Microsoft Windows Server Domain Name System (DNS) Security Technical Implementation Guide

  • Version/Release: V2R1
  • Published: 2024-06-14
  • Released: 2024-07-24
  • Expand All:
  • Severity:
  • Sort:
Compare

Select any two versions of this STIG to compare the individual requirements

View

Select any old version/release of this STIG to view the previous requirements

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
b
The Windows DNS Server must restrict incoming dynamic update requests to known clients.
AC-10 - Medium - CCI-000054 - V-259334 - SV-259334r960735_rule
RMF Control
AC-10
Severity
Medium
CCI
CCI-000054
Version
WDNS-22-000001
Vuln IDs
  • V-259334
Rule IDs
  • SV-259334r960735_rule
Limiting the number of concurrent sessions reduces the risk of denial of service (DoS) on any system. A DNS server's function requires it to be able to handle multiple sessions at a time, so limiting concurrent sessions could impact availability. Primary name servers must be configured to limit the actual hosts from which they will accept dynamic updates and zone transfer requests, and all name servers should be configured to limit the hosts from/to which they receive/send zone transfers. Restricting sessions to known hosts will mitigate the DoS vulnerability.
Checks: C-63073r939705_chk

Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. Press the Windows key + R and execute "dnsmgmt.msc". On the opened DNS Manager snap-in from the left pane, expand the server name and then expand "Forward Lookup Zones". From the expanded list, click to select the zone. Once selected, right-click the name of the zone. From the displayed context menu, click the "Properties" option. On the opened domain's properties box, click the "General" tab. Verify the "Type:" is "Active Directory-Integrated". Verify "Dynamic updates" has "Secure only" selected. If the zone is "Active Directory-Integrated" and "Dynamic updates" are not configured for "Secure only", this is a finding.

Fix: F-62981r939706_fix

Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. Press the Windows key + R and execute "dnsmgmt.msc". On the opened DNS Manager snap-in from the left pane, expand the server name and then expand "Forward Lookup Zones". From the expanded list, click to select the zone. Once selected, right-click the name of the zone. From the displayed context menu, click the "Properties" option. On the opened domain's properties box, click the "General" tab. If the "Type:" is not "Active Directory-Integrated", configure the zone for Active Directory integration. Select "Secure only" from the "Dynamic updates:" drop-down list.

b
The Windows DNS Server must be configured to record who added/modified/deleted DNS zone information.
CM-6 - Medium - CCI-000366 - V-259335 - SV-259335r987677_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
WDNS-22-000002
Vuln IDs
  • V-259335
Rule IDs
  • SV-259335r987677_rule
Without a means for identifying the individual that produced the information, the information cannot be relied on. Identifying the validity of information may be delayed or deterred. This requirement ensures organizational personnel have a means to identify who produced or changed specific information in transfers, zone information, or DNS configuration changes.
Checks: C-63074r939708_chk

Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. Press the Windows key + R and execute "dnsmgmt.msc". Right-click the DNS server and select "Properties". Click the "Event Logging" tab. By default, all events are logged. Verify "Errors and warnings" or "All events" is selected. If any option other than "Errors and warnings" or "All events" is selected, this is a finding.

Fix: F-62982r939709_fix

Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. If not automatically started, initialize the "Server Manager" window by clicking its icon from the bottom left corner of the screen. On the opened "Server Manager" window, from the left pane, click to select "DNS". From the right pane, under the "SERVERS" section, right-click the DNS server. From the displayed context menu, click the "DNS Manager" option. Click the "Event Logging" tab. Select the "Errors and warnings" or "All events" option. Click "Apply". Click "OK".

b
The Windows DNS Server must notify the DNS administrator in the event of an error validating another DNS server's identity.
CM-6 - Medium - CCI-000366 - V-259336 - SV-259336r987679_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
WDNS-22-000003
Vuln IDs
  • V-259336
Rule IDs
  • SV-259336r987679_rule
Failing to act on validation errors may result in the use of invalid, corrupted, or compromised information. The validation of bindings can be achieved, for example, using cryptographic checksums. Validations must be performed automatically. At a minimum, the application must log the validation error. However, more stringent actions can be taken based on the security posture and value of the information. The organization should consider the system's environment and impact of the errors when defining the actions. Additional examples of actions include automated notification to administrators, halting system process, or halting the specific operation. The DNS server should audit all failed attempts at server authentication through DNSSEC and TSIG/SIG(0). The actual auditing is performed by the operating system/network device manager, but the configuration to trigger the auditing is controlled by the DNS server.
Checks: C-63075r945233_chk

Windows DNS Servers hosting Active Directory (AD)-integrated zones transfer zone information via AD replication. Windows DNS Servers hosting non-AD-integrated zones as a secondary name server and/or not hosting AD-integrated zones use zone transfer to sync zone data. If the Windows DNS Server hosts only AD-integrated zones and all other name servers for the zones hosted are Active Directory Domain Controllers, this requirement is not applicable. If the Windows DNS Server is not an Active Directory Domain Controller or is a secondary name server for a zone with a non-AD-integrated name server as the master, this requirement is applicable. Administrator notification is only possible if a third-party event monitoring system is configured or, at a minimum, there are documented procedures requiring the administrator to review the DNS logs on a routine, daily basis. If a third-party event monitoring system is not configured or a document procedure is not in place requiring the administrator to review the DNS logs on a routine, daily basis, this is a finding.

Fix: F-62983r939712_fix

To detect and notify the administrator, configure a third-party event monitoring system or, at a minimum, document and implement a procedure to require the administrator to check the DNS logs on a routine, daily basis.

b
The Windows DNS Server log must be enabled.
AU-12 - Medium - CCI-000169 - V-259337 - SV-259337r960879_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000169
Version
WDNS-22-000004
Vuln IDs
  • V-259337
Rule IDs
  • SV-259337r960879_rule
Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. The actual auditing is performed by the operating system/network device manager, but the configuration to trigger the auditing is controlled by the DNS server.
Checks: C-63076r939714_chk

Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. Press the Windows key + R and execute "dnsmgmt.msc". Right-click the DNS server and select "Properties". Click the "Event Logging" tab. By default, all events are logged. Verify "Errors and warnings" or "All events" is selected. If any option other than "Errors and warnings" or "All events" is selected, this is a finding.

Fix: F-62984r939715_fix

Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. Press the Windows key + R and execute "dnsmgmt.msc". Right-click the DNS server and select "Properties". Click the "Event Logging" tab. By default, all events are logged. Select the "Errors and warnings" or "All events" option. Click "Apply". Click "OK".

b
The "Manage auditing and security log" user right must be assigned only to authorized personnel.
CM-6 - Medium - CCI-000366 - V-259338 - SV-259338r961863_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
WDNS-22-000006
Vuln IDs
  • V-259338
Rule IDs
  • SV-259338r961863_rule
Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. The actual auditing is performed by the operating system/network device manager, but the configuration to trigger the auditing is controlled by the DNS server. Because the configuration of the audit logs on the DNS server dictates which events are logged to correlate events, the permissions for configuring the audit logs must be restricted to only those with the role of information system security manager (ISSM) or those appointed by the ISSM.
Checks: C-63077r939717_chk

Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups other than the following are granted the "Manage auditing and security log" user right, this is a finding: Administrators Auditors (if the site has an Auditors group that further limits this privilege) If an application requires this user right, this is not a finding. Vendor documentation must support the requirement for having the user right. The requirement must be documented with the ISSO. The application account must meet requirements for application account passwords. Verify the permissions on the DNS logs. Standard user accounts or groups must not have greater than READ access. The default locations are: DNS Server %SystemRoot%\System32\Winevt\Logs\DNS Server.evtx Using the file explorer tool, navigate to the DNS server log file. Right-click on the log file and select the "Security" tab. The default permissions listed below satisfy this requirement: Eventlog - Full Control SYSTEM - Full Control Administrators - Full Control If the permissions for these files are not as restrictive as the access control lists above, this is a finding.

Fix: F-62985r939718_fix

Configure the permissions on the DNS logs. Standard user accounts or groups must not have greater than READ access. The default permissions listed below satisfy this requirement: Eventlog - Full Control SYSTEM - Full Control Administrators - Full Control The default locations are: DNS Server %SystemRoot%\System32\Winevt\Logs\DNS Server.evtx

b
The validity period for the Resource Record Signatures (RRSIGs) covering the Delegation Signer (DS) Resource Record (RR) for a zone's delegated children must be no less than two days and no more than one week.
SC-20 - Medium - CCI-001179 - V-259339 - SV-259339r961104_rule
RMF Control
SC-20
Severity
Medium
CCI
CCI-001179
Version
WDNS-22-000007
Vuln IDs
  • V-259339
Rule IDs
  • SV-259339r961104_rule
The best way for a zone administrator to minimize the impact of a key compromise is by limiting the validity period of RRSIGs in the zone and the parent zone. This strategy limits the time during which an attacker can take advantage of a compromised key to forge responses. An attacker that has compromised a zone signing key (ZSK) can use that key only during the key signing key's (KSK's) signature validity interval. An attacker that has compromised a KSK can use that key for only as long as the signature interval of the RRSIG covering the DS RR in the delegating parent. These validity periods should be short, which will require frequent re-signing. To prevent the impact of a compromised KSK, a delegating parent should set the signature validity period for RRSIGs covering DS RRs in the range of a few days to one week. This re-signing does not require frequent rollover of the parent's ZSK, but scheduled ZSK rollover should still be performed at regular intervals.
Checks: C-63078r945237_chk

Note: This check is not applicable for Windows DNS Servers that host only Active Directory-integrated zones or for Windows DNS Servers on a classified network. Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. Press the Windows key + R and execute "dnsmgmt.msc". On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". From the expanded list, click to select the zone. View the validity period for the DS RR. If the validity period for the DS RR for the child domain is less than two days (48 hours) or more than one week (168 hours), this is a finding.

Fix: F-62986r939721_fix

Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. Press the Windows key + R and execute "dnsmgmt.msc". On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". From the expanded list, click to select the zone. Right-click on the zone and choose DNSSEC >> Properties. On the ZSK tab, for DS signature validity period (hours), choose more than 48 and less than 168.

b
The Windows DNS name servers for a zone must be geographically dispersed.
CM-6 - Medium - CCI-000366 - V-259340 - SV-259340r961863_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
WDNS-22-000008
Vuln IDs
  • V-259340
Rule IDs
  • SV-259340r961863_rule
In addition to network-based separation, authoritative name servers should be dispersed geographically. In other words, in addition to being located on different network segments, the authoritative name servers should not all be located in the same building. One approach is to locate some authoritative name servers in their own premises and others in their internet service provider's data centers or in partnering organizations. A network administrator may choose to use a "hidden" primary authoritative server and have only secondary servers visible on the network. A hidden primary authoritative server is an authoritative DNS server whose IP address does not appear in the name server set for a zone. If the primary authoritative name server is hidden, a secondary authoritative name server may reside in the same building as the hidden primary.
Checks: C-63079r939723_chk

Windows DNS Servers that are Active Directory (AD) integrated must be located where required to meet the AD services. If all the Windows DNS Servers are AD integrated, this check is not applicable. If any or all the Windows DNS Servers are standalone and non-AD integrated, verify their geographic location with the system administrator. If any or all of the authoritative name servers are located in the same building as the primary authoritative name server and the primary authoritative name server is not "hidden", this is a finding.

Fix: F-62987r939724_fix

For non-AD integrated Windows DNS Servers, distribute secondary authoritative servers to be in different buildings from the primary authoritative server.

b
The Windows DNS Server must prohibit recursion on authoritative name servers for which forwarders have not been configured for external queries.
CM-6 - Medium - CCI-000366 - V-259341 - SV-259341r961470_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
WDNS-22-000009
Vuln IDs
  • V-259341
Rule IDs
  • SV-259341r961470_rule
A potential vulnerability of DNS is that an attacker can poison a name server's cache by sending queries that will cause the server to obtain host-to-IP address mappings from bogus name servers that respond with incorrect information. Once a name server has been poisoned, legitimate clients may be directed to nonexistent hosts (which constitutes a denial of service) or hosts that masquerade as legitimate ones to obtain sensitive data or passwords. To guard against poisoning, name servers authoritative for .mil domains should be separated functionally from name servers that resolve queries on behalf of internal clients. Organizations may achieve this separation by dedicating machines to each function or, if possible, by running two instances of the name server software on the same machine: one for the authoritative function and the other for the resolving function. In this design, each name server process may be bound to a different IP address or network interface to implement the required segregation.
Checks: C-63080r939726_chk

Note: In Windows DNS Server, if forwarders are configured, the recursion setting must also be enabled because disabling recursion will disable forwarders. If forwarders are not used, recursion must be disabled. In both cases, the use of root hints must be disabled. The root hints configuration requirement is addressed in WDNS-22-000012. Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. Press the Windows key + R and execute "dnsmgmt.msc". On the opened DNS Manager snap-in from the left pane, right-click on the server name for the DNS server and select "Properties". Click the "Forwarders" tab. If forwarders are enabled and configured, this check is not applicable. If forwarders are not enabled, click the "Advanced" tab and verify the "Disable recursion (also disables forwarders)" check box is selected. If forwarders are not enabled and configure, and the "Disable recursion (also disables forwarders)" check box in the "Advanced" tab is not selected, this is a finding.

Fix: F-62988r939727_fix

Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. Press the Windows key + R and execute "dnsmgmt.msc". On the opened DNS Manager snap-in from the left pane, right-click on the server name for the DNS server and select "Properties". Click the "Forwarders" tab. If forwarders are not being used, click the "Advanced" tab. Select the "Disable recursion (also disables forwarders)" check box.

b
Forwarders on an authoritative Windows DNS Server, if enabled for external resolution, must forward only to an internal, non-Active Directory (AD)-integrated DNS server or to the DOD Enterprise Recursive Services (ERS).
CM-6 - Medium - CCI-000366 - V-259342 - SV-259342r961470_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
WDNS-22-000010
Vuln IDs
  • V-259342
Rule IDs
  • SV-259342r961470_rule
A potential vulnerability of DNS is that an attacker can poison a name server's cache by sending queries that will cause the server to obtain host-to-IP address mappings from bogus name servers that respond with incorrect information. Once a name server has been poisoned, legitimate clients may be directed to nonexistent hosts (which constitutes a denial of service) or hosts that masquerade as legitimate ones to obtain sensitive data or passwords. To guard against poisoning, name servers authoritative for .mil domains should be separated functionally from name servers that resolve queries on behalf of internal clients. Organizations may achieve this separation by dedicating machines to each function or, if possible, by running two instances of the name server software on the same machine: one for the authoritative function and the other for the resolving function. In this design, each name server process may be bound to a different IP address or network interface to implement the required segregation.
Checks: C-63081r939729_chk

Note: If the Windows DNS Server is in the classified network, this check is not applicable. If forwarders are not being used, this is not applicable. Note: In Windows DNS Server, if forwarders are configured, the recursion setting must also be enabled because disabling recursion will disable forwarders. If forwarders are not used, recursion must be disabled. In both cases, the use of root hints must be disabled. Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. Press the Windows key + R and execute "dnsmgmt.msc". On the opened DNS Manager snap-in from the left pane, right-click on the server name for the DNS server and select "Properties". Click the "Forwarders" tab. Review the IP address(es) for the forwarder(s) use. If the DNS server does not forward to another DOD-managed DNS server or to the DOD ERS, this is a finding. If "Use root hints if no forwarders are available" is selected, this is a finding.

Fix: F-62989r939730_fix

Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. Press the Windows key + R and execute "dnsmgmt.msc". On the opened DNS Manager snap-in from the left pane, right-click on the server name for the DNS server and select "Properties". Click the "Forwarders" tab. Replace the forwarders being used with another DOD-managed DNS server or the DOD ERS. Deselect "Use root hints if no forwarders are available".

c
The Windows DNS Server with a caching name server role must restrict recursive query responses to only the IP addresses and IP address ranges of known supported clients.
CM-6 - High - CCI-000366 - V-259343 - SV-259343r961470_rule
RMF Control
CM-6
Severity
High
CCI
CCI-000366
Version
WDNS-22-000011
Vuln IDs
  • V-259343
Rule IDs
  • SV-259343r961470_rule
A potential vulnerability of DNS is that an attacker can poison a name server's cache by sending queries that will cause the server to obtain host-to-IP address mappings from bogus name servers that respond with incorrect information. Once a name server has been poisoned, legitimate clients may be directed to nonexistent hosts (which constitutes a denial of service) or hosts that masquerade as legitimate ones to obtain sensitive data or passwords. To guard against poisoning, name servers specifically fulfilling the role of providing recursive query responses for external zones must be segregated from name servers authoritative for internal zones.
Checks: C-63082r945242_chk

Note: Sinkhole name servers host records that are manually added and for which the name server is not authoritative. It is configured and intended to block resolvers from reaching a destination by directing the query to a sinkhole. If the sinkhole name server is not authoritative for any zones and serves only as a caching/forwarding name server, this check is not applicable. The non-Active Directory (AD)-integrated, standalone, caching Windows DNS Server must be configured to be DNSSEC aware. When performing caching and lookups, the caching name server must be able to obtain a zone signing key (ZSK) DNSKEY record and corresponding RRSIG record for the queried record. It will use this information to compute the hash for the hostname being resolved. The caching name server decrypts the RRSIG record for the hostname being resolved with the zone's ZSK to get the RRSIG record hash. The caching name server compares the hashes and ensures they match. If the non-AD-integrated, standalone, caching Windows DNS Server is not configured to be DNSSEC aware, this is a finding.

Fix: F-62990r945243_fix

Implement DNSSEC on all non-AD-integrated, standalone, caching Windows DNS Servers to ensure the caching server validates signed zones when resolving and caching.

b
The Windows DNS Server must implement cryptographic mechanisms to detect changes to information during transmission.
SC-8 - Medium - CCI-002421 - V-259344 - SV-259344r961635_rule
RMF Control
SC-8
Severity
Medium
CCI
CCI-002421
Version
WDNS-22-000013
Vuln IDs
  • V-259344
Rule IDs
  • SV-259344r961635_rule
Encrypting information for transmission protects it from unauthorized disclosure and modification. Cryptographic mechanisms implemented to protect information integrity include, for example, cryptographic hash functions that have common application in digital signatures, checksums, and message authentication codes. Confidentiality is not an objective of DNS, but integrity is. DNSSEC and TSIG/SIG(0) both digitally sign DNS information to authenticate its source and ensure its integrity.
Checks: C-63083r945245_chk

Note: If the Windows DNS Server hosts only Active Directory (AD)-integrated zones and does not host any file-based zones, this is not applicable. Note: This requirement does not apply for classified environments. Validate this check from the Windows DNS Server being configured/reviewed. Log on to the Windows DNS Server using the account designated as Administrator or DNS Administrator. Determine a valid host in the zone. Open the Windows PowerShell prompt on the Windows DNS Server being configured/reviewed. Issue the following command: (Replace www.zonename.mil with a FQDN of a valid host in the zone being validated. Replace ###.###.###.### with the FQDN or IP address of the Windows DNS Server hosting the signed zone.) resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok <enter> Note: It is important to use the -server switch followed by the DNS server name/IP address. The result should show the "A" record results. In addition, the results should show QueryType: RRSIG with an expiration, date signed, signer, and signature, similar to the following: Name: www.zonename.mil QueryType: RRSIG TTL: 189 Section: Answer TypeCovered: CNAME Algorithm: 8 LabelCount: 3 OriginalTtl: 300 Expiration: 11/21/2022 10:22:28 AM Signed: 10/22/2022 10:22:28 AM Signer: zonename.mil Signature: {87, 232, 34, 134...} Name: origin-www.zonename.mil QueryType: A TTL: 201 Section: Answer IP4Address: ###.###.###.### If the results do not show the RRSIG and signature information, this is a finding.

