133r5_rule WDNS-SC-000029 CCI-002421 MEDIUM The Windows 2012 DNS Server must maintain the integrity of information during preparation for transmission. Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures
    SV-73135r5_rule WDNS-SC-000030 CCI-002420 MEDIUM The Windows 2012 DNS Server must maintain the integrity of information during reception. Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures
    SV-73137r3_rule WDNS-SI-000001 CCI-001310 MEDIUM The Windows 2012 DNS Server must be configured to only allow zone information that reflects the environment for which it is authoritative, to include IP ranges and IP versions. DNS zone data for which a Windows 2012 DNS server is authoritative should represent the network for which it is responsible. If a Windows 2012 DNS server hosts zone records for other networks or environments, there is the possibility for the records to be
    SV-73139r3_rule WDNS-SI-000002 CCI-002754 MEDIUM The Windows 2012 DNS Server must follow procedures to re-role a secondary name server as the master name server should the master name server permanently lose functionality. Failing to an unsecure condition negatively impacts application security and can lead to system compromise. Failure conditions include, for example, loss of communications among critical system components or between system components and operational facil
    SV-73141r3_rule WDNS-SI-000005 CCI-000366 MEDIUM The Windows 2012 DNS Server must, when a component failure is detected, activate a notification to the system administrator. Predictable failure prevention requires organizational planning to address system failure issues. If components key to maintaining systems security fail to function, the system could continue operating in an insecure state. The organization must be prepar
    SV-73143r3_rule WDNS-SI-000006 CCI-000366 MEDIUM The Windows 2012 DNS Server must perform verification of the correct operation of security functions: upon system start-up and/or restart; upon command by a user with privileged access; and/or every 30 days. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality i
    SV-73145r3_rule WDNS-SI-000007 CCI-002699 MEDIUM The Windows 2012 DNS Server must log the event and notify the system administrator when anomalies in the operation of the signed zone transfers are discovered. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality i
    SV-73147r4_rule WDNS-SI-000008 CCI-001294 MEDIUM The Windows 2012 DNS Server must be configured to notify the ISSO/ISSM/DNS administrator when functionality of DNSSEC/TSIG has been removed or broken. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality i
    SV-73149r3_rule WDNS-SI-000009 CCI-002702 MEDIUM The Windows 2012 DNS Server must generate audit records for the success and failure of start and stop of the DNS Server service. Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being performed on the system, where an event occurred, when an event occurred, and by whom the event was triggered, in order to c
    SV-73167r3_rule WDNS-SI-000003 CCI-001312 MEDIUM The DNS Name Server software must be configured to refuse queries for its version information. Each newer version of the name server software, especially the BIND software, generally is devoid of vulnerabilities found in earlier versions because it has design changes incorporated to take care of those vulnerabilities. Of course, these vulnerabiliti
    SV-73169r4_rule WDNS-SI-000004 CCI-001312 MEDIUM The HINFO, RP, TXT and LOC RR types must not be used in the zone SOA. There are several types of RRs in the DNS that are meant to convey information to humans and applications about the network, hosts, or services. These RRs include the Responsible Person (RP) record, the Host Information (HINFO) record, the Location (LOC)