Fix: F-62991r939736_fix

Sign or re-sign the hosted zone(s) on the DNS server being validated. Log on to the DNS server using the account designated as Administrator or DNS Administrator. Press the Windows key + R and execute "dnsmgmt.msc". On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". From the expanded list, right-click to select the zone (repeat for each hosted zone), point to DNSSEC, and then click "Sign the Zone" using either approved saved parameters or approved custom parameters.

b
The validity period for the Resource Record Signatures (RRSIGs) covering a zone's DNSKEY RRSet must be no less than two days and no more than one week.
CM-6 - Medium - CCI-000366 - V-259345 - SV-259345r961863_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
WDNS-22-000014
Vuln IDs
  • V-259345
Rule IDs
  • SV-259345r961863_rule
The best way for a zone administrator to minimize the impact of a key compromise is by limiting the validity period of RRSIGs in the zone and the parent zone. This strategy limits the time during which an attacker can take advantage of a compromised key to forge responses. An attacker that has compromised a zone signing key (ZSK) can use that key only during the key signing key's (KSK's) signature validity interval. An attacker that has compromised a KSK can use that key for only as long as the signature interval of the RRSIG covering the Delegation Signer (DS) Resource Record (RR) in the delegating parent. These validity periods should be short, which will require frequent re-signing. To minimize the impact of a compromised ZSK, a zone administrator should set a signature validity period of one week for RRSIGs covering the DNSKEY RRSet in the zone (the RRSet that contains the ZSK and KSK for the zone). The DNSKEY RRSet can be re-signed without performing a ZSK rollover, but scheduled ZSK rollovers should still be performed at regular intervals.
Checks: C-63084r945247_chk

Note: This check is not applicable for Windows DNS Servers that host only Active Directory-integrated zones or Windows DNS Servers on a classified network. Log on to the DNS server using the account designated as Administrator or DNS Administrator. Press the Windows key + R and execute "dnsmgmt.msc". On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". From the expanded list, click to select the zone. Right-click the zone and select DNSSEC >> Properties. Select the "KSK" tab. Verify the "DNSKEY signature validity period (hours):" is set to at least 48 hours and no more than 168 hours. Select the "ZSK" tab. Verify the "DNSKEY signature validity period (hours):" is set to at least 48 hours and no more than 168 hours. If either the "KSK" or "ZSK" tab "DNSKEY signature validity period (hours):" values are set to less than 48 hours or more than 168 hours, this is a finding.

Fix: F-62992r939739_fix

Log on to the DNS server using the account designated as Administrator or DNS Administrator. Press the Windows key + R and execute "dnsmgmt.msc". On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". From the expanded list, click to select the zone. Right-click the zone and select DNSSEC >> Properties. Select the "KSK" tab. For the "DNSKEY RRSET signature validity period (hours):" setting, configure to a value between 48 and 168 hours. Select the "ZSK" tab. For the "DNSKEY signature validity period (hours):" setting, configure to a value between 48 and 168 hours.

b
NSEC3 must be used for all internal DNS zones.
CM-6 - Medium - CCI-000366 - V-259346 - SV-259346r961863_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
WDNS-22-000015
Vuln IDs
  • V-259346
Rule IDs
  • SV-259346r961863_rule
NSEC records list the resource record types for the name, as well as the name of the next resource record. This information reveals that the resource record type for the name queried, or the resource record name requested, does not exist. NSEC uses the actual resource record names, whereas NSEC3 uses a one-way hash of the name. In this way, walking zone data from one record to the next is prevented at the expense of some CPU cycles on the authoritative server and the resolver. To prevent giving access to an entire zone file, NSEC3 should be configured. To use NSEC3, RSA/SHA-1 should be used as the algorithm, as some resolvers that understand RSA/SHA-1 might not understand NSEC3. Using RSA/SHA-256 is a safe alternative.
Checks: C-63085r945249_chk

Note: This check is not applicable for Windows DNS Servers that host only Active Directory-integrated zones or for Windows DNS Servers on a classified network. Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. Open an elevated Windows PowerShell prompt on a DNS server using the Domain Admin or Enterprise Admin account. Type the following command, where example.com is replaced with the zone hosted on the DNS Server: PS C:\> Get-DnsServerResourceRecord -ZoneName example.com <enter> All of the zone's resource records will be returned. This should include the NSEC3 RRs, as depicted below. If NSEC3 RRs are not returned for the zone, this is a finding. 2vf77rkf63hrgismnuvnb8... NSEC3 0 01:00:00 [RsaSha1][False][50][F2738D980008F73C] 7ceje475rse25gppr3vphs... NSEC3 0 01:00:00 [RsaSha1][False][50][F2738D980008F73C]

Fix: F-62993r939742_fix

Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. If not automatically started, initialize the Server Manager window by clicking its icon from the bottom left corner of the screen. Once the Server Manager window is initialized, from the left pane, click to select the DNS category. From the right pane, under the "SERVERS" section, right-click the DNS server. From the context menu that appears, click "DNS Manager". On the opened DNS Manager snap-in from the left pane, expand the server name and then expand "Forward Lookup Zones". From the expanded list, click to select the zone. Right-click the zone and select DNSSEC >> Sign the Zone. Re-sign the zone using an NSEC3 algorithm (RSA/SHA-1 (NSEC3), RSA/SHA-256, RSA/SHA-512).

c
The Windows DNS Server's zone files must have NS records that point to active name servers authoritative for the domain specified in that record.
CM-6 - High - CCI-000366 - V-259347 - SV-259347r961863_rule
RMF Control
CM-6
Severity
High
CCI
CCI-000366
Version
WDNS-22-000016
Vuln IDs
  • V-259347
Rule IDs
  • SV-259347r961863_rule
Poorly constructed NS records pose a security risk because they create conditions under which an adversary might be able to provide the missing authoritative name services that are improperly specified in the zone file. The adversary could issue bogus responses to queries that clients would accept because they learned of the adversary's name server from a valid authoritative name server, one that need not be compromised for this attack to be successful. The list of secondary servers must remain current within 72 hours of any changes to the zone architecture that would affect the list of secondaries. If a secondary server has been retired or is not operational but remains on the list, an adversary might have a greater opportunity to impersonate that secondary without detection, rather than if the secondary was online. For example, the adversary may be able to spoof the retired secondary's IP address without an IP address conflict, which would not be likely to occur if the true secondary were active.
Checks: C-63086r939744_chk

Note: This check is not applicable if Windows DNS Server is only serving as a caching server and does not host any zones authoritatively. Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. Press the Windows key + R and execute "dnsmgmt.msc". On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". From the expanded list, click to select the zone. Review the NS records for the zone. Verify each of the name servers, represented by the NS records, is active. At a command prompt on any system, type: nslookup <enter>; At the nslookup prompt, type: server ###.###.###.### <enter>; (where the ###.###.###.### is replaced by the IP of each NS record) Enter a FQDN for a known host record in the zone. If the NS server does not respond at all or responds with a nonauthoritative answer, this is a finding.

Fix: F-62994r939745_fix

If DNS servers are Active Directory (AD) integrated, troubleshoot and remedy the replication problem where the nonresponsive name server is not being updated. If DNS servers are not AD integrated, log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. Press the Windows key + R and execute "dnsmgmt.msc". On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server, and then expand "Forward Lookup Zones". From the expanded list, click to select the zone. Review the NS records for the zone. Select the NS record for the nonresponsive name server and remove the record.

b
All authoritative name servers for a zone must be located on different network segments.
CM-6 - Medium - CCI-000366 - V-259348 - SV-259348r961863_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
WDNS-22-000017
Vuln IDs
  • V-259348
Rule IDs
  • SV-259348r961863_rule
Most enterprises have an authoritative primary server and a host of authoritative secondary name servers. It is essential that these authoritative name servers for an enterprise be located on different network segments. This dispersion ensures the availability of an authoritative name server not only in situations in which a particular router or switch fails but also during events involving an attack on an entire network segment. A network administrator may choose to use a "hidden" primary authoritative server and have only secondary servers visible on the network. A hidden primary authoritative server is an authoritative DNS server whose IP address does not appear in the name server set for a zone. If the primary authoritative name server is hidden, a secondary authoritative name server may reside on the same network as the hidden primary.
Checks: C-63087r939747_chk

Windows DNS Servers that are Active Directory (AD) integrated must be located where required to meet the Active Directory services. If all of the Windows DNS Servers are AD integrated, this check is not applicable. If any or all the Windows DNS Servers are standalone and non-AD integrated, verify their geographic location with the system administrator. If all of the authoritative name servers are located on the same network segment and the primary authoritative name server is not "hidden", this is a finding.

Fix: F-62995r939748_fix

For non-AD-integrated Windows DNS Servers, distribute secondary authoritative servers on separate network segments from the primary authoritative server.

b
All authoritative name servers for a zone must have the same version of zone information.
CM-6 - Medium - CCI-000366 - V-259349 - SV-259349r961863_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
WDNS-22-000018
Vuln IDs
  • V-259349
Rule IDs
  • SV-259349r961863_rule
The only protection approach for content control of a DNS zone file is the use of a zone file integrity checker. The effectiveness of integrity checking using a zone file integrity checker depends on the database of constraints built into the checker. The deployment process consists of developing these constraints with the right logic, and the only determinant of the truth value of these logical predicates is the parameter values for certain key fields in the format of various RRTypes. The serial number in the SOA RDATA is used to indicate to secondary name servers that a change to the zone has occurred and a zone transfer should be performed. It should always be increased whenever a change is made to the zone data. DNS NOTIFY must be enabled on the primary authoritative name server.
Checks: C-63088r939750_chk

Note: Due to the manner in which Active Directory replication increments SOA records for zones when transferring zone information via Active Directory (AD) replication, this check is not applicable for AD-integrated zones. Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. Press the Windows key + R and execute "dnsmgmt.msc". On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". From the expanded list, click to select the zone. Review the SOA information for the zone and obtain the Serial Number. Access each secondary name server for the same zone and review the SOA information. Verify the Serial Number is the same on all authoritative name servers. If the Serial Number is not the same on one or more authoritative name servers, this is a finding.

Fix: F-62996r939751_fix

If all DNS servers are AD integrated, determine why the replication is not taking place to the out-of-sync secondary name servers and mitigate the issue. Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. Press the Windows key + R and execute "dnsmgmt.msc". On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". From the expanded list, click to select the zone. Initiate a zone transfer to all secondary name servers for the zone.

c
The Windows DNS Server must be configured to enable DNSSEC Resource Records (RRs).
CM-6 - High - CCI-000366 - V-259350 - SV-259350r961863_rule
RMF Control
CM-6
Severity
High
CCI
CCI-000366
Version
WDNS-22-000019
Vuln IDs
  • V-259350
Rule IDs
  • SV-259350r961863_rule
The specification for a digital signature mechanism in the context of the DNS infrastructure is in the Internet Engineering Task Force's (IETF's) DNSSEC standard. In DNSSEC, trust in the public key (for signature verification) of the source is established not by going to a third party or a chain of third parties (as in public key infrastructure [PKI] chaining), but by starting from a trusted zone (such as the root zone) and establishing the chain of trust down to the current source of response through successive verifications of signature of the public key of a child by its parent. The public key of the trusted zone is called the trust anchor. After authenticating the source, the next process DNSSEC calls for is to authenticate the response. DNSSEC mechanisms involve two main processes: sign and serve and verify signature. Before a DNSSEC-signed zone can be deployed, a name server must be configured to enable DNSSEC processing.
Checks: C-63089r945254_chk

Note: This check is not applicable for Windows DNS Servers that host only Active Directory-integrated zones or for Windows DNS Servers on a classified network. Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. Press the Windows key + R and execute "dnsmgmt.msc". On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". From the expanded list, click to select each zone. Review the RRs for each zone and verify all of the DNSSEC record types are included for the zone. Note: The DS (Delegation Signer) record should also exist but the requirement for it is validated under WDNS-22-000054. RRSIG (Resource Read Signature) DNSKEY (Public Key) NSEC3 (Next Secure 3) If the zone does not show all the DNSSEC record types, this is a finding.

Fix: F-62997r939754_fix

Sign or re-sign the hosted zone(s) on the DNS server being validated. Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. Press the Windows key + R and execute "dnsmgmt.msc". On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". From the expanded list, right-click to select the zone (repeat for each hosted zone), point to DNSSEC, and then click "Sign the Zone", using either approved saved parameters or approved custom parameters.

b
The digital signature algorithm used for DNSSEC-enabled zones must be FIPS-compatible.
CM-6 - Medium - CCI-000366 - V-259351 - SV-259351r961863_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
WDNS-22-000020
Vuln IDs
  • V-259351
Rule IDs
  • SV-259351r961863_rule
The choice of digital signature algorithm will be based on recommended algorithms in well-known standards. NIST's Digital Signature Standard (DSS) (FIPS186) provides three algorithm choices: - Digital Signature Algorithm (DSA). - RSA. - Elliptic Curve DSA (ECDSA). Of these three algorithms, RSA and DSA are more widely available and hence are considered candidates of choice for DNSSEC. Both RSA and DSA have comparable signature generation speeds, but DSA is much slower for signature verification. RSA is the recommended algorithm for this guideline. RSA with SHA-1 is currently the only cryptographic algorithm mandated to be implemented with DNSSEC, although other algorithm suites (i.e., RSA/SHA-256, ECDSA) are also specified. It can be expected that name servers and clients will be able to use the RSA algorithm at a minimum. It is suggested that at least one zone signing key (ZSK) for a zone use the RSA algorithm. NIST's Secure Hash Standard (SHS) (FIPS 180-3) specifies SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512 as approved hash algorithms to be used as part of the algorithm suite for generating digital signatures using the digital signature algorithms in NIST's DSS (FIPS186). It is expected that there will be support for Elliptic Curve Cryptography in the DNSSEC. The migration path for USG DNSSEC operation will be to ECDSA (or similar) from RSA/SHA-1 and RSA/SHA-256 before 30 September 2015.
Checks: C-63090r945256_chk

Note: This check is not applicable for Windows DNS Servers that host only Active Directory-integrated zones or for Windows DNS Servers on a classified network. Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. Press the Windows key + R and execute "dnsmgmt.msc". On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". From the expanded list, click to select the zone. Review the zone's RRs in the right windowpane. Review the DNSKEY encryption in the Data column. Example: [DNSKEY][RsaSha1][31021] Confirm the encryption algorithm specified in the DNSKEY's data is at RsaSha1, at a minimum. If the specified encryption algorithm is not RsaSha1 or stronger, this is a finding.

Fix: F-62998r939757_fix

Sign or re-sign the hosted zone(s) on the DNS server being validated. Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. Press the Windows key + R and execute "dnsmgmt.msc". On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". From the expanded list, right-click to select the zone (repeat for each hosted zone), point to DNSSEC, and then click "Sign the Zone" using either approved saved parameters or approved custom parameters.

b
For zones split between the external and internal sides of a network, the resource records (RRs) for the external hosts must be separate from the RRs for the internal hosts.
CM-6 - Medium - CCI-000366 - V-259352 - SV-259352r961863_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
WDNS-22-000021
Vuln IDs
  • V-259352
Rule IDs
  • SV-259352r961863_rule
Authoritative name servers for an enterprise may be configured to receive requests from both external and internal clients. External clients need to receive RRs that pertain only to public services (public web server, mail server, etc.). Internal clients need to receive RRs pertaining to public services as well as internal hosts. The zone information that serves the RRs on both the inside and the outside of a firewall should be split into different physical files for these two types of clients (one file for external clients and one file for internal clients).
Checks: C-63091r939759_chk

Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. Press the Windows key + R and execute "dnsmgmt.msc". On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". From the expanded list, click to select the zone. For each zone, review the records. If any RRs on an internal DNS server resolve to IP addresses located outside the internal DNS server's network, this is a finding. If any RRs on an external DNS server resolve to IP addresses located inside the network, this is a finding.

Fix: F-62999r939760_fix

Remove any RRs from the internal zones for which the resolution is for an external IP address. Remove any RRs from the external zones for which the resolution is for an internal IP address.

b
In a split DNS configuration between the external and internal networks, the external name server must be configured to not be reachable from inside resolvers.
CM-6 - Medium - CCI-000366 - V-259353 - SV-259353r961863_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
WDNS-22-000022
Vuln IDs
  • V-259353
Rule IDs
  • SV-259353r961863_rule
Instead of having the same set of authoritative name servers serve different types of clients, an enterprise could have two different sets of authoritative name servers. One set, called external name servers, can be located within a DMZ; these would be the only name servers that are accessible to external clients and would serve resource records (RRs) pertaining to hosts with public services (web servers that serve external web pages or provide business-to-consumer services, mail servers, etc.). The other set, called internal name servers, is to be located within the firewall and should be configured so the servers are not reachable from outside and hence provide naming services exclusively to internal clients.
Checks: C-63092r939762_chk

Consult with the system administrator to review the external Windows DNS Server's DOD approved firewall policy. The inbound TCP and UDP ports 53 rule should be configured to only restrict IP addresses from the internal network. If the DOD-approved firewall policy is not configured with the restriction, consult with the network firewall administrator to confirm the restriction on the network firewall. If neither the DNS server's DOD approved firewall policy nor the network firewall is configured to block internal hosts from querying the external DNS server, this is a finding.

Fix: F-63000r939763_fix

Configure the external DNS server's firewall policy, or the network firewall, to block queries from internal hosts.

b
Primary authoritative name servers must be configured to only receive zone transfer requests from specified secondary name servers.
CM-6 - Medium - CCI-000366 - V-259354 - SV-259354r961863_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
WDNS-22-000024
Vuln IDs
  • V-259354
Rule IDs
  • SV-259354r961863_rule
Authoritative name servers (especially primary name servers) should be configured with an allow-transfer access control substatement designating the list of hosts from which zone transfer requests can be accepted. These restrictions address the denial-of-service threat and potential exploits from unrestricted dissemination of information about internal resources. Based on the need to know, the only name servers that need to refresh their zone files periodically are the secondary name servers. Zone transfer from primary name servers should be restricted to secondary name servers. The zone transfer should be completely disabled in the secondary name servers. The address match list argument for the allow-transfer substatement should consist of IP addresses of secondary name servers and stealth secondary name servers.
Checks: C-63093r939765_chk

Determine if the authoritative primary name server is Active Directory (AD) integrated. Determine if all secondary name servers for every zone for which the primary name server is authoritative are AD-integrated in the same Active Directory. If the authoritative primary name server is AD integrated and all secondary name servers are part of the same AD, this check is not a finding because AD handles the replication of DNS data. If one or more of the secondary name servers are non-AD integrated, verify the primary name server is configured to only send zone transfers to a specific list of secondary name servers. Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. Press the Windows key + R and execute "dnsmgmt.msc". On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server, and then expand "Forward Lookup Zones". From the expanded list, click to select the zone. Right-click the zone and select "Properties". Select the "Zone Transfers" tab. If the "Allow zone transfers:" check box is not selected, this is not a finding. If the "Allow zone transfers:" check box is selected, verify either "Only to servers listed on the Name Server tab" or "Only to the following servers" is selected. If the "To any server" option is selected, this is a finding.

Fix: F-63001r939766_fix

Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. Press the Windows key + R and execute "dnsmgmt.msc". On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". From the expanded list, click to select the zone. Right-click the zone and select "Properties". Select the "Zone Transfers" tab. Select the "Only to servers listed on the Name Server tab" or "Only to the following servers" check box or deselect the "Allow zone transfers" check box. Click "OK".

b
The Windows DNS Servers zone database files must not be accessible for edit/write by users and/or processes other than the Windows DNS Server service account and/or the DNS database administrator.
CM-6 - Medium - CCI-000366 - V-259355 - SV-259355r961863_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
WDNS-22-000025
Vuln IDs
  • V-259355
Rule IDs
  • SV-259355r961863_rule
Discretionary Access Control (DAC) is based on the premise that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. In a DNS implementation, DAC should be granted to a minimal number of individuals and objects because DNS does not interact directly with users and users do not store and share data with the DNS application directly. The primary objective of DNS authentication and access control is the integrity of DNS records; only authorized personnel must be able to create and modify resource records, and name servers should only accept updates from authoritative primary servers for the relevant zones. Integrity is best ensured through authentication and access control features within the name server software and the file system the name server resides on. To protect the zone files and configuration data, which should only be accessed by the name service or an administrator, access controls must be implemented on files, and rights should not be easily propagated to other users. Lack of a stringent access control policy places the DNS infrastructure at risk to malicious persons and attackers and creates the potential for a denial of service to network resources. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions. DAC models have the potential for the access controls to propagate without limit, resulting in unauthorized access to objects. When applications provide a DAC mechanism, the DNS implementation must be able to limit the propagation of those access rights.
Checks: C-63094r939768_chk

For an Active Directory (AD)-integrated DNS implementation, this is not applicable by virtue of being compliant with the Windows 2022 AD STIG because DNS data within an AD-integrated zone is kept within the Active Directory. For a file-based Windows DNS implementation, log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. Press the Windows key + R and execute "dnsmgmt.msc". On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". From the expanded list, click to select each zone. Right-click each zone and select "Properties". Select the "Security" tab. Review the permissions applied to the zone. No group or user should have greater than READ privileges other than the DNS administrators and the system service account under which the DNS Server Service is running. If any other account/group has greater than READ privileges, this is a finding.

Fix: F-63002r939769_fix

For a file-back Windows DNS implementation, log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. Press the Windows key + R and execute "dnsmgmt.msc". On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". From the expanded list, click to select each zone. Right-click each zone and select "Properties". Select the "Security" tab. Downgrade to READ privileges any group or user that has greater than READ privileges other than the DNS administrators and the system service account under which the DNS Server Service is running.

b
The Windows DNS Server must implement internal/external role separation.
CM-6 - Medium - CCI-000366 - V-259356 - SV-259356r961863_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
WDNS-22-000026
Vuln IDs
  • V-259356
Rule IDs
  • SV-259356r961863_rule
DNS servers with an internal role only process name/address resolution requests from within the organization (i.e., internal clients). DNS servers with an external role only process name/address resolution information requests from clients external to the organization (i.e., on the external networks, including the internet). The set of clients that can access an authoritative DNS server in a particular role is specified by the organization using address ranges, explicit access control lists, etc. To protect internal DNS resource information, it is important to isolate the requests to internal DNS servers. Separating internal and external roles in DNS prevents address space that is private (e.g., 10.0.0.0/24) or otherwise concealed by some form of Network Address Translation from leaking into the public DNS system.
Checks: C-63095r939771_chk

Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. Press the Windows key + R and execute "dnsmgmt.msc". On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". From the expanded list, review each zone. Consult with the DNS Admin to determine if any of the zones also have hostnames that need to be resolved from the external network. If the zone is split between internal and external networks, verify separate DNS servers have been implemented for each network. If internal and external DNS servers have not been implemented for zones that require resolution from both the internal and external networks, this is a finding.

Fix: F-63003r939772_fix

Configure separate DNS servers for each of the external and internal networks.

b
The Windows DNS Server authoritative for local zones must only point root hints to the DNS servers that host the internal root domain.
CM-6 - Medium - CCI-000366 - V-259357 - SV-259357r961863_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
WDNS-22-000027
Vuln IDs
  • V-259357
Rule IDs
  • SV-259357r961863_rule
All caching name servers must be authoritative for the root zone because, without this starting point, they would have no knowledge of the DNS infrastructure and thus would be unable to respond to any queries. The security risk is that an adversary could change the root hints and direct the caching name server to a bogus root server. At that point, every query response from that name server is suspect, which would give the adversary substantial control over the network communication of the name servers' clients. When authoritative servers are sent queries for zones that they are not authoritative for, and they are configured as a noncaching server (as recommended), they can be configured to either return a referral to the root servers or refuse to answer the query. The recommendation is to configure authoritative servers to refuse to answer queries for any zones for which they are not authoritative. This is more efficient for the server and allows it to spend more of its resources fulfilling its intended purpose of answering authoritatively for its zone.
Checks: C-63096r939774_chk

Note: If the Windows DNS Server is in the classified network, this check is not applicable. Log on to the authoritative DNS server using the Domain Admin or Enterprise Admin account. Press the Windows key + R and execute "dnsmgmt.msc". Right-click the DNS server and select "Properties". Select the "Root Hints" tab. Verify "Root Hints" is empty or only has entries for internal zones under "Name servers:". All internet root server entries must be removed. If "Root Hints" is not empty or entries on the "Root Hints" tab under "Name servers:" are external to the local network, this is a finding.

Fix: F-63004r939775_fix

Log on to the authoritative DNS server using the Domain Admin or Enterprise Admin account. Press the Windows key + R and execute "dnsmgmt.msc". Right-click the DNS server and select "Properties". Select the "Root Hints" tab. Remove the root hints from the DNS Manager, the CACHE.DNS file, and from Active Directory for name servers outside the internal network. Replace the existing root hints with new root hints of internal servers. If the DNS server is forwarding, click to select the "Do not use recursion for this domain"" check box on the "Forwarders" tab in DNS Manager to ensure the root hints will not be used.

b
The Windows DNS Servers zone files must not include resource records that resolve to a fully qualified domain name residing in another zone.
CM-6 - Medium - CCI-000366 - V-259358 - SV-259358r961863_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
WDNS-22-000029
Vuln IDs
  • V-259358
Rule IDs
  • SV-259358r961863_rule
If a name server could claim authority for a resource record in a domain for which it was not authoritative, this would pose a security risk. In this environment, an adversary could use illicit control of a name server to impact IP address resolution beyond the scope of that name server (i.e., by claiming authority for records outside of that server's zones). Fortunately, all but the oldest versions of BIND and most other DNS implementations do not allow for this behavior. The best way to eliminate this risk is to eliminate from the zone files any records for hosts in another zone. The exceptions are glue records supporting zone delegations, CNAME records supporting a system migration, or CNAME records that point to third-party content delivery networks (CDNs) or cloud computing platforms. In the case of third-party CDNs or cloud offerings, an approved mission need must be demonstrated.
Checks: C-63097r939777_chk

Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. Press the Windows key + R and execute "dnsmgmt.msc". On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". From the expanded list, click to select the zone. Confirm with the DNS administrator that the hosts defined in the zone files do not resolve to hosts in another zone with its fully qualified domain name. The exceptions are glue records supporting zone delegations, CNAME records supporting a system migration, or CNAME records that point to third-party CDNs or cloud computing platforms. In the case of third-party CDNs or cloud offerings, an approved mission need must be demonstrated. Additional exceptions are CNAME records in a multidomain Active Directory environment pointing to hosts in other internal domains in the same multidomain environment. If resource records are maintained that resolve to a fully qualified domain name in another zone, and the usage is not for resource records resolving to hosts that are glue records supporting zone delegations, CNAME records supporting a system migration, or CNAME records that point to third-party CDNs or cloud computing platforms with a documented and approved mission need, this is a finding.

Fix: F-63005r939778_fix

Remove any resource records in a zone file if the resource record resolves to a fully qualified domain name residing in another zone.

b
The Windows DNS Server's zone files must not include CNAME records pointing to a zone with lesser security for more than six months.
CM-6 - Medium - CCI-000366 - V-259359 - SV-259359r961863_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
WDNS-22-000030
Vuln IDs
  • V-259359
Rule IDs
  • SV-259359r961863_rule
The use of CNAME records for exercises, tests, or zone-spanning (pointing to zones with lesser security) aliases should be temporary (e.g., to facilitate a migration) and not be in place for more than six months. When a host name is an alias for a record in another zone, an adversary has two points of attack: the zone in which the alias is defined and the zone authoritative for the alias's canonical name. This configuration also reduces the speed of client resolution because it requires a second lookup after obtaining the canonical name. In the case of an authoritative name server, this information is promulgated throughout the enterprise to caching servers, which compounds the vulnerability.
Checks: C-63098r939780_chk

Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. Press the Windows key + R and execute "dnsmgmt.msc". On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". From the expanded list, click to select the zone. Review the resource records to confirm there are no CNAME records older than six months. The exceptions are glue records supporting zone delegations, CNAME records supporting a system migration, or CNAME records that point to third-party Content Delivery Networks (CDNs) or cloud computing platforms. In the case of third-party CDNs or cloud offerings, an approved mission need must be demonstrated. (Authorizing Official approval of use of a commercial cloud offering would satisfy this requirement.) Additional exceptions are CNAME records in a multidomain Active Directory environment pointing to hosts in other internal domains in the same multidomain environment. If there are zone-spanning (i.e., zones of lesser security) CNAME records older than six months and the CNAME records resolve to anything other than fully qualified domain names for glue records supporting zone delegations, CNAME records supporting a system migration, or CNAME records that point to third-party CDNs or cloud computing platforms with an AO-approved and documented mission need, this is a finding.

Fix: F-63006r939781_fix

Remove any zone-spanning CNAME records that have been active for more than six months, which are not supporting zone delegations, CNAME records supporting a system migration, or CNAME records pointing to third-party CDNs or cloud computing platforms. In the case of third-party CDNs or cloud offerings, an approved mission need must be demonstrated (AO approval of use of a commercial cloud offering would satisfy this requirement).

b
Nonroutable IPv6 link-local scope addresses must not be configured in any zone.
CM-6 - Medium - CCI-000366 - V-259360 - SV-259360r961863_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
WDNS-22-000031
Vuln IDs
  • V-259360
Rule IDs
  • SV-259360r961863_rule
IPv6 link-local scope addresses are not globally routable and must not be configured in any DNS zone. Like RFC1918 addresses, if a link-local scope address is inserted into a zone provided to clients, most routers will not forward this traffic beyond the local subnet.
Checks: C-63099r939783_chk

Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. Press the Windows key + R and execute "dnsmgmt.msc". On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". From the expanded list, click to select the zone. Expand the "Forward Lookup Zones" folder. Expand each zone folder and examine the host record entries. The third column titled "Data" will display the IP. Verify this column does not contain any IP addresses that begin with the prefixes "FE8", "FE9", "FEA", or "FEB". If any nonroutable IPv6 link-local scope addresses are in any zone, this is a finding.

Fix: F-63007r939784_fix

Remove any link-local addresses and replace with appropriate Site-Local or Global scope addresses.

b
AAAA addresses must not be configured in a zone for hosts that are not IPv6 aware.
CM-6 - Medium - CCI-000366 - V-259361 - SV-259361r961863_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
WDNS-22-000032
Vuln IDs
  • V-259361
Rule IDs
  • SV-259361r961863_rule
DNS is only responsible for resolving a domain name to an IP address. Applications and operating systems are responsible for processing the IPv6 or IPv4 record that may be returned. A denial of service could easily be implemented for an application that is not IPv6 aware. When the application receives an IP address in hexadecimal, it is up to the application/operating system to decide how to handle the response. Combining both IPv6 and IPv4 records into the same domain can lead to application problems that are beyond the scope of the DNS administrator.
Checks: C-63100r939786_chk

Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. Press the Windows key + R and execute "dnsmgmt.msc". On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". From the expanded list, select each zone and examine the host record entries. The third column titled "Data" will display the IP. Determine if any contain both IPv4 and IPv6 addresses. If any hostnames contain both IPv4 and IPv6 addresses, confirm with the system administrator that the actual hosts are IPv6 aware. If any zones contain hosts with both IPv4 and IPv6 addresses but are determined to be non-IPv6 aware, this is a finding.

Fix: F-63008r939787_fix

Remove any IPv6 records for hosts that are not IPv6 aware.

b
The Windows DNS Server must uniquely identify the other DNS server before responding to a server-to-server transaction.
IA-3 - Medium - CCI-000778 - V-259363 - SV-259363r960999_rule
RMF Control
IA-3
Severity
Medium
CCI
CCI-000778
Version
WDNS-22-000035
Vuln IDs
  • V-259363
Rule IDs
  • SV-259363r960999_rule
Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. This applies to server-to-server (zone transfer) transactions only and is provided by TSIG/SIG(0), which enforces mutual server authentication using a key that is unique to each server pair, TSIG, or using PKI-based authentication, SIG(0), thus uniquely identifying the other server. TSIG and SIG(0) are not configurable in Windows DNS Server. To meet the requirement for authentication between Windows DNS Servers, IPsec will be implemented between the Windows DNS Servers that host any non-Active Directory (AD)-integrated zones.
Checks: C-63102r939792_chk

Note: This requirement applies to any Windows DNS Server that hosts non-AD-integrated zones, even if the DNS servers host AD-integrated zones, too. Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. Press the Windows key + R and execute "gpme.msc" to open the Group Policy Management feature. In the "Browse for Group Policy Object" dialog box, double-click "Domain Controllers.domain.com". Click "Default Domain Controllers Policy" and click "OK". In the console tree, open Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security - LDAP. Click "Connection Security Rules". Confirm at least one rule is configured for TCP 53. Double-click on each rule to verify the following: On the "Authentication" tab, "Authentication mode:" is set to "Request authentication for inbound and outbound connections". The "Signing Algorithm" is set to "RSA (default)". On the "Remote Computers" tab, "Endpoint1" and "Endpoint2" are configured with the IP addresses of all DNS servers. On the "Protocols and Ports" tab, "Protocol type:" is set to either TCP (depending on which rule is being reviewed) and the "Endpoint 1 port:" is set to "Specific ports" and "53". If no rules are configured with the specified requirements, this is a finding.

Fix: F-63010r939793_fix

Complete the following procedures twice for each pair of name servers. Create a rule for TCP connections. Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. Press the Windows key + R and execute "gpme.msc" to open the Group Policy Management feature. In the "Browse for Group Policy Object" dialog box, double-click "Domain Controllers.domain.com". Click "Default Domain Controllers Policy" and click "OK". In the console tree, open Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security - LDAP. Right-click "Connection Security Rules" and select "New". For "Rule Type", select the "Server-to-server" radio button and click "Next". For Endpoint 1 and Endpoint 2, select "These IP addresses:" and add the IP addresses of all DNS servers. Click "Next". For "Requirements", select "Request authentication for inbound and outbound connections" and click "Next". For "Authentication Method", select Computer certificate and from the "Signing Algorithm:" drop-down, select "RSA (default)". From the "Certificate store type:" drop-down, select "Root CA (default)". From the "CA name:", click "Browse", select the certificate for the CA, and click "Next". On "Profile", accept default selections and click "Next". On "Name", enter a name applicable to the rule's function. Click "Finish".

b
The secondary Windows DNS name servers must cryptographically authenticate zone transfers from primary name servers.
IA-3 - Medium - CCI-001958 - V-259364 - SV-259364r961503_rule
RMF Control
IA-3
Severity
Medium
CCI
CCI-001958
Version
WDNS-22-000036
Vuln IDs
  • V-259364
Rule IDs
  • SV-259364r961503_rule
Authenticity of zone transfers within Windows Active Directory (AD)-integrated zones is accomplished by AD replication. Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Device authentication is a solution enabling an organization to manage devices. It is an additional layer of authentication ensuring only specific preauthorized devices can access the system. This requirement applies to server-to-server (zone transfer) transactions only and is provided by TSIG/SIG(0), which enforces mutual server authentication using a key that is unique to each server pair, TSIG, or using PKI-based authentication, SIG(0).
Checks: C-63103r945271_chk

For zones that are completely AD-integrated, this check is not a finding. For authenticity of zone transfers between non-AD-integrated zones, DNSSEC must be implemented. Validate this check from the Windows DNS Server being configured/reviewed. Log on to the Windows DNS Server using the account designated as Administrator or DNS Administrator. Determine a valid host in the zone. Open the Windows PowerShell prompt on the Windows DNS Server being configured/reviewed. Issue the following command: (Replace www.zonename.mil with a FQDN of a valid host in the zone being validated. Replace ###.###.###.### with the FQDN or IP address of the Windows DNS Server hosting the signed zone.) resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok <enter> Note: It is important to use the -server switch followed by the DNS server name/IP address. The result should show the "A" record results. In addition, the results should show QueryType: RRSIG with an expiration, date signed, signer, and signature, similar to the following: Name: www.zonename.mil QueryType: RRSIG TTL: 189 Section: Answer TypeCovered: CNAME Algorithm: 8 LabelCount: 3 OriginalTtl: 300 Expiration: 12/21/2022 10:215:28 AM Signed: 11/22/2022 10:15:28 AM Signer: zonename.mil Signature: {87, 232, 34, 134...} Name: origin-www.zonename.mil QueryType: A TTL: 201 Section: Answer IP4Address: ###.###.###.### If the results do not show the RRSIG and signature information, indicating the zone has been signed with DNSSEC, this is a finding.

Fix: F-63011r939796_fix

Sign or re-sign the hosted zone(s) on the DNS server being validated. Log on to the DNS server using the account designated as Administrator or DNS Administrator. If not automatically started, initialize the Server Manager window by clicking its icon from the bottom left corner of the screen. Once the Server Manager window is initialized, from the left pane, click to select the DNS category. From the right pane, under the "SERVERS" section, right-click the DNS server. From the context menu that appears, click "DNS Manager". In the DNS Manager console tree on the DNS server being validated, navigate to "Forward Lookup Zones". Right-click the zone (repeat for each hosted zone), point to DNSSEC, and then click "Sign the Zone" using either approved saved parameters or approved custom parameters.

b
The Windows DNS primary server must only send zone transfers to a specific list of secondary name servers.
AC-10 - Medium - CCI-000054 - V-259365 - SV-259365r960735_rule
RMF Control
AC-10
Severity
Medium
CCI
CCI-000054
Version
WDNS-22-000037
Vuln IDs
  • V-259365
Rule IDs
  • SV-259365r960735_rule
Primary name servers also make outbound connection to secondary name servers to provide zone transfers and accept inbound connection requests from clients wishing to provide a dynamic update. Primary name servers should explicitly limit zone transfers to be made only to designated secondary name servers. Because zone transfers involve the transfer of entire zones and use TCP connections, they place substantial demands on network resources relative to normal DNS queries. Errant or malicious frequent zone transfer requests on the name servers of the enterprise can overload the master zone server and result in a denial of service to legitimate users. Active Directory (AD)-integrated DNS servers replicate zone information via AD replication. Non-AD-integrated DNS servers replicate zone information via zone transfers.
Checks: C-63104r939798_chk

If the DNS server hosts only AD-integrated zones and there are no non-AD-integrated DNS servers acting as secondary DNS servers for the zones, this check is not applicable. For a non-AD-integrated DNS server: Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. Press the Windows key + R and execute "dnsmgmt.msc". On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server, and then expand "Forward Lookup Zones". From the expanded list, click to select and then right-click the zone name. From the displayed context menu, click the "Properties" option. On the opened zone's properties box, go to the "Zone Transfers" tab. On the displayed interface, determine if the "Allow zone transfers" check box is selected. If the "Allow zone transfers" check box is not selected, this is not a finding. If the "Allow zone transfers" check box is selected, determine if either the "Only to servers listed on the Name Servers tab" radio button is selected or the "Only to the following servers" radio button is selected. If the "To any server" radio button is selected, this is a finding.

Fix: F-63012r939799_fix

Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. Press the Windows key + R and execute "dnsmgmt.msc". On the opened DNS Manager snap-in from the left pane, expand the server name and then expand "Forward Lookup Zones". From the expanded list, click to select the zone. From the displayed context menu, click the "Properties" option. On the opened zone's properties box, go to the "Zone Transfers" tab. On the displayed interface, select the "Allow zone transfers" check box. Select the "Only to servers listed on the Name Servers tab" radio button OR select the "Only to the following servers" radio button. Click "Apply". Click "OK".

b
The Windows DNS Server must provide its identity with returned DNS information by enabling DNSSEC and TSIG/SIG(0).
CM-6 - Medium - CCI-000366 - V-259366 - SV-259366r987676_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
WDNS-22-000038
Vuln IDs
  • V-259366
Rule IDs
  • SV-259366r987676_rule
Weakly bound credentials can be modified without invalidating the credential; therefore, nonrepudiation can be violated. This requirement supports audit requirements that provide organizational personnel with the means to identify who produced specific information in the event of an information transfer. Organizations and/or data owners determine and approve the strength of the binding between the information producer and the information based on the security category of the information and relevant risk factors. DNSSEC and TSIG/SIG(0) both use digital signatures to establish the identity of the producer of pieces of information.
Checks: C-63105r945274_chk

Note: This check is not applicable for Windows DNS Servers that host only Active Directory-integrated zones or for Windows DNS Servers on a classified network. Validate this check from the Windows DNS Server being configured/reviewed. Log on to the Windows DNS Server using the account designated as Administrator or DNS Administrator. Determine a valid host in the zone. Open the Windows PowerShell prompt on the Windows DNS Server being configured/reviewed. Issue the following command: (Replace www.zonename.mil with a FQDN of a valid host in the zone being validated. Replace ###.###.###.### with the FQDN or IP address of the Windows DNS Server hosting the signed zone.) resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok <enter> Note: It is important to use the -server switch followed by the DNS server name/IP address. The result should show the "A" record results. In addition, the results should show QueryType: RRSIG with an expiration, date signed, signer, and signature, similar to the following: Name: www.zonename.mil QueryType: RRSIG TTL: 189 Section: Answer TypeCovered: CNAME Algorithm: 8 LabelCount: 3 OriginalTtl: 300 Expiration: 11/21/2014 10:22:28 PM Signed: 10/22/2014 10:22:28 PM Signer: zonename.mil Signature: {87, 232, 34, 134...} Name: origin-www.zonename.mil QueryType: A TTL: 201 Section: Answer IP4Address: ###.###.###.### If the results do not show the RRSIG and signature information, this is a finding.

Fix: F-63013r939802_fix

Sign or re-sign the hosted zone(s) on the DNS server being validated. Log on to the DNS server using the account designated as Administrator or DNS Administrator. In the DNS Manager console tree on the DNS server being validated, navigate to "Forward Lookup Zones". Right-click the zone (repeat for each hosted zone), point to DNSSEC, and then click "Sign the Zone" using either saved parameters or custom parameters.

b
The Windows DNS Server must be configured to enforce authorized access to the corresponding private key.
IA-5 - Medium - CCI-000186 - V-259367 - SV-259367r961041_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000186
Version
WDNS-22-000039
Vuln IDs
  • V-259367
Rule IDs
  • SV-259367r961041_rule
The cornerstone of the PKI is the private key used to encrypt or digitally sign information. If the private key is stolen, this will lead to the compromise of the authentication and nonrepudiation gained through PKI because the attacker can use the private key to digitally sign documents and pretend to be the authorized user. Both the holders of a digital certificate and the issuing authority must protect the computers, storage devices, or whatever they use to keep the private keys. SIG(0) is used for server-to-server authentication for DNS transactions, and it uses PKI-based authentication. In cases where SIG(0) is being used instead of TSIG (which uses a shared key, not PKI-based authentication), this requirement is applicable.
Checks: C-63106r939804_chk

Access Windows Explorer. Navigate to the following location: %ALLUSERSPROFILE%\Microsoft\Crypto Note: If the folder above does not exist, this check is not applicable. Verify the permissions on the keys folder, subfolders, and files are limited to SYSTEM and Administrators FULL CONTROL. If any other user or group has greater than READ privileges to the %ALLUSERSPROFILE%\Microsoft\Crypto folder, subfolders and files, this is a finding.

Fix: F-63014r939805_fix

Access Windows Explorer. Navigate to the following location: %ALLUSERSPROFILE%\Microsoft\Crypto Modify permissions on the keys folder, subfolders, and files to be limited to SYSTEM and Administrators FULL CONTROL to limit all other users/groups to READ.

b
The Windows DNS Server key file must be owned by the account under which the Windows DNS Server service is run.
IA-5 - Medium - CCI-000186 - V-259368 - SV-259368r961041_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000186
Version
WDNS-22-000040
Vuln IDs
  • V-259368
Rule IDs
  • SV-259368r961041_rule
To enable zone transfer (requests and responses) through authenticated messages, it is necessary to generate a key for every pair of name servers. The key can also be used for securing other transactions, such as dynamic updates, DNS queries, and responses. The binary key string that is generated by most key generation utilities used with DNSSEC is Base64 encoded. Transaction Signature (TSIG) is a string used to generate the message authentication hash stored in a TSIG Resource Record (RR) and used to authenticate an entire DNS message.
Checks: C-63107r939807_chk

Access Services on the Windows DNS Server and locate the DNS Server Service. Determine the account under which the DNS Server Service is running. Access Windows Explorer. Navigate to the following location: %ALLUSERSPROFILE%\Microsoft\Crypto Note: If the folder above does not exist, this check is not applicable. Right-click on each subfolder, choose "Properties", click the "Security" tab, and click the "Advanced" button. Verify the Owner on the folder, subfolders, and files is the account under which the DNS Server Service is running. If any other user or group is listed as OWNER of the %ALLUSERSPROFILE%\Microsoft\Crypto folder, subfolders, and files, this is a finding.

Fix: F-63015r939808_fix

Access Windows Explorer. Navigate to the following location: %ALLUSERSPROFILE%\Microsoft\Crypto Right-click on each subfolder, choose "Properties", click the "Security" tab, and click the "Advanced" button. Click "Change" next to the listed Owner and change to be the account under which the DNS Server Service is running.

b
The Windows DNS Server permissions must be set so the key file can only be read or modified by the account that runs the name server software.
IA-5 - Medium - CCI-000186 - V-259369 - SV-259369r961041_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000186
Version
WDNS-22-000041
Vuln IDs
  • V-259369
Rule IDs
  • SV-259369r961041_rule
To enable zone transfer (requests and responses) through authenticated messages, it is necessary to generate a key for every pair of name servers. The key can also be used for securing other transactions, such as dynamic updates, DNS queries, and responses. The binary key string that is generated by most key generation utilities used with DNSSEC is Base64 encoded. Transaction Signature (TSIG) is a string used to generate the message authentication hash stored in a TSIG Resource Record (RR) and used to authenticate an entire DNS message.
Checks: C-63108r939810_chk

Access Windows Explorer. Navigate to the following location: %ALLUSERSPROFILE%\Microsoft\Crypto Note: If the folder above does not exist, this check is not applicable. Verify the permissions on the folder, subfolders, and files are limited to "SYSTEM" and Administrators for "FULL CONTROL". If any other user or group has greater than READ permissions to the %ALLUSERSPROFILE%\Microsoft\Crypto folder, subfolders, and files, this is a finding.

Fix: F-63016r939811_fix

Access Windows Explorer. Navigate to the following location: %ALLUSERSPROFILE%\Microsoft\Crypto Modify permissions on the folder, subfolders, and files to "FULL CONTROL" for "SYSTEM" and Administrators and to "READ" for all other users/groups.

b
The private key corresponding to the zone signing key (ZSK) must only be stored on the name server that does support dynamic updates.
IA-5 - Medium - CCI-000186 - V-259370 - SV-259370r961041_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000186
Version
WDNS-22-000042
Vuln IDs
  • V-259370
Rule IDs
  • SV-259370r961041_rule
The private keys in the key signing key (KSK) and ZSK key pairs must be protected from unauthorized access. If possible, the private keys should be stored offline (with respect to the internet-facing, DNSSEC-aware name server) in a physically secure, non-network-accessible machine along with the zone file primary copy. This strategy is not feasible in situations in which the DNSSEC-aware name server must support dynamic updates. To support dynamic update transactions, the DNSSEC-aware name server (which usually is a primary authoritative name server) must have both the zone file master copy and the private key corresponding to the zone signing key (ZSK-private) online to immediately update the signatures for the updated resource record (RR) sets. The private key corresponding to the key signing key (KSK-private) can still be kept offline.
Checks: C-63109r945279_chk

Note: This check is not applicable for Windows DNS Servers that host only Active Directory (AD)-integrated zones or for Windows DNS Servers on a classified network. Note: This requirement is not applicable to servers with only a caching role. For AD-integrated zones, private zone signing keys replicate automatically to all primary DNS servers through AD replication. Each authoritative server signs its own copy of the zone when it receives the key. For optimal performance, and to prevent increasing the size of the AD database file, the signed copy of the zone remains in memory for AD-integrated zones. A DNSSEC-signed zone is only committed to disk for file-backed zones. Secondary DNS servers pull a full copy of the zone, including signatures, from the primary DNS server. If all DNS servers are AD integrated, this check is not applicable. If a DNS server is not AD integrated and has file-backed zones, does not accept dynamic updates, and has a copy of the private key corresponding to the ZSK, this is a finding.

Fix: F-63017r939814_fix

Ensure the private key corresponding to the ZSK is only stored on the name server accepting dynamic updates.

b
The Windows DNS Server must implement a local cache of revocation data for PKI authentication.
- Medium - CCI-004068 - V-259371 - SV-259371r1000177_rule
RMF Control
Severity
Medium
CCI
CCI-004068
Version
WDNS-22-000043
Vuln IDs
  • V-259371
Rule IDs
  • SV-259371r1000177_rule
Not configuring a local cache of revocation data could allow access to users who are no longer authorized (users with revoked certificates). SIG(0) is used for server-to-server authentication for DNS transactions, and it uses PKI-based authentication. In cases where SIG(0) is being used instead of TSIG (which uses a shared key, not PKI-based authentication), this requirement is applicable.
Checks: C-63110r939816_chk

Consult with the system administrator to determine if a third-party CRL server is being used for certificate revocation lookup. If there is, determine if a documented procedure is in place to store a copy of the CRL locally (local to the site, as an alternative to querying the actual Certificate Authorities). An example would be an OCSP responder installed at the local site. If there is no local cache of revocation data, this is a finding.

Fix: F-63018r939817_fix

Configure local revocation data to be used in the event access to Certificate Authorities is hindered.

b
The salt value for zones signed using NSEC3 resource records (RRs) must be changed every time the zone is completely re-signed.
CM-6 - Medium - CCI-000366 - V-259372 - SV-259372r961863_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
WDNS-22-000044
Vuln IDs
  • V-259372
Rule IDs
  • SV-259372r961863_rule
NSEC records list the resource record types for the name, as well as the name of the next resource record. With this information it is revealed that the resource record type for the name queried, or the resource record name requested, does not exist. NSEC uses the actual resource record names, whereas NSEC3 uses a one-way hash of the name. In this way, walking zone data from one record to the next is prevented, at the expense of some CPU cycles on the authoritative server and the resolver. To prevent giving access to an entire zone file, NSEC3 should be configured. To use NSEC3, RSA/SHA-1 should be used as the algorithm, as some resolvers that understand RSA/SHA-1 might not understand NSEC3. Using RSA/SHA-256 is a safe alternative.
Checks: C-63111r945370_chk

Note: This check is not applicable for Windows DNS Servers that host only Active Directory-integrated zones or for Windows DNS Servers on a classified network. In Windows, the NSEC3 salt values are automatically changed when the zone is re-signed. To validate: Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. Press the Windows key + R and execute "dnsmgmt.msc". On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS Server and then expand "Forward Lookup Zones". From the expanded list, click to select the zone. Review the zone's RRs in the right windowpane. Determine the RRSIG NSEC3PARAM's Inception (in the Data column). Compare the Inception to the RRSIG DNSKEY Inception. The date and time should be the same. If the NSEC3PARAM's Inception date and time is different than the DNSKEY Inception date and time, this is a finding.

Fix: F-63019r939820_fix

Sign or re-sign the hosted zone(s) on the DNS server being validated. Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. Press the Windows key + R and execute "dnsmgmt.msc". On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server, and then expand "Forward Lookup Zones". From the expanded list, right-click to select the zone (repeat for each hosted zone), point to DNSSEC, and then click "Sign the Zone" using either approved saved parameters or approved custom parameters. Revalidate the NSEC3PARAM Inception date and time against the DNSKEY date and time.

b
The Windows DNS Server must include data origin with authoritative data the system returns in response to external name/address resolution queries.
SC-20 - Medium - CCI-001178 - V-259373 - SV-259373r961101_rule
RMF Control
SC-20
Severity
Medium
CCI
CCI-001178
Version
WDNS-22-000045
Vuln IDs
  • V-259373
Rule IDs
  • SV-259373r961101_rule
The underlying feature in the major threat associated with DNS query/response (i.e., forged response or response failure) is the integrity of DNS data returned in the response. The security objective is to verify the integrity of each response received. An integral part of integrity verification is to ensure valid data has originated from the right source. Establishing trust in the source is called data origin authentication. The security objectives, and consequently the security services, that are required for securing the DNS query/response transaction are data origin authentication and data integrity verification. The specification for a digital signature mechanism in the context of the DNS infrastructure is in IETF's DNSSEC standard. In DNSSEC, trust in the public key (for signature verification) of the source is established not by going to a third party or a chain of third parties (as in public key infrastructure [PKI] chaining), but by starting from a trusted zone (such as the root zone) and establishing the chain of trust down to the current source of response through successive verifications of signature of the public key of a child by its parent. The public key of the trusted zone is called the trust anchor.
Checks: C-63112r945284_chk

Note: This check is not applicable for Windows DNS Servers that host only Active Directory-integrated zones or for Windows DNS Servers on a classified network. Authenticity of query responses is provided with DNSSEC signing of zones. Validate this check from the Windows DNS Server being configured/reviewed. Log on to the Windows DNS Server using the account designated as Administrator or DNS Administrator. Determine a valid host in the zone. Open the Windows PowerShell prompt on the Windows DNS Server being configured/reviewed. Issue the following command: (Replace www.zonename.mil with a FQDN of a valid host in the zone being validated. Replace ###.###.###.### with the FQDN or IP address of the Windows DNS Server hosting the signed zone.) resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok <enter> Note: It is important to use the -server switch followed by Windows DNS Server name/IP address. The result should show the "A" record results. In addition, the results should show QueryType: RRSIG with an expiration, date signed, signer, and signature, similar to the following: Name: www.zonename.mil QueryType: RRSIG TTL: 189 Section: Answer TypeCovered: CNAME Algorithm: 8 LabelCount: 3 OriginalTtl: 300 Expiration: 11/21/2014 10:22:28 PM Signed: 10/22/2014 10:22:28 PM Signer: zonename.mil Signature: {87, 232, 34, 134...} Name: origin-www.zonename.mil QueryType: A TTL: 201 Section: Answer IP4Address: ###.###.###.### If the results do not show the RRSIG and signature information, this is a finding.

Fix: F-63020r939823_fix

Sign or re-sign the hosted zone(s) on the DNS server being validated. Log on to the DNS server using the account designated as Administrator or DNS Administrator. If not automatically started, initialize the Server Manager window by clicking its icon from the bottom left corner of the screen. Once the Server Manager window is initialized, from the left pane, click to select the DNS category. From the right pane, under the "SERVERS" section, right-click the DNS server. From the context menu that appears, click "DNS Manager". In the DNS Manager console tree on the DNS server being validated, navigate to "Forward Lookup Zones". Right-click the zone (repeat for each hosted zone), point to DNSSEC, and then click "Sign the Zone" using either approved saved parameters or approved custom parameters.

b
The Windows DNS Server's IP address must be statically defined and configured locally on the server.
CM-6 - Medium - CCI-000366 - V-259374 - SV-259374r987695_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
WDNS-22-000046
Vuln IDs
  • V-259374
Rule IDs
  • SV-259374r987695_rule
The major threat associated with DNS forged responses or failures is the integrity of the DNS data returned in the response. The principle of DNSSEC is to mitigate this threat by providing data origin authentication, establishing trust in the source. By requiring remote clients to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service, data origin is validated. Ensuring all name servers have static IP addresses makes it possible to configure restricted DNS communication, such as with DNSSEC, between the name servers.
Checks: C-63113r939825_chk

Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. Locate the "Network Internet Access" icon, right-click on it, and select "Open Network & Sharing Center". Click "Change adapter settings". Right-click on the Ethernet and click "Properties". Select "Internet Protocol Version 4 (TCP/IPv4)" and click "Properties". Verify the "Use the following IP address" is selected, with an IP address, subnet mask, and default gateway assigned. If the "Use the following IP address" is not selected with a configured IP address, subnet mask, and default gateway, this is a finding.

Fix: F-63021r939826_fix

Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. Locate the "Network Internet Access" icon, right-click on it, and select "Open Network & Sharing Center". Click "Change adapter settings". Right-click on the Ethernet and click "Properties". Select "Internet Protocol Version 4 (TCP/IPv4)" and click "Properties". Select "Use the following IP address" and populate with an IP address, subnet mask, and default gateway.

b
The Windows DNS Server must return data information in response to internal name/address resolution queries.
CM-6 - Medium - CCI-000366 - V-259375 - SV-259375r987695_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
WDNS-22-000047
Vuln IDs
  • V-259375
Rule IDs
  • SV-259375r987695_rule
The major threat associated with DNS forged responses or failures is the integrity of the DNS data returned in the response. The principle of DNSSEC is to mitigate this threat by providing data origin authentication, establishing trust in the source. By requiring remote clients to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service, data origin is validated.
Checks: C-63114r945287_chk

Note: This check is not applicable for Windows DNS Servers that host only Active Directory-integrated zones or for Windows DNS Servers on a classified network. By default, when DNS servers are configured with DNSSEC signed zones, they will automatically respond to query requests, providing validating data in the response, whenever the query requests that validation. Because this takes place inherently when the zone is signed with DNSSEC, the requirement is satisfied by ensuring zones are signed. Validate this check from the Windows DNS Server being configured/reviewed. Log on to the Windows DNS Server using the account designated as Administrator or DNS Administrator. Determine a valid host in the zone. Open the Windows PowerShell prompt on the Windows DNS Server being configured/reviewed. Issue the following command: (Replace www.zonename.mil with a FQDN of a valid host in the zone being validated. Replace ###.###.###.### with the FQDN or IP address of the Windows DNS Server hosting the signed zone.) resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok <enter> Note: It is important to use the -server switch followed by the DNS server name/IP address. The result should show the "A" record results. In addition, the results should show QueryType: RRSIG with an expiration, date signed, signer, and signature, similar to the following: Name: www.zonename.mil QueryType: RRSIG TTL: 189 Section: Answer TypeCovered: CNAME Algorithm: 8 LabelCount: 3 OriginalTtl: 300 Expiration: 11/21/2014 10:22:28 PM Signed: 10/22/2014 10:22:28 PM Signer: zonename.mil Signature: {87, 232, 34, 134...} Name: origin-www.zonename.mil QueryType: A TTL: 201 Section: Answer IP4Address: ###.###.###.### If the results do not show the RRSIG and signature information, this is a finding.

Fix: F-63022r945288_fix

Sign or re-sign the hosted zone(s) on the DNS server being validated. Log on to the Windows DNS Server using the account designated as Administrator or DNS Administrator. Press the Windows key + R and execute "dnsmgmt.msc". On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". From the expanded list, right-click to select the zone (repeat for each hosted zone), point to DNSSEC, and then click "Sign the Zone" using either approved saved parameters or approved custom parameters.

b
The Windows DNS Server must use DNSSEC data within queries to confirm data origin to DNS resolvers.
CM-6 - Medium - CCI-000366 - V-259376 - SV-259376r987696_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
WDNS-22-000048
Vuln IDs
  • V-259376
Rule IDs
  • SV-259376r987696_rule
The major threat associated with DNS forged responses or failures is the integrity of the DNS data returned in the response. The principle of DNSSEC is to mitigate this threat by providing data origin authentication, establishing trust in the source. By requiring remote clients to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service, data origin is validated. A DNS server is an example of an information system providing name/address resolution service. Digital signatures and cryptographic keys are examples of additional artifacts. DNS resource records are examples of authoritative data. Applications other than the DNS, to map between host/service names and network addresses, must provide other means to ensure the authenticity and integrity of response data. In the case of DNS, employ DNSSEC to provide an additional data origin and integrity artifacts along with the authoritative data the system returns in response to DNS name/address resolution queries.
Checks: C-63115r945290_chk

Note: This check is not applicable for Windows DNS Servers that host only Active Directory-integrated zones or for Windows DNS Servers on a classified network. Validate this check from the Windows DNS Server being configured/reviewed. Log on to the Windows DNS Server using the account designated as Administrator or DNS Administrator. Determine a valid host in the zone. Open the Windows PowerShell prompt on the Windows DNS Server being configured/reviewed. Issue the following command: (Replace www.zonename.mil with a FQDN of a valid host in the zone being validated. Replace ###.###.###.### with the FQDN or IP address of the Windows DNS Server hosting the signed zone.) resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok <enter> Note: It is important to use the -server switch followed by the DNS server name/IP address. The result should show the "A" record results. In addition, the results should show QueryType: RRSIG with an expiration, date signed, signer, and signature, similar to the following: Name: www.zonename.mil QueryType: RRSIG TTL: 189 Section: Answer TypeCovered: CNAME Algorithm: 8 LabelCount: 3 OriginalTtl: 300 Expiration: 11/21/2014 10:22:28 PM Signed: 10/22/2014 10:22:28 PM Signer: zonename.mil Signature: {87, 232, 34, 134...} Name: origin-www.zonename.mil QueryType: A TTL: 201 Section: Answer IP4Address: ###.###.###.### If the results do not show the RRSIG and signature information, this is a finding.

Fix: F-63023r945291_fix

Sign or re-sign the hosted zone(s) on the DNS server being validated. Log on to the Windows DNS Server using the account designated as Administrator or DNS Administrator. Press the Windows key + R and execute "dnsmgmt.msc". On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". From the expanded list, right-click to select the zone (repeat for each hosted zone), point to DNSSEC, and then click "Sign the Zone" using either approved saved parameters or approved custom parameters.

b
WINS lookups must be disabled on the Windows DNS Server.
SC-20 - Medium - CCI-002462 - V-259377 - SV-259377r961581_rule
RMF Control
SC-20
Severity
Medium
CCI
CCI-002462
Version
WDNS-22-000049
Vuln IDs
  • V-259377
Rule IDs
  • SV-259377r961581_rule
The major threat associated with DNS forged responses or failures is the integrity of the DNS data returned in the response. The principle of DNSSEC is to mitigate this threat by providing data origin authentication, establishing trust in the source. By requiring remote clients to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service, data origin is validated. A DNS server is an example of an information system providing name/address resolution service. Digital signatures and cryptographic keys are examples of additional artifacts. DNS resource records are examples of authoritative data. Applications other than the DNS, to map between host/service names and network addresses, must provide other means to assure the authenticity and integrity of response data. In the case of DNS, employ DNSSEC to provide an additional data origin and integrity artifacts along with the authoritative data the system returns in response to DNS name/address resolution queries. If/when WINS lookups are enabled, the validity of the data becomes questionable because the WINS data is provided to the requestor unsigned and invalidated. To ensure only the DNSSEC-signed data is being returned, WINS lookups must be disabled.
Checks: C-63116r939834_chk

Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. Press the Windows key + R and execute "dnsmgmt.msc". On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". From the expanded list, right-click each zone and then click "Properties". In the "Properties" dialog box for the zone, click the "WINS" tab. Verify the "Use WINS forward lookup" check box is not selected. If the "Use WINS forward lookup" check box is selected, this is a finding.

Fix: F-63024r939835_fix

Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. Press the Windows key + R and execute "dnsmgmt.msc". On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". From the expanded list, right-click each zone and then click "Properties". In the "Properties" dialog box for the zone, click the "WINS" tab. Uncheck the "Use WINS forward" lookup check box. Click "OK".

b
The Windows DNS Server must use DNSSEC data within queries to confirm data integrity to DNS resolvers.
SC-20 - Medium - CCI-002462 - V-259378 - SV-259378r961581_rule
RMF Control
SC-20
Severity
Medium
CCI
CCI-002462
Version
WDNS-22-000050
Vuln IDs
  • V-259378
Rule IDs
  • SV-259378r961581_rule
The major threat associated with DNS forged responses or failures is the integrity of the DNS data returned in the response. The principle of DNSSEC is to mitigate this threat by providing data origin authentication, establishing trust in the source. By requiring remote clients to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service, data origin is validated. A DNS server is an example of an information system providing name/address resolution service. Digital signatures and cryptographic keys are examples of additional artifacts. DNS resource records are examples of authoritative data. Applications other than the DNS, to map between host/service names and network addresses, must provide other means to assure the authenticity and integrity of response data. In the case of DNS, employ DNSSEC to provide an additional data origin and integrity artifacts along with the authoritative data the system returns in response to DNS name/address resolution queries.
Checks: C-63117r945294_chk

Note: This check is not applicable for Windows DNS Servers that host only Active Directory-integrated zones or for Windows DNS Servers on a classified network. Validate this check from the Windows DNS Server being configured/reviewed. Log on to the Windows DNS Server using the account designated as Administrator or DNS Administrator. Determine a valid host in the zone. Open the Windows PowerShell prompt on the Windows DNS Server being configured/reviewed. Issue the following command: (Replace www.zonename.mil with a FQDN of a valid host in the zone being validated. Replace ###.###.###.### with the FQDN or IP address of the Windows DNS Server hosting the signed zone.) resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok <enter> Note: It is important to use the -server switch followed by the DNS server name/IP address. The result should show the "A" record results. In addition, the results should show QueryType: RRSIG with an expiration, date signed, signer, and signature, similar to the following: Name: www.zonename.mil QueryType: RRSIG TTL: 189 Section: Answer TypeCovered: CNAME Algorithm: 8 LabelCount: 3 OriginalTtl: 300 Expiration: 11/21/2014 10:22:28 PM Signed: 10/22/2014 10:22:28 PM Signer: zonename.mil Signature: {87, 232, 34, 134...} Name: origin-www.zonename.mil QueryType: A TTL: 201 Section: Answer IP4Address: ###.###.###.### If the results do not show the RRSIG and signature information, this is a finding.

Fix: F-63025r945295_fix

Sign or re-sign the hosted zone(s) on the DNS server being validated. Log on to the Windows DNS Server using the account designated as Administrator or DNS Administrator. Press the Windows key + R and execute "dnsmgmt.msc". On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". From the expanded list, right-click to select the zone (repeat for each hosted zone), point to DNSSEC, and then click "Sign the Zone" using either approved saved parameters or approved custom parameters.

b
The Windows DNS Server must be configured with the Delegation Signer (DS) Resource Records (RR) carrying the signature for the RR that contains the public key of the child zone.
SC-20 - Medium - CCI-001179 - V-259379 - SV-259379r961104_rule
RMF Control
SC-20
Severity
Medium
CCI
CCI-001179
Version
WDNS-22-000051
Vuln IDs
  • V-259379
Rule IDs
  • SV-259379r961104_rule
If name server replies are invalid or cannot be validated, many networking functions and communication would be adversely affected. With DNS, the presence of DS records associated with child zones informs clients of the security status of child zones. These records are crucial to the DNSSEC chain of trust model. Each parent domain's DS record is used to verify the DNSKEY record in its subdomain from the top of the DNS hierarchy down. A DNS server is an example of an information system providing name/address resolution service. Digital signatures and cryptographic keys are examples of additional artifacts. DNS resource records are examples of authoritative data. Applications other than the DNS, to map between host/service names and network addresses, must provide other means to ensure the authenticity and integrity of response data. In DNS, trust in the public key of the source is established by starting from a trusted name server and establishing the chain of trust down to the current source of response through successive verifications of signature of the public key of a child by its parent. A trust anchor is an authoritative entity represented via a public key and associated data. It is used in the context of public key infrastructures, X.509 digital certificates, and DNSSEC. When there is a chain of trust, usually the top entity to be trusted becomes the trust anchor. A certification path starts with the subject certificate and proceeds through several intermediate certificates up to a trusted root certificate. In DNS, a trust anchor is a DNSKEY that is placed into a validating resolver so the validator can cryptographically validate the results for a given request back to a known public key (the trust anchor). One way to indicate the security status of child subspaces is through the use of DS RRs in the DNS. Path validation is necessary for a relying party to make an informed trust decision when presented with any certificate not already explicitly trusted. Without path validation and a chain of trust, there can be no trust that the data integrity authenticity has been maintained during a transaction.
Checks: C-63118r945297_chk

Note: This check is not applicable for Windows DNS Servers that host only Active Directory-integrated zones or for Windows DNS Servers on a classified network. Validate this check from the Windows DNS Server being configured/reviewed. Log on to the Windows DNS Server using the account designated as Administrator or DNS Administrator. Determine a valid host in the zone. Open the Windows PowerShell prompt on the Windows DNS Server being configured/reviewed. Issue the following command: (Replace www.zonename.mil with a FQDN of a valid host in the zone being validated. Replace ###.###.###.### with the FQDN or IP address of the Windows DNS Server hosting the signed zone.) resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok <enter> Note: It is important to use the -server switch followed by the DNS server name/IP address. The result should show the "A" record results. In addition, the results should show QueryType: RRSIG with an expiration, date signed, signer, and signature, similar to the following: Name: www.zonename.mil QueryType: RRSIG TTL: 189 Section: Answer TypeCovered: CNAME Algorithm: 8 LabelCount: 3 OriginalTtl: 300 Expiration: 11/21/2014 10:22:28 PM Signed: 10/22/2014 10:22:28 PM Signer: zonename.mil Signature: {87, 232, 34, 134...} Name: origin-www.zonename.mil QueryType: A TTL: 201 Section: Answer IP4Address: ###.###.###.### If the results do not show the RRSIG and signature information, this is a finding.

Fix: F-63026r945298_fix

Sign or re-sign the hosted zone(s) on the DNS server being validated. Log on to the Windows DNS Server using the account designated as Administrator or DNS Administrator. Press the Windows key + R and execute "dnsmgmt.msc". On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". From the expanded list, right-click to select the zone (repeat for each hosted zone), point to DNSSEC, and then click "Sign the Zone" using either approved saved parameters or approved custom parameters.

b
The Windows DNS Server must enforce approved authorizations between DNS servers using digital signatures in the Resource Record Set (RRSet).
SC-20 - Medium - CCI-001663 - V-259380 - SV-259380r961107_rule
RMF Control
SC-20
Severity
Medium
CCI
CCI-001663
Version
WDNS-22-000052
Vuln IDs
  • V-259380
Rule IDs
  • SV-259380r961107_rule
A mechanism to detect and prevent unauthorized communication flow must be configured or provided as part of the system design. If information flow is not enforced based on approved authorizations, the system may become compromised. Information flow control regulates where information is allowed to travel within a system and between interconnected systems. The flow of all application information must be monitored and controlled so it does not introduce any unacceptable risk to the systems or data. Application-specific examples of enforcement occur in systems that employ rule sets or establish configuration settings that restrict information system services or provide a message filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Applications providing information flow control must be able to enforce approved authorizations for controlling the flow of information between interconnected systems in accordance with applicable policy. Within the context of DNS, this is applicable in terms of controlling the flow of DNS information between systems, such as DNS zone transfers.
Checks: C-63119r945300_chk

Note: This check is not applicable for Windows DNS Servers that host only Active Directory-integrated zones or for Windows DNS Servers on a classified network. Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. Press the Windows key + R and execute "dnsmgmt.msc". On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". From the expanded list, click to select the zone. Review the records for the zone and ensure the complete RRSet of records is present: RRSIG, NSEC3, DNSKEY, indicating DNSSEC compliance. If the RRSet of records is not in the zone, this is a finding.

Fix: F-63027r939844_fix

Sign or re-sign the hosted zone(s) on the DNS server being validated. Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. Press the Windows key + R and execute "dnsmgmt.msc". On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". From the expanded list, click to select the zone. Right-click the zone (repeat for each hosted zone), point to DNSSEC, and then click "Sign the Zone" using either approved saved parameters or approved custom parameters.

b
The Name Resolution Policy Table (NRPT) must be configured in Group Policy to enforce clients to request DNSSEC validation for a domain.
SC-20 - Medium - CCI-001663 - V-259381 - SV-259381r961107_rule
RMF Control
SC-20
Severity
Medium
CCI
CCI-001663
Version
WDNS-22-000053
Vuln IDs
  • V-259381
Rule IDs
  • SV-259381r961107_rule
The NRPT is used to require DNSSEC validation. The NRPT can be configured in local Group Policy for a single computer or domain Group Policy for some or all computers in the domain.
Checks: C-63120r945302_chk

Note: This check is not applicable for Windows DNS Servers that host only Active Directory-integrated zones or for Windows DNS Servers on a classified network. The NRPT is configured in, and deployed to clients from, Group Policy and will be pushed to all clients in the domain. The Active Directory zones will be signed and the clients, with NRPT, will require a validation of signed data when querying. Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. At the Windows PowerShell prompt, type the following command: get-dnsclientnrptpolicy <enter> In the results, verify the "DnsSecValidationRequired" is "True". If there are no results to the "get-dnsclientnrptpolicy" cmdlet or the "DnsSecValidationRequired" is not "True", this is a finding.

Fix: F-63028r939847_fix

Implement this fix for configuring name resolvers, including DNS servers configured for the caching role only. On Domain Controller, on the Server Manager menu bar, click "Tools" and then click "Group Policy Management". In the Group Policy Management console tree, under Domains >> domainname >> Group Policy Objects, right-click "Default Domain Policy" and then click "Edit". In the Group Policy Management Editor console tree, navigate to Computer Configuration >> Policies >> Windows Settings >> Name Resolution Policy. In the details pane, under "Create Rules" and "to which part of the namespace does this rule apply", choose "Suffix" from the drop-down list and type "domain.mil" next to "Suffix". On the "DNSSEC" tab, select "Enable DNSSEC" in this rule check box and then under "Validation", select the check box for "Require DNS clients to check that name and address data has been validated by the DNS server". In the bottom right corner, click "Create" and then verify that a rule for domain.mil was added under the NRPT. Click "Apply" and then close the Group Policy Management Editor. Open a Windows PowerShell prompt and enter the following commands: gpupdate /force <enter> get-dnsclientnrptpolicy <enter> In the results, select "True" for the "DnsSecValidationRequired" setting for the domain.mil namespace.

b
The Windows DNS Server must be configured to validate an authentication chain of parent and child domains via response data.
SC-20 - Medium - CCI-001663 - V-259382 - SV-259382r961107_rule
RMF Control
SC-20
Severity
Medium
CCI
CCI-001663
Version
WDNS-22-000054
Vuln IDs
  • V-259382
Rule IDs
  • SV-259382r961107_rule
If name server replies are invalid or cannot be validated, many networking functions and communication would be adversely affected. With DNS, the presence of Delegation Signer (DS) records associated with child zones informs clients of the security status of child zones. These records are crucial to the DNSSEC chain of trust model. Each parent domain's DS record is used to verify the DNSKEY record in its subdomain, from the top of the DNS hierarchy down. Like the DNSKEY resource record, the DS Resource Record (RR) can be used to create a trust anchor for a signed zone. The DS record is smaller in size than a DNSKEY record because it contains only a hash of the public key. The DS record is not added to a zone during the signing process like some DNSSEC-related RRs, even if a delegation already exists in the zone. To add a DS record, it must be manually added or imported. Fortunately, the DS resource record set (DSSET) is automatically added as a file to the Key Primary when a zone is signed. The DSSET file can be used with the "Import-DnsServerResourceRecordDS" cmdlet to import DS records to the parent zone. A DNS server is an example of an information system providing name/address resolution service. Digital signatures and cryptographic keys are examples of additional artifacts. DNS resource records are examples of authoritative data. Applications other than the DNS, to map between host/service names and network addresses, must provide other means to ensure the authenticity and integrity of response data. DNSSEC provides the means to verify integrity assurances for the host/service name to network address resolution information obtained through the service. By using the DS RRs in the DNS, the security status of a child domain can be validated. The DS RR is used to identify the DNSSEC signing key of a delegated zone. Starting from a trusted name server (such as the root name server) and down to the current source of response through successive verifications of signature of the public key of a child by its parent, the chain of trust is established. The public key of the trusted name servers is called the trust anchor. After authenticating the source, the next process DNSSEC calls for is to authenticate the response. This requires that responses consist of not only the requested RRs but also an authenticator associated with them. In DNSSEC, this authenticator is the digital signature of an RRSet. The digital signature of an RRSet is encapsulated through a special RRType called RRSIG. The DNS client using the trusted public key of the source (whose trust has just been established) then verifies the digital signature to detect if the response is valid or bogus. This control enables the DNS to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service. Without indication of the security status of a child domain and enabling verification of a chain of trust, integrity and availability of the DNS infrastructure cannot be ensured.
Checks: C-63121r945304_chk

Note: This check is not applicable for Windows DNS Servers that host only Active Directory-integrated zones or for Windows DNS Servers on a classified network. Validate this check from the Windows DNS Server being configured/reviewed. Log on to the Windows DNS Server using the account designated as Administrator or DNS Administrator. Determine a valid host in the zone. Open the Windows PowerShell prompt on the Windows DNS Server being configured/reviewed. Issue the following command: PS C:\&gt; Get-DnsServerResourceRecord -ZoneName adatum.com -RRType DS Replace "adatum.com" with the parent zone on the DNS server being evaluated. HostName RecordType Timestamp TimeToLive RecordData -------- ---------- --------- ---------- ---------- corp DS 0 01:00:00 [58555][Sha1][RsaSha1NSec3] corp DS 0 01:00:00 [58555][Sha256][RsaSha1NSec3] corp DS 0 01:00:00 [63513][Sha1][RsaSha1NSec3] corp DS 0 01:00:00 [63513][Sha256][RsaSha1NSec3] If the results do not show the DS records for the child domain(s), this is a finding. In the previous example, DS records for the child zone, corp.adatum.com, were imported into the parent zone, adatum.com, by using the DSSET file in the c:\windows\system32\dns directory. The DSSET file was located in this directory because the local DNS server is the Key primary for the child zone. If the Key Master DNS server for a child zone is not the same computer as the primary authoritative DNS server for the parent zone where the DS record is being added, the DSSET file must be obtained for the child zone and made available to the primary authoritative server for the parent zone. Alternatively, the DS records can be added manually.

Fix: F-63029r939850_fix

A DS record must be added manually or imported. The DSSET is automatically added as a file to the Key primary when a zone is signed. This file can be used with the "Import-DnsServerResourceRecordDS" cmdlet to import DS records to the parent zone. Example: PS C:\> Import-DnsServerResourceRecordDS -ZoneName adatum.com -DSSetFile "c:\windows\system32\dns\dsset-corp.adatum.com"

b
Trust anchors must be exported from authoritative Windows DNS Servers and distributed to validating Windows DNS Servers.
SC-20 - Medium - CCI-001663 - V-259383 - SV-259383r961107_rule
RMF Control
SC-20
Severity
Medium
CCI
CCI-001663
Version
WDNS-22-000055
Vuln IDs
  • V-259383
Rule IDs
  • SV-259383r961107_rule
If name server replies are invalid or cannot be validated, many networking functions and communication would be adversely affected. With DNS, the presence of Delegation Signer (DS) records associated with child zones informs clients of the security status of child zones. These records are crucial to the DNSSEC chain of trust model. Each parent domain's DS record is used to verify the DNSKEY record in its sub domain, from the top of the DNS hierarchy down. A DNS server is an example of an information system providing name/address resolution service. Digital signatures and cryptographic keys are examples of additional artifacts. DNS resource records are examples of authoritative data. Applications other than the DNS, to map between host/service names and network addresses, must provide other means to assure the authenticity and integrity of response data. DNSSEC provides the means to verify integrity assurances for the host/service name to network address resolution information obtained through the service. By using the DS Resource Records (RRs) in the DNS, the security status of a child domain can be validated. The DS RR is used to identify the DNSSEC signing key of a delegated zone. Starting from a trusted name server (such as the root name server) and down to the current source of response through successive verifications of signature of the public key of a child by its parent, the chain of trust is established. The public key of the trusted name servers is called the trust anchor. After authenticating the source, the next process DNSSEC calls for is to authenticate the response. This requires that responses consist of not only the requested RRs but also an authenticator associated with them. In DNSSEC, this authenticator is the digital signature of an RRSet. The digital signature of an RRSet is encapsulated through a special RRType called RRSIG. The DNS client using the trusted public key of the source (whose trust has just been established) then verifies the digital signature to detect if the response is valid or bogus. This control enables the DNS to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service. Without indication of the security status of a child domain and enabling verification of a chain of trust, integrity and availability of the DNS infrastructure cannot be assured. A trust anchor is a preconfigured public key associated with a specific zone. A validating DNS server must be configured with one or more trust anchors to perform validation. If the DNS server is running on a domain controller, trust anchors are stored in the forest directory partition in Active Directory Domain Services (AD DS) and can be replicated to all domain controllers in the forest. On standalone DNS servers, trust anchors are stored in a file named "TrustAnchors.dns". A DNS server running Windows Server also displays configured trust anchors in the DNS Manager console tree in the Trust Points container. Trust anchors can also be viewed by executing Windows PowerShell commands or "Dnscmd.exe" at a Windows command prompt.
Checks: C-63122r945306_chk

Note: This check is not applicable for Windows DNS Servers that host only Active Directory-integrated zones or for Windows DNS Servers on a classified network. Log onto each of the validating Windows DNS Servers. In the DNS Manager console tree, navigate to each hosted zone under the "Trust Points" folder. Two DNSKEY trust points should be displayed, one for the active key and one for the standby key. If each validating Windows DNS Server does not reflect the DNSKEY trust points for each of the hosted zone(s), this is a finding.

Fix: F-63030r945307_fix

Log onto the primary DNS server and click Windows Explorer on the taskbar. Navigate to C:\Windows\System32, right-click the DNS folder, point to "Share with", and then click "Advanced sharing". In the "DNS Properties" dialog box, click "Advanced Sharing", select the "Share this folder" check box, verify the Share name is "DNS", and then click "OK". Click "Close" and then close Windows Explorer. Log on to each of the validating Windows DNS Servers. In the DNS Manager console tree, navigate to the "Trust Points" folder. Right-click "Trust Points", point to "Import", and then click "DNSKEY". In the "Import DNSKEY" dialog box, type \\primaryhost\dns\keyset-domain.mil (where primaryhost represent the FQDN of the Primary DNS Server and domain.mil represents the zone or zones). Click "OK".

b
Automatic Update of Trust Anchors must be enabled on key rollover.
SC-20 - Medium - CCI-001663 - V-259384 - SV-259384r961107_rule
RMF Control
SC-20
Severity
Medium
CCI
CCI-001663
Version
WDNS-22-000056
Vuln IDs
  • V-259384
Rule IDs
  • SV-259384r961107_rule
A trust anchor is a preconfigured public key associated with a specific zone. A validating DNS server must be configured with one or more trust anchors to perform validation. If the DNS server is running on a domain controller, trust anchors are stored in the forest directory partition in Active Directory Domain Services (AD DS) and can be replicated to all domain controllers in the forest. On standalone DNS servers, trust anchors are stored in a file named "TrustAnchors.dns". A DNS server running Windows Server also displays configured trust anchors in the DNS Manager console tree in the "Trust Points" container. Trust anchors can also be viewed by executing Windows PowerShell commands or "Dnscmd.exe" at a Windows command prompt.
Checks: C-63123r945309_chk

Note: This check is not applicable for Windows DNS Servers that host only Active Directory-integrated zones or for Windows DNS Servers on a classified network. Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. If not automatically started, initialize the Server Manager window by clicking its icon from the bottom left corner of the screen. Once the Server Manager window is initialized, from the left pane, click to select the DNS category. From the right pane, under the "SERVERS" section, right-click the DNS server. From the context menu that appears, click "DNS Manager". On the opened DNS Manager snap-in from the left pane, expand the server name and then expand "Forward Lookup Zones". From the expanded list, click to select and then right-click the zone name. From the displayed context menu, click DNSSEC &gt;&gt; Properties. Click the "KSK" tab. For each KSK that is listed under Key signing keys (KSKs), click the KSK, click "Edit", and in the "Key Rollover" section, verify the "Enable automatic rollover" check box is selected. If the "Enable automatic rollover" check box is not selected for every KSK listed, this is a finding.

Fix: F-63031r939856_fix

Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. If not automatically started, initialize the Server Manager window by clicking its icon from the bottom left corner of the screen. Once the Server Manager window is initialized, from the left pane, click to select the DNS category. From the right pane, under the "SERVERS" section, right-click the DNS server. From the context menu that appears, click "DNS Manager". On the opened DNS Manager snap-in from the left pane, expand the server name and then expand "Forward Lookup Zones". From the expanded list, click to select and then right-click the zone name. From the displayed context menu, click DNSSEC >> Properties. Click the "KSK" tab. For each KSK that is listed under key signing keys (KSKs), click the KSK, click "Edit", and in the "Key Rollover" section, select the "Enable automatic rollover" check box.

b
The Windows DNS secondary servers must request data origin authentication verification from the primary server when requesting name/address resolution.
SC-21 - Medium - CCI-002465 - V-259385 - SV-259385r961584_rule
RMF Control
SC-21
Severity
Medium
CCI
CCI-002465
Version
WDNS-22-000057
Vuln IDs
  • V-259385
Rule IDs
  • SV-259385r961584_rule
If data origin authentication and data integrity verification are not performed, the resultant response could be forged, it may have come from a poisoned cache, the packets could have been intercepted without the resolver's knowledge, or resource records could have been removed that would result in query failure or denial of service. Data origin authentication must be performed to thwart these types of attacks. Each client of name resolution services either performs this validation on its own or has authenticated channels to trusted validation providers. Information systems that provide name and address resolution services for local clients include, for example, recursive resolving or caching DNS servers. DNS client resolvers either perform validation of DNSSEC signatures, or clients use authenticated channels to recursive resolvers that perform such validations.
Checks: C-63124r945311_chk

Note: This check is not applicable for Windows DNS Servers that host only Active Directory-integrated zones or for Windows DNS Servers on a classified network. Validate this check from either a Windows 8 client or a Windows 2008 or higher server, authenticated as a Domain Administrator or Local Administrator. Determine a valid host in the zone. Open the Windows PowerShell prompt on the Windows 10 or higher client. Issue the following command: (Replace www.zonename.mil with a FQDN of a valid host in the zone being validated. Replace ###.###.###.### with the FQDN or IP address of the Windows DNS Server hosting the signed zone.) resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok &lt;enter&gt; Note: It is important to use the -server switch followed by the DNS server name/IP address. The result should show the "A" record results. In addition, the results should show QueryType: RRSIG with an expiration, date signed, signer, and signature, similar to the following: Name: www.zonename.mil QueryType: RRSIG TTL: 189 Section: Answer TypeCovered: CNAME Algorithm: 8 LabelCount: 3 OriginalTtl: 300 Expiration: 11/21/2022 10:22:28 PM Signed: 10/22/2022 10:22:28 PM Signer: zonename.mil Signature: {87, 232, 34, 134...} Name: origin-www.zonename.mil QueryType: A TTL: 201 Section: Answer IP4Address: ###.###.###.### If the results do not show the RRSIG and signature information, this is a finding.

Fix: F-63032r939859_fix

Sign or re-sign the hosted zone(s) on the DNS server being validated. Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. Press the Windows key + R and execute "dnsmgmt.msc". On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". From the expanded list, right-click to select the zone (repeat for each hosted zone), point to DNSSEC, and then click "Sign the Zone" using either approved saved parameters or approved custom parameters.

b
The Windows DNS secondary server must request data integrity verification from the primary server when requesting name/address resolution.
SC-21 - Medium - CCI-002466 - V-259386 - SV-259386r961587_rule
RMF Control
SC-21
Severity
Medium
CCI
CCI-002466
Version
WDNS-22-000058
Vuln IDs
  • V-259386
Rule IDs
  • SV-259386r961587_rule
If data origin authentication and data integrity verification are not performed, the resultant response could be forged, it may have come from a poisoned cache, the packets could have been intercepted without the resolver's knowledge, or resource records could have been removed that would result in query failure or denial of service. Data integrity verification must be performed to thwart these types of attacks. Each client of name resolution services either performs this validation on its own or has authenticated channels to trusted validation providers. Information systems that provide name and address resolution services for local clients include, for example, recursive resolving or caching DNS servers. DNS client resolvers either perform validation of DNSSEC signatures, or clients use authenticated channels to recursive resolvers that perform such validations.
Checks: C-63125r945313_chk

Note: This check is not applicable for Windows DNS Servers that host only Active Directory-integrated zones or for Windows DNS Servers on a classified network. Validate this check from the Windows DNS Server being configured/reviewed. Log on to the Windows DNS Server using the account designated as Administrator or DNS Administrator. Determine a valid host in the zone. Open the Windows PowerShell prompt on the Windows DNS Server being configured/reviewed. Issue the following command: (Replace www.zonename.mil with a FQDN of a valid host in the zone being validated. Replace ###.###.###.### with the FQDN or IP address of the Windows DNS Server hosting the signed zone.) resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok &lt;enter&gt; Note: It is important to use the -server switch followed by the DNS server name/IP address. The result should show the "A" record results. In addition, the results should show QueryType: RRSIG with an expiration, date signed, signer, and signature, similar to the following: Name: www.zonename.mil QueryType: RRSIG TTL: 189 Section: Answer TypeCovered: CNAME Algorithm: 8 LabelCount: 3 OriginalTtl: 300 Expiration: 11/21/2022 10:22:28 PM Signed: 10/22/2022 10:22:28 PM Signer: zonename.mil Signature: {87, 232, 34, 134...} Name: origin-www.zonename.mil QueryType: A TTL: 201 Section: Answer IP4Address: ###.###.###.### If the results do not show the RRSIG and signature information, this is a finding.

Fix: F-63033r945314_fix

Sign or re-sign the hosted zone(s) on the DNS server being validated. Log on to the Windows DNS Server using the account designated as Administrator or DNS Administrator. Press the Windows key + R and execute "dnsmgmt.msc". On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". From the expanded list, right-click to select the zone (repeat for each hosted zone), point to DNSSEC, and then click "Sign the Zone" using either approved saved parameters or approved custom parameters.

b
The Windows DNS secondary server must validate data integrity verification on the name/address resolution responses received from primary name servers.
SC-21 - Medium - CCI-002467 - V-259387 - SV-259387r961590_rule
RMF Control
SC-21
Severity
Medium
CCI
CCI-002467
Version
WDNS-22-000059
Vuln IDs
  • V-259387
Rule IDs
  • SV-259387r961590_rule
If data origin authentication and data integrity verification are not performed, the resultant response could be forged, it may have come from a poisoned cache, the packets could have been intercepted without the resolver's knowledge, or resource records could have been removed that would result in query failure or denial of service. Data integrity verification must be performed to thwart these types of attacks. Each client of name resolution services either performs this validation on its own or has authenticated channels to trusted validation providers. Information systems that provide name and address resolution services for local clients include, for example, recursive resolving or caching DNS servers. DNS client resolvers either perform validation of DNSSEC signatures, or clients use authenticated channels to recursive resolvers that perform such validations.
Checks: C-63126r945316_chk

Note: This check is not applicable for Windows DNS Servers that host only Active Directory-integrated zones or for Windows DNS Servers on a classified network. Validate this check from the Windows DNS Server being configured/reviewed. Log on to the Windows DNS Server using the account designated as Administrator or DNS Administrator. Determine a valid host in the zone. Open the Windows PowerShell prompt on the Windows DNS Server being configured/reviewed. Issue the following command: (Replace www.zonename.mil with a FQDN of a valid host in the zone being validated. Replace ###.###.###.### with the FQDN or IP address of the Windows DNS Server hosting the signed zone.) resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok &lt;enter&gt; Note: It is important to use the -server switch followed by the DNS server name/IP address. The result should show the "A" record results. In addition, the results should show QueryType: RRSIG with an expiration, date signed, signer, and signature, similar to the following: Name: www.zonename.mil QueryType: RRSIG TTL: 189 Section: Answer TypeCovered: CNAME Algorithm: 8 LabelCount: 3 OriginalTtl: 300 Expiration: 11/21/2014 10:22:28 PM Signed: 10/22/2014 10:22:28 PM Signer: zonename.mil Signature: {87, 232, 34, 134...} Name: origin-www.zonename.mil QueryType: A TTL: 201 Section: Answer IP4Address: ###.###.###.### If the results do not show the RRSIG and signature information, this is a finding.

Fix: F-63034r945317_fix

Sign or re-sign the hosted zone(s) on the DNS server being validated. Log on to the Windows DNS Server using the account designated as Administrator or DNS Administrator. Press the Windows key + R and execute "dnsmgmt.msc". On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". From the expanded list, right-click to select the zone (repeat for each hosted zone), point to DNSSEC, and then click "Sign the Zone" using either approved saved parameters or approved custom parameters.

b
The Windows DNS secondary server must validate data origin verification authentication on the name/address resolution responses received from primary name servers.
SC-21 - Medium - CCI-002468 - V-259388 - SV-259388r961593_rule
RMF Control
SC-21
Severity
Medium
CCI
CCI-002468
Version
WDNS-22-000060
Vuln IDs
  • V-259388
Rule IDs
  • SV-259388r961593_rule
If data origin authentication and data integrity verification are not performed, the resultant response could be forged, it may have come from a poisoned cache, the packets could have been intercepted without the resolver's knowledge, or resource records could have been removed that would result in query failure or denial of service. Data origin authentication verification must be performed to thwart these types of attacks. Each client of name resolution services either performs this validation on its own or has authenticated channels to trusted validation providers. Information systems that provide name and address resolution services for local clients include, for example, recursive resolving or caching DNS servers. DNS client resolvers either perform validation of DNSSEC signatures, or clients use authenticated channels to recursive resolvers that perform such validations.
Checks: C-63127r945319_chk

Note: This check is not applicable for Windows DNS Servers that host only Active Directory-integrated zones or for Windows DNS Servers on a classified network. Validate this check from the Windows DNS Server being configured/reviewed. Log on to the Windows DNS Server using the account designated as Administrator or DNS Administrator. Determine a valid host in the zone. Open the Windows PowerShell prompt on the Windows DNS Server being configured/reviewed. Issue the following command: (Replace www.zonename.mil with a FQDN of a valid host in the zone being validated. Replace ###.###.###.### with the FQDN or IP address of the Windows DNS Server hosting the signed zone.) resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok &lt;enter&gt; Note: It is important to use the -server switch followed by the DNS server name/IP address. The result should show the "A" record results. In addition, the results should show QueryType: RRSIG with an expiration, date signed, signer, and signature, similar to the following: Name: www.zonename.mil QueryType: RRSIG TTL: 189 Section: Answer TypeCovered: CNAME Algorithm: 8 LabelCount: 3 OriginalTtl: 300 Expiration: 11/21/2022 10:22:28 PM Signed: 10/22/2022 10:22:28 PM Signer: zonename.mil Signature: {87, 232, 34, 134...} Name: origin-www.zonename.mil QueryType: A TTL: 201 Section: Answer IP4Address: ###.###.###.### If the results do not show the RRSIG and signature information, this is a finding.

Fix: F-63035r945320_fix

Sign or re-sign the hosted zone(s) on the DNS server being validated. Log on to the Windows DNS Server using the account designated as Administrator or DNS Administrator. Press the Windows key + R and execute "dnsmgmt.msc". On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". From the expanded list, right-click to select the zone (repeat for each hosted zone), point to DNSSEC, and then click "Sign the Zone" using either approved saved parameters or approved custom parameters.

b
The Windows DNS Server must protect the authenticity of zone transfers via transaction signing.
SC-23 - Medium - CCI-001184 - V-259389 - SV-259389r961110_rule
RMF Control
SC-23
Severity
Medium
CCI
CCI-001184
Version
WDNS-22-000061
Vuln IDs
  • V-259389
Rule IDs
  • SV-259389r961110_rule
Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. This applies to server-to-server (zone transfer) transactions and is provided by TSIG/SIG(0), which enforces mutual server authentication using a key that is unique to each server pair, TSIG, or using PKI-based authentication, SIG(0), thus uniquely identifying the other server. TSIG and SIG(0) are not configurable in Windows DNS Server. To meet the requirement for authentication between Windows DNS Servers, IPsec will be implemented between the Windows DNS Servers that hosts any non-Active Directory (AD)-integrated zones.
Checks: C-63128r945322_chk

Note: This requirement applies to any Windows DNS Servers that host non-AD-integrated zones (file based) even if the DNS servers host AD-integrated zones, too. If the Windows DNS Servers host only AD-integrated zones, this requirement is not applicable. To protect authenticity of zone transfers between Windows DNS Servers with file-based zones, IPsec must be configured on each pair of name servers in a zone transfer transaction for those zones. Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. Press the Windows key + R and execute "gpme.msc" to open the Group Policy Management feature. In the "Browse for Group Policy Object" dialog box, double-click "Domain Controllers.domain.com". Click "Default Domain Controllers Policy" and click "OK". In the console tree, open Computer Configuration\Policies\Windows Settings\Security Settings\Windows Defender Firewall with Advanced Security\Windows Defender Firewall with Advanced Security - Local Group Policy Object. Click Connection Security Rules. Consult with the SA to determine which Rules meet the intent of the server-to-server authentication. If Rules exist, double-click on each Rule to verify the following: For the "Authentication:" tab, click on the "Customize..." button. On the Authentication tab, verify "Authentication mode:" is set to "Request authentication for inbound and outbound connections". Confirm the "Signing Algorithm" is set to "RSA (default)". Under "Method", ensure the "Advanced:" radio button is selected. Click the "Customize" button. For "First authentication methods:", double-click on the entry. Verify the "Select the credential to use for first authentication:" has "Computer certificate from this certification authority (CA):" radio button selected. Review the certificate specified and verify the certificate used was generated by the internally-managed server performing the Active Directory Certificate Services (AD CS) role. If rules do not exist for server-to-server authentication, this is a finding. If rules exist for this server to authenticate to other name servers hosting the same file based zones when transacting zone transfers, but the rules are not configured with the above settings, this is a finding.

Fix: F-63036r945323_fix

Complete the following procedures twice for each pair of name servers. Create a rule for UDP connections and then create a rule for TCP connections. Refer to the Microsoft Windows Server DNS Overview.pdf for Microsoft links for this procedure. Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. Press the Windows key + R and execute "gpme.msc" to open the Group Policy Management feature. In the "Browse for Group Policy Object" dialog box, double-click "Domain Controllers.domain.com". Click "Default Domain Controllers Policy" and click "OK". In the console tree, open Computer Configuration\Policies\Windows Settings\Security Settings\Windows Defender Firewall with Advanced Security\Windows Defender Firewall with Advanced Security - Local Group Policy Object. Right-click "Connection Security Rules" and select "New". For "Rule Type", select the "Server-to-server" radio button and click "Next". For Endpoint 1 and Endpoint 2, select "These IP addresses:" and add the IP addresses of all DNS servers. Click "Next". For "Requirements", select "Request authentication for inbound and outbound connections" and click "Next". For "Authentication Method", select Computer certificate and from the "Signing Algorithm:" drop-down, select "RSA (default)". From the "Certificate store type:" drop-down, select "Root CA (default). From "CA name:", click "Browse" and select the certificate generated by the internally managed server performing the AD CS role. Click "Next". On "Profile", accept the default selections and click "Next". On "Name", enter a name applicable to the rule's function (i.e., DNSSEC UDP). Click "Finish".

c
The Windows DNS Server must protect the authenticity of dynamic updates via transaction signing.
SC-23 - High - CCI-001184 - V-259390 - SV-259390r961110_rule
RMF Control
SC-23
Severity
High
CCI
CCI-001184
Version
WDNS-22-000062
Vuln IDs
  • V-259390
Rule IDs
  • SV-259390r961110_rule
DNS is a fundamental network service that is prone to various attacks, such as cache poisoning and man-in-the middle attacks. If communication sessions are not provided appropriate validity protections, such as the employment of DNSSEC, the authenticity of the data cannot be guaranteed. The combination of signing DNS zones by DNSSEC and requiring clients to send their dynamic updates securely ensures the authenticity of those DNS records when providing query responses for them.
Checks: C-63129r945325_chk

Note: This check is not applicable for Windows DNS Servers that host only Active Directory-integrated zones or for Windows DNS Servers on a classified network. Once resource records are received by a DNS server via a secure dynamic update, the resource records will automatically become signed by DNSSEC if the zone was originally signed by DNSSEC. Authenticity of query responses for resource records dynamically updated can be validated by querying for whether the zone/record is signed by DNSSEC. Validate this check from the Windows DNS Server being configured/reviewed. Log on to the Windows DNS Server using the account designated as Administrator or DNS Administrator. Determine a valid host in the zone. Open the Windows PowerShell prompt on the Windows DNS Server being configured/reviewed. Issue the following command: (Replace www.zonename.mil with a FQDN of a valid host in the zone being validated. Replace 131.77.60.235 with the FQDN or IP address of the Windows DNS Server hosting the signed zone.) resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok &lt;enter&gt; Note: It is important to use the -server switch followed by the DNS server name/IP address. The result should show the "A" record results. In addition, the results should show QueryType: RRSIG with an Expirations, date signed, signer, and signature, similar to the following: Name : www.zonename.mil QueryType : RRSIG TTL : 189 Section : Answer TypeCovered : CNAME Algorithm : 8 LabelCount : 3 OriginalTtl : 300 Expiration : 11/21/2014 10:22:28 PM Signed : 10/22/2014 10:22:28 PM Signer : zonename.mil Signature : {87, 232, 34, 134...} Name : origin-www.zonename.mil QueryType : A TTL : 201 Section : Answer IP4Address : 156.112.108.76 If the results do not show the RRSIG and signature information, this is a finding.

Fix: F-63037r945326_fix

Sign or re-sign the hosted zone(s) on the DNS server being validated. Log on to the Windows DNS Server using the account designated as Administrator or DNS Administrator. If not automatically started, initialize the Server Manager window by clicking its icon from the bottom left corner of the screen. Once the Server Manager window is initialized, from the left pane, click to select the DNS category. From the right pane, under the "SERVERS" section, right-click the DNS server. From the context menu that appears, click "DNS Manager". In the DNS Manager console tree on the DNS server being validated, navigate to "Forward Lookup Zones". Right-click the zone (repeat for each hosted zone), point to DNSSEC, and then click "Sign the Zone" using either approved saved parameters or approved custom parameters.

b
The Windows DNS Server must protect the authenticity of query responses via DNSSEC.
SC-23 - Medium - CCI-001184 - V-259391 - SV-259391r961110_rule
RMF Control
SC-23
Severity
Medium
CCI
CCI-001184
Version
WDNS-22-000063
Vuln IDs
  • V-259391
Rule IDs
  • SV-259391r961110_rule
The underlying feature in the major threat associated with DNS query/response (i.e., forged response or response failure) is the integrity of DNS data returned in the response. An integral part of integrity verification is to ensure that valid data has originated from the right source. DNSSEC is required for securing the DNS query/response transaction by providing data origin authentication and data integrity verification through signature verification and the chain of trust.
Checks: C-63130r945328_chk

Note: This check is not applicable for Windows DNS Servers that host only Active Directory-integrated zones or for Windows DNS Servers on a classified network. Authenticity of query responses is provided with DNSSEC signing of zones. Validate this check from the Windows DNS Server being configured/reviewed. Log on to the Windows DNS Server using the account designated as Administrator or DNS Administrator. Determine a valid host in the zone. Open the Windows PowerShell prompt on the Windows DNS Server being configured/reviewed. Issue the following command: (Replace www.zonename.mil with a FQDN of a valid host in the zone being validated. Replace ###.###.###.### with the FQDN or IP address of the Windows DNS Server hosting the signed zone.) resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok &lt;enter&gt; Note: It is important to use the -server switch followed by the DNS server name/IP address. The result should show the "A" record results. In addition, the results should show QueryType: RRSIG with an expiration, date signed, signer, and signature, similar to the following: Name: www.zonename.mil QueryType: RRSIG TTL: 189 Section: Answer TypeCovered: CNAME Algorithm: 8 LabelCount: 3 OriginalTtl: 300 Expiration: 11/21/2014 10:22:28 PM Signed: 10/22/2014 10:22:28 PM Signer: zonename.mil Signature: {87, 232, 34, 134...} Name: origin-www.zonename.mil QueryType: A TTL: 201 Section: Answer IP4Address: ###.###.###.### If the results do not show the RRSIG and signature information, this is a finding.

Fix: F-63038r939877_fix

Sign or re-sign the hosted zone(s) on the DNS server being validated. In the DNS Manager console tree on the DNS server being validated, navigate to "Forward Lookup Zones". Right-click the zone (repeat for each hosted zone), point to DNSSEC, and then click "Sign the Zone" using either saved parameters or custom parameters.

b
The Windows DNS Server must use an approved DOD PKI certificate authority.
SC-23 - Medium - CCI-002470 - V-259392 - SV-259392r961596_rule
RMF Control
SC-23
Severity
Medium
CCI
CCI-002470
Version
WDNS-22-000064
Vuln IDs
  • V-259392
Rule IDs
  • SV-259392r961596_rule
Untrusted certificate authorities (CA) can issue certificates, but the certificates may be issued by organizations or individuals that seek to compromise DOD systems or by organizations with insufficient security controls. If the CA used for verifying the certificate is not a DOD-approved CA, trust of this CA has not been established. The DOD will only accept PKI certificates obtained from a DOD-approved internal or external certificate authority. Reliance on CAs for the establishment of secure sessions includes, for example, the use of SSL/TLS certificates. TSIG and SIG(0) are not configurable in Windows DNS Server. To meet the requirement for authentication between Windows DNS Servers, IPsec must be implemented between the Windows DNS Servers. Note: If multiple certificates from the same CA are present on the DNS server, IPsec authentication might fail due to an incorrect certificate being chosen. For this purpose, an Active Directory Certificate Services (AD CS) role must be installed and configured as an Enterprise certificate authority (CA). Refer to the Microsoft Windows Server DNS Overview.pdf for references on deploying certificates for this procedure.
Checks: C-63131r945330_chk

Note: This requirement applies to any Windows DNS Servers that host non-AD-integrated zones even if the DNS servers host AD-integrated zones, too. This requirement is not applicable to servers with only a caching role. If the Windows DNS Servers host only AD-integrated zones, this requirement is not applicable. Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. Press the Windows key + R and execute "gpme.msc" to open the Group Policy Management feature. In the "Browse for Group Policy Object" dialog box, double-click "Domain Controllers.domain.com". Click "Default Domain Controllers Policy" and click "OK". In the console tree, open Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security - LDAP. Click "Connection Security Rules". Consult with the system administrator to determine which Rules meet the intent of DNSSEC server-to-server authentication. Double-click on each "Rule" to verify the following: For the "Authentication" tab, click on the "Customize..." button. On the "Authentication" tab, verify "Authentication mode:" is set to "Request authentication for inbound and outbound connections". Confirm the "Signing Algorithm" is set to "RSA (default)". Under "Method", verify the "Advanced:" radio button is selected. Click the "Customize" button. For "First authentication methods:", double-click on the entry. Verify the "Select the credential to use for first authentication:" has "Computer certificate from this certification authority (CA):" radio button selected. Review the certificate specified and verify the certificate used was generated by the internally managed server performing the AD CS role. If the certificate used does not meet the requirements, this is a finding.

Fix: F-63039r945331_fix

Complete the following procedures twice for each pair of name servers. Create a rule for UDP connections and then create a rule for TCP connections. Refer to the Microsoft Windows Server DNS Overview.pdf for Microsoft links for this procedure. Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. Press the Windows key + R and execute "gpme.msc" to open the Group Policy Management feature. In the "Browse for Group Policy Object" dialog box, double-click "Domain Controllers.domain.com". Click "Default Domain Controllers Policy" and click "OK". In the console tree, open Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security - LDAP. Right-click "Connection Security Rules" and select "New". For "Rule Type", select the "Server-to-server" radio button and click "Next". For Endpoint 1 and Endpoint 2, select "These IP addresses:" and add the IP addresses of all DNS servers. Click "Next". For "Requirements", select "Request authentication for inbound and outbound connections" and click "Next". For "Authentication Method", select Computer certificate and from the "Signing Algorithm:" drop-down, select "RSA (default)". From the "Certificate store type:" drop-down, select "Root CA (default)". From the "CA name:", click "Browse" and select the certificate generated by the internally managed server performing the AD CS role. Click "Next". On "Profile", accept the default selections and click "Next". On "Name", enter a name applicable to the rule's function (i.e., DNSSEC UDP). Click "Finish".

b
The Windows DNS Server must protect secret/private cryptographic keys while at rest.
SC-28 - Medium - CCI-001199 - V-259393 - SV-259393r961128_rule
RMF Control
SC-28
Severity
Medium
CCI
CCI-001199
Version
WDNS-22-000065
Vuln IDs
  • V-259393
Rule IDs
  • SV-259393r961128_rule
Information at rest refers to the state of information when it is located on a secondary storage device within an organizational information system. Mobile devices, laptops, desktops, and storage devices can be either lost or stolen, and the contents of their data storage (e.g., hard drives and nonvolatile memory) can be read, copied, or altered. Applications and application users generate information throughout the course of their application use. The DNS server must protect the confidentiality and integrity of shared keys for TSIG and private keys for SIG(0) and must protect the integrity of DNS information. There is no need to protect the confidentiality of DNS information because it is accessible by all devices that can contact the server.
Checks: C-63132r939882_chk

To verify the cryptographic keys are protected after being backed up to another medium (tape, disk, SAN, etc.), consult with the system administrator to determine the backup policy in place for the DNS server. If a backup policy does not exist or the backup policy does not specify the protection required for the backup medium to be at or above the level as the server, this is a finding.

Fix: F-63040r939883_fix

To ensure the cryptographic keys are protected after being backed up to tape or other medium, develop a backup policy that includes the protection of backup date at or above the level as the DNS server.

b
The Windows DNS Server must only contain zone records that have been validated annually.
SC-28 - Medium - CCI-002475 - V-259394 - SV-259394r961599_rule
RMF Control
SC-28
Severity
Medium
CCI
CCI-002475
Version
WDNS-22-000066
Vuln IDs
  • V-259394
Rule IDs
  • SV-259394r961599_rule
If zone information has not been validated in more than a year, there is no assurance that it is still valid. If invalid records are in a zone, an adversary could potentially use their existence for improper purposes. A standard operating procedure detailing this process can resolve this requirement.
Checks: C-63133r939885_chk

This requirement is not applicable for a Windows DNS Server that is hosting only Active Directory (AD)-integrated zones. For a Windows DNS Server that hosts a mix of AD-integrated zones and manually maintained zones, ask the DNS database administrator if they maintain a separate database with record documentation for the non-AD-integrated zone information. Verify that the record's last verified date is less than one year prior to the date of the review. If a separate database with record documentation is not maintained for the non-AD-integrated zone information, this is a finding. If a separate database with record documentation is maintained for the non-AD-integrated zone information, log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. Press the Windows key + R and execute "dnsmgmt.msc". On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". From the expanded list, click to select the zone. Review the zone records of the non-AD-integrated zones and compare to the separate documentation maintained. Determine if any records have not been validated in more than a year. If zone records exist that have not been validated in more than a year, this is a finding.

Fix: F-63041r939886_fix

Create a separate database to maintain record documentation for non-AD-integrated zones. Develop a procedure to validate annually all zone information on the DNS server against the separately maintained database. Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. Press the Windows key + R and execute "dnsmgmt.msc". On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". From the expanded list, click to select the zone. Select the zone records that have not been validated in more than a year and revalidate.

b
The Windows DNS Server must restrict individuals from using it for launching denial-of-service (DoS) attacks against other information systems.
SC-5 - Medium - CCI-001094 - V-259395 - SV-259395r961152_rule
RMF Control
SC-5
Severity
Medium
CCI
CCI-001094
Version
WDNS-22-000067
Vuln IDs
  • V-259395
Rule IDs
  • SV-259395r961152_rule
Applications and application developers must take steps to ensure users cannot use an authorized application to launch DoS attacks against other systems and networks. For example, applications may include mechanisms that throttle network traffic, so users are not able to generate unlimited network traffic via the application. Limiting system resources that are allocated to any user to a bare minimum may also reduce the ability of users to launch some DoS attacks.
Checks: C-63134r939888_chk

Review the DNS server to confirm the server restricts direct and remote console access to users other than Administrators. Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy &gt;&gt; Computer Configuration &gt;&gt; Windows Settings &gt;&gt; Security Settings &gt;&gt; Local Policies &gt;&gt; User Rights Assignment. If any accounts or groups other than the following are granted the "Allow log on through Remote Desktop Services" user right, this is a finding: Administrators Navigate to Local Computer Policy &gt;&gt; Computer Configuration &gt;&gt; Windows Settings &gt;&gt; Security Settings &gt;&gt; Local Policies &gt;&gt; User Rights Assignment. If the following accounts or groups are not defined for the "Deny access to this computer from the network" user right, this is a finding: Guests Group Navigate to Local Computer Policy &gt;&gt; Computer Configuration &gt;&gt; Windows Settings &gt;&gt; Security Settings &gt;&gt; Local Policies &gt;&gt; User Rights Assignment. If the following accounts or groups are not defined for the "Deny log on locally" user right, this is a finding: Guests Group

Fix: F-63042r939889_fix

Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> Allow log on through Remote Desktop Services to include only the following accounts or groups: Administrators Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> Deny access to this computer from the network to include the following: Guests Group Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> Deny log on locally to include the following: Guests Group

b
The Windows DNS Server must use DNS Notify to prevent denial of service (DoS) through increase in workload.
SC-5 - Medium - CCI-001095 - V-259396 - SV-259396r961155_rule
RMF Control
SC-5
Severity
Medium
CCI
CCI-001095
Version
WDNS-22-000068
Vuln IDs
  • V-259396
Rule IDs
  • SV-259396r961155_rule
In the case of application DoS attacks, care must be taken when designing the application to ensure it makes the best use of system resources. SQL queries have the potential to consume large amounts of CPU cycles if they are not tuned for optimal performance. Web services containing complex calculations requiring large amounts of time to complete can bog down if too many requests for the service are encountered within a short period of time.
Checks: C-63135r939891_chk

Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. Press the Windows key + R and execute "dnsmgmt.msc". On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". From the expanded list, click to select the zone. In the list of hosts, review the Name Server (NS) records. Determine if any of the hosts listed as NS records are non-Active Directory (AD)-integrated servers. If the DNS server hosts only AD-integrated zones and no non-AD-integrated DNS servers are acting as secondary DNS servers for the zones, this check is not applicable. For a non-AD-integrated DNS server, right-click on the "Forward Lookup Zone" and select "Properties". On the opened zone's properties box, go to the "Zone Transfers" tab. On the displayed interface, determine if the "Allow zone transfers" check box is selected. If the "Allow zone transfers" check box is selected, click the "Notify" button and verify "Automatically notify with Servers" is listed on the "Name Servers" tab. If the "Notify" button is not enabled for non-AD-integrated DNS servers, this is a finding.

Fix: F-63043r939892_fix

Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. Press the Windows key + R and execute "dnsmgmt.msc". On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". From the expanded list, click to select the zone. In the list of hosts, review the NS records. Determine if any of the hosts listed as NS records are non-AD-integrated servers. If the DNS server hosts only AD-integrated zones and no non-AD-integrated DNS servers are acting as secondary DNS servers for the zones, this is not applicable. For a non-AD-integrated DNS server, log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. On the opened DNS Manager snap-in from the left pane, expand the server name and then expand "Forward Lookup Zones". From the expanded list, click to select and then right-click the zone name. From the displayed context menu, click the "Properties" option. On the opened zone's properties box, go to the "Zone Transfers" tab. On the displayed interface, determine if the "Allow zone transfers" check box is selected. If the "Allow zone transfers" check box is selected, click the "Notify" button and enable Notify to the non-AD-integrated DNS servers.

c
The Windows DNS Server must protect the integrity of transmitted information.
SC-8 - High - CCI-002418 - V-259397 - SV-259397r961632_rule
RMF Control
SC-8
Severity
High
CCI
CCI-002418
Version
WDNS-22-000069
Vuln IDs
  • V-259397
Rule IDs
  • SV-259397r961632_rule
Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, logical means (cryptography) do not have to be employed, and vice versa. Confidentiality is not an objective of DNS, but integrity is. DNSSEC and TSIG/SIG(0) both digitally sign DNS information to authenticate its source and ensure its integrity.
Checks: C-63136r945337_chk

Note: This check is not applicable for Windows DNS Servers that host only Active Directory-integrated zones or for Windows DNS Servers on a classified network. Validate this check from the Windows DNS Server being configured/reviewed. Log on to the Windows DNS Server using the account designated as Administrator or DNS Administrator. Determine a valid host in the zone. Open the Windows PowerShell prompt on the Windows DNS Server being configured/reviewed. Issue the following command: (Replace www.zonename.mil with a FQDN of a valid host in the zone being validated. Replace ###.###.###.### with the FQDN or IP address of the Windows DNS Server hosting the signed zone.) resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok &lt;enter&gt; Note: It is important to use the -server switch followed by the DNS server name/IP address. The result should show the "A" record results. In addition, the results should show QueryType: RRSIG with an expiration, date signed, signer, and signature, similar to the following: Name: www.zonename.mil QueryType: RRSIG TTL: 189 Section: Answer TypeCovered: CNAME Algorithm: 8 LabelCount: 3 OriginalTtl: 300 Expiration: 11/21/2014 10:22:28 PM Signed 10/22/2014 10:22:28 PM Signer: zonename.mil Signature: {87, 232, 34, 134...} Name: origin-www.zonename.mil QueryType: A TTL: 201 Section: Answer IP4Address: ###.###.###.### If the results do not show the RRSIG and signature information, this is a finding.

Fix: F-63044r945338_fix

Sign or re-sign the hosted zone(s) on the DNS server being validated. Log on to the Windows DNS Server using the account designated as Administrator or DNS Administrator. Press the Windows key + R and execute "dnsmgmt.msc". On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". From the expanded list, right-click to select the zone (repeat for each hosted zone), point to DNSSEC, and then click "Sign the Zone" using either approved saved parameters or approved custom parameters.

b
The Windows DNS Server must maintain the integrity of information during preparation for transmission.
SC-8 - Medium - CCI-002420 - V-259398 - SV-259398r961638_rule
RMF Control
SC-8
Severity
Medium
CCI
CCI-002420
Version
WDNS-22-000070
Vuln IDs
  • V-259398
Rule IDs
  • SV-259398r961638_rule
Information can be unintentionally or maliciously disclosed or modified during preparation for transmission, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information.
Checks: C-63137r945340_chk

Note: This check is not applicable for Windows DNS Servers that host only Active Directory-integrated zones or for Windows DNS Servers on a classified network. Validate this check from the Windows DNS Server being configured/reviewed. Log on to the Windows DNS Server using the account designated as Administrator or DNS Administrator. Determine a valid host in the zone. Open the Windows PowerShell prompt on the Windows DNS Server being configured/reviewed. Issue the following command: (Replace www.zonename.mil with a FQDN of a valid host in the zone being validated. Replace ###.###.###.### with the FQDN or IP address of the Windows DNS Server hosting the signed zone.) resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok &lt;enter&gt; Note: It is important to use the -server switch followed by the DNS server name/IP address. The result should show the "A" record results. In addition, the results should show QueryType: RRSIG with an expiration, date signed, signer, and signature, similar to the following: Name: www.zonename.mil QueryType: RRSIG TTL: 189 Section: Answer TypeCovered: CNAME Algorithm: 8 LabelCount: 3 OriginalTtl: 300 Expiration: 11/21/2014 10:22:28 PM Signed: 10/22/2014 10:22:28 PM Signer: zonename.mil Signature: {87, 232, 34, 134...} Name: origin-www.zonename.mil QueryType: A TTL: 201 Section: Answer IP4Address: ###.###.###.### If the results do not show the RRSIG and signature information, this is a finding.

Fix: F-63045r945341_fix

Sign or re-sign the hosted zone(s) on the DNS server being validated. Log on to the Windows DNS Server using the account designated as Administrator or DNS Administrator. Press the Windows key + R and execute "dnsmgmt.msc". On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server, and then expand "Forward Lookup Zones". From the expanded list, right-click to select the zone (repeat for each hosted zone), point to DNSSEC, and then click "Sign the Zone" using either approved saved parameters or approved custom parameters.

b
The Windows DNS Server must maintain the integrity of information during reception.
SC-8 - Medium - CCI-002422 - V-259399 - SV-259399r961641_rule
RMF Control
SC-8
Severity
Medium
CCI
CCI-002422
Version
WDNS-22-000071
Vuln IDs
  • V-259399
Rule IDs
  • SV-259399r961641_rule
Information can be unintentionally or maliciously disclosed or modified during preparation for transmission, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information.
Checks: C-63138r945343_chk

Note: This check is not applicable for Windows DNS Servers that host only Active Directory-integrated zones or for Windows DNS Servers on a classified network. Validate this check from the Windows DNS Server being configured/reviewed. Log on to the Windows DNS Server using the account designated as Administrator or DNS Administrator. Determine a valid host in the zone. Open the Windows PowerShell prompt on the Windows DNS Server being configured/reviewed. Issue the following command: (Replace www.zonename.mil with a FQDN of a valid host in the zone being validated. Replace ###.###.###.### with the FQDN or IP address of the Windows DNS Server hosting the signed zone.) resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok &lt;enter&gt; Note: It is important to use the -server switch followed by the DNS server name/IP address. The result should show the "A" record results. In addition, the results should show QueryType: RRSIG with an expiration, date signed, signer, and signature, similar to the following: Name: www.zonename.mil QueryType: RRSIG TTL: 189 Section: Answer TypeCovered: CNAME Algorithm: 8 LabelCount: 3 OriginalTtl: 300 Expiration: 11/21/2022 10:22:28 PM Signed: 10/22/2022 10:22:28 PM Signer: zonename.mil Signature: {87, 232, 34, 134...} Name: origin-www.zonename.mil QueryType: A TTL: 201 Section: Answer IP4Address: ###.###.###.### If the results do not show the RRSIG and signature information, this is a finding.

Fix: F-63046r945344_fix

Sign or re-sign the hosted zone(s) on the DNS server being validated. Log on to the Windows DNS Server using the Domain Admin or Enterprise Admin account. Press the Windows key + R and execute "dnsmgmt.msc". On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server, and then expand "Forward Lookup Zones". From the expanded list, right-click to select the zone (repeat for each hosted zone), point to DNSSEC, and then click "Sign the Zone" using either approved saved parameters or approved custom parameters.

b
The Windows DNS Server must implement NIST FIPS-validated cryptography for provisioning digital signatures, generating cryptographic hashes, and protecting unclassified information requiring confidentiality.
SC-13 - Medium - CCI-002450 - V-259400 - SV-259400r961857_rule
RMF Control
SC-13
Severity
Medium
CCI
CCI-002450
Version
WDNS-22-000072
Vuln IDs
  • V-259400
Rule IDs
  • SV-259400r961857_rule
Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The application must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. The choice of digital signature algorithm will be based on recommended algorithms in well-known standards. NIST's Digital Signature Standard (DSS) (FIPS186) provides three algorithm choices: - Digital Signature Algorithm (DSA). - RSA. - Elliptic Curve DSA (ECDSA). Of these three algorithms, RSA and DSA are more widely available and considered candidates of choice for DNSSEC. Both RSA and DSA have comparable signature generation speeds, but DSA is much slower for signature verification. RSA is the recommended algorithm for this guideline. RSA with SHA-1 is currently the only cryptographic algorithm mandated to be implemented with DNSSEC, although other algorithm suites (i.e., RSA/SHA-256, ECDSA) are also specified. It can be expected that name servers and clients will be able to use the RSA algorithm at a minimum. It is suggested that at least one ZSK for a zone use the RSA algorithm. NIST's Secure Hash Standard (SHS) (FIPS 180-3) specifies SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512 as approved hash algorithms to be used as part of the algorithm suite for generating digital signatures using the digital signature algorithms in NIST's DSS (FIPS186). It is expected that there will be support for Elliptic Curve Cryptography in the DNSSEC. The migration path for USG DNSSEC operation will be to ECDSA (or similar) from RSA/SHA-1 and RSA/SHA-256 before 30 September 2015.
Checks: C-63139r945346_chk

Note: This requirement applies to any Windows DNS Server that hosts non-Active Directory (AD)-integrated zones even if the DNS servers host AD-integrated zones, too. If the Windows DNS Server hosts only AD-integrated zones and does not host any file-based zones, this is not applicable. Validate this check from the Windows DNS Server being configured/reviewed. Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. Determine a valid host in the zone. Open the Windows PowerShell prompt on the Windows DNS Server being configured/reviewed. Issue the following command: (Replace www.zonename.mil with a FQDN of a valid host in the zone being validated. Replace ###.###.###.### with the FQDN or IP address of the Windows DNS Server hosting the signed zone.) resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok &lt;enter&gt; Note: It is important to use the -server switch followed by the DNS server name/IP address. The result should show the "A" record results. In addition, the results should show QueryType: RRSIG with an expiration, date signed, signer, and signature, similar to the following: Name: www.zonename.mil QueryType: RRSIG TTL: 189 Section: Answer TypeCovered: CNAME Algorithm: 8 LabelCount: 3 OriginalTtl: 300 Expiration: 11/21/2014 10:22:28 PM Signed: 10/22/2014 10:22:28 PM Signer: zonename.mil Signature: {87, 232, 34, 134...} Name: origin-www.zonename.mil QueryType: A TTL: 201 Section: Answer IP4Address: ###.###.###.### If the results do not show the RRSIG and signature information, this is a finding.

Fix: F-63047r939904_fix

Sign or re-sign, the hosted zone(s) on the DNS server being validated. Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. Press the Windows key + R and execute "dnsmgmt.msc". On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". From the expanded list, right-click to select the zone (repeat for each hosted zone), point to DNSSEC, and then click "Sign the Zone", using either approved saved parameters or approved custom parameters.

b
The Windows DNS Server must be configured to only allow zone information that reflects the environment for which it is authoritative, including IP ranges and IP versions.
SI-10 - Medium - CCI-001310 - V-259401 - SV-259401r961158_rule
RMF Control
SI-10
Severity
Medium
CCI
CCI-001310
Version
WDNS-22-000073
Vuln IDs
  • V-259401
Rule IDs
  • SV-259401r961158_rule
DNS zone data for which a Windows DNS Server is authoritative should represent the network for which it is responsible. If a Windows DNS Server hosts zone records for other networks or environments, the records could become invalid or stale or be redundant/conflicting with a DNS server truly authoritative for the other network environment.
Checks: C-63140r939906_chk

Consult with the system administrator to determine the IP ranges for the environment. Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. If not automatically started, initialize the "Server Manager" window by clicking its icon from the bottom left corner of the screen. Once the "Server Manager" window is initialized, from the left pane, click to select the DNS category. From the right pane, under the "SERVERS" section, right-click the DNS server. From the context menu that appears, click "DNS Manager". On the opened DNS Manager snap-in from the left pane, expand the server name and then expand "Forward Lookup Zones". From the expanded list, click to select and then right-click the zone name. Review the zone information and compare it to the IP ranges for the environment. If any zone information is for a different IP range or domain, this is a finding.

Fix: F-63048r939907_fix

Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. If not automatically started, initialize the "Server Manager" window by clicking its icon from the bottom left corner of the screen. Once the "Server Manager" window is initialized, from the left pane, click to select the DNS category. From the right pane, under the "SERVERS" section, right-click the DNS server. From the context menu that appears, click "DNS Manager". On the opened DNS Manager snap-in from the left pane, expand the server name and then expand "Forward Lookup Zones". Remove any zone information that is not part of the environment.

b
The Windows DNS Server must follow procedures to re-role a secondary name server as the primary name server if the primary name server permanently loses functionality.
CM-6 - Medium - CCI-000366 - V-259402 - SV-259402r987708_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
WDNS-22-000074
Vuln IDs
  • V-259402
Rule IDs
  • SV-259402r987708_rule
Failing to an unsecure condition negatively impacts application security and can lead to system compromise. Failure conditions include, for example, loss of communications among critical system components or between system components and operational facilities. Fail-safe procedures include, for example, alerting operator personnel and providing specific instructions on subsequent steps to take (e.g., do nothing, reestablish system settings, shutdown processes, restart the system, or contact designated organizational personnel). If a component such as the DNSSEC or TSIG/SIG(0) signing capabilities were to fail, the DNS server should shut itself down to prevent continued execution without the necessary security components in place. Transactions such as zone transfers would not be able to work correctly in this state.
Checks: C-63141r939909_chk

Active Directory (AD)-integrated DNS servers will handle the promotion of a secondary DNS server when a primary DNS server loses functionality. If all of the DNS servers are AD integrated, this is not a finding. Consult with the system administrator to determine if there are documented procedures to re-role a non-AD-integrated secondary name server to a master name server role if a master name server loses functionality. If there are no documented procedures to re-role a non-AD-integrated secondary name server to primary if a master name server loses functionality, this is a finding.

Fix: F-63049r939910_fix

AD-integrated DNS servers will handle the promotion of a secondary DNS server when a primary DNS server loses functionality. Develop, test, and implement documented procedures to re-role a non-AD-integrated secondary name server to a master name server role if a master name server loses functionality.

b
The DNS Name Server software must be configured to refuse queries for its version information.
AC-4 - Medium - CCI-002201 - V-259403 - SV-259403r987666_rule
RMF Control
AC-4
Severity
Medium
CCI
CCI-002201
Version
WDNS-22-000075
Vuln IDs
  • V-259403
Rule IDs
  • SV-259403r987666_rule
Each newer version of the name server software, especially the BIND software, generally is devoid of vulnerabilities found in earlier versions because it has design changes incorporated to address those vulnerabilities. The vulnerabilities have been exploited (i.e., some form of attack was launched), and sufficient information has been generated with respect to the nature of those exploits. It makes good business sense to run the latest version of name server software because theoretically it is the safest version. In some installations, it may not be possible to switch to the latest version of name server software immediately. If the version of the name server software is revealed in queries, this information may be used by attackers looking for a specific version of the software that has a discovered weakness. To prevent information about which version of name server software is running on a system, name servers should be configured to refuse queries for its version information.
Checks: C-63142r939912_chk

The "EnableVersionQuery" property controls what version information the DNS server will respond with when a DNS query with class set to "CHAOS" and type set to "TXT" is received. Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. Open a command window and execute the command: nslookup &lt;enter&gt; Note: Confirm the Default Server is the DNS server on which the command is being run. At the nslookup prompt, type: set type=TXT &lt;enter&gt; set class=CHAOS &lt;enter&gt; version.bind &lt;enter&gt; If the response returns something similar to text = "Microsoft DNS 6.1.7601 (1DB14556)", this is a finding.

Fix: F-63050r939913_fix

To disable the version being returned in queries, execute the following command: dnscmd /config /EnableVersionQuery 0 <enter>

b
The HINFO, RP, TXT, and LOC RR types must not be used in the zone SOA.
AC-4 - Medium - CCI-002201 - V-259404 - SV-259404r987666_rule
RMF Control
AC-4
Severity
Medium
CCI
CCI-002201
Version
WDNS-22-000076
Vuln IDs
  • V-259404
Rule IDs
  • SV-259404r987666_rule
Several types of resource records (RRs) in the DNS are meant to convey information to humans and applications about the network, hosts, or services. These RRs include the Responsible Person (RP) record, the Host Information (HINFO) record, the Location (LOC) record, and the catch-all text string resource record (TXT) (RFC1035). Although these record types are meant to provide information to users in good faith, they also allow attackers to gain knowledge about network hosts before attempting to exploit them. For example, an attacker may query for HINFO records, looking for hosts that list an operating system or platform known to have exploits. Therefore, great care should be taken before including these record types in a zone. They are best left out completely. More careful consideration should be taken with the TXT resource record type. A DNS administrator will have to decide if the data contained in a TXT RR constitutes an information leak or is a necessary piece of information. For example, several authenticated email technologies use TXT RRs to store email sender policy information such as valid email senders for a domain. These judgments will have to be made on a case-by-case basis. A DNS administrator should take care when including HINFO, RP, TXT, LOC, or other RR types that could divulge information that would be useful to an attacker or the external view of a zone if using split DNS. RRs such as HINFO and TXT provide information about software name and versions (e.g., for resources such as web servers and mail servers) that will enable the well-equipped attacker to exploit the known vulnerabilities in those software versions and launch attacks against those resources.
Checks: C-63143r939915_chk

Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. Press the Windows key + R and execute "dnsmgmt.msc". On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". From the expanded list, click to select the zone. Review the zone's RRs and verify HINFO, RP, and LOC RRs are not used. If TXT RRs are used, they must not reveal any information about the organization that could be used for malicious purposes. If there are any HINFO, RP, LOC, or revealing TXT RRs in any zone hosted by the DNS server, this is a finding.

Fix: F-63051r939916_fix

Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. Press the Windows key + R and execute "dnsmgmt.msc". On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". From the expanded list, click to select the zone. Remove all HINFO, RP, TXT, and LOC RRs from all zones hosted by the DNS server.

b
The Windows DNS Server must, when a component failure is detected, activate a notification to the system administrator.
CM-6 - Medium - CCI-000366 - V-259405 - SV-259405r987640_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
WDNS-22-000077
Vuln IDs
  • V-259405
Rule IDs
  • SV-259405r987640_rule
Predictable failure prevention requires organizational planning to address system failure issues. If components key to maintaining systems security fail to function, the system could continue operating in an insecure state. The organization must be prepared, and the application must support requirements that specify if the application must alarm for such conditions and/or automatically shut down the application or the system. This can include conducting a graceful application shutdown to avoid losing information. Automatic or manual transfer of components from standby to active mode can occur, for example, upon detection of component failures. If a component such as the DNSSEC or TSIG/SIG(0) signing capabilities were to fail, the DNS server should shut itself down to prevent continued execution without the necessary security components in place. Transactions such as zone transfers would not be able to work correctly in this state.
Checks: C-63144r945352_chk

Notification to the system administrator is not configurable in Windows DNS Server. For system administrators to be notified when a component fails, the system administrator would have to implement a third-party monitoring system. At a minimum, the system administrator should have a documented procedure in place to review the diagnostic logs on a routine basis every day. If a third-party monitoring system is not in place to detect and notify the system administrator upon component failures, and the system administrator does not have a documented procedure in place to review the diagnostic logs on a routine basis every day, this is a finding.

Fix: F-63052r939919_fix

Implement a third-party monitoring system to detect and notify the system administrator upon component failure or, at a minimum, document and implement a procedure to review the diagnostic logs on a routine basis every day.

b
The Windows DNS Server must verify the correct operation of security functions upon startup and/or restart, upon command by a user with privileged access, and/or every 30 days.
SI-6 - Medium - CCI-002699 - V-259406 - SV-259406r961734_rule
RMF Control
SI-6
Severity
Medium
CCI
CCI-002699
Version
WDNS-22-000078
Vuln IDs
  • V-259406
Rule IDs
  • SV-259406r961734_rule
Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes but is not limited to establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. Without verification, security functions may not operate correctly, and this failure may go unnoticed. Notifications provided by information systems include, for example, electronic alerts to system administrators, messages to local computer consoles, and/or hardware indications, such as lights. The DNS server should perform self-tests, such as at server startup, to confirm that its security functions are working properly.
Checks: C-63145r945354_chk

Note: This requirement applies to any Windows DNS Server that hosts non-Active Directory (AD)-integrated zones even if the DNS servers host AD-integrated zones, too. If the Windows DNS Server hosts only AD-integrated zones and does not host any file-based zones, this is not applicable. Validate this check from the Windows DNS Server being configured/reviewed. Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. Determine a valid host in the zone. Open the Windows PowerShell prompt on the Windows DNS Server being configured/reviewed. Issue the following command: (Replace www.zonename.mil with a FQDN of a valid host in the zone being validated. Replace ###.###.###.### with the FQDN or IP address of the Windows DNS Server hosting the signed zone.) resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok &lt;enter&gt; Note: It is important to use the -server switch followed by the DNS server name/IP address. The result should show the "A" record results. In addition, the results should show QueryType: RRSIG with an expiration, date signed, signer, and signature, similar to the following: Name: www.zonename.mil QueryType: RRSIG TTL: 189 Section: Answer TypeCovered: CNAME Algorithm: 8 LabelCount: 3 OriginalTtl: 300 Expiration: 11/21/2022 10:22:28 AM Signed: 10/22/2022 10:22:28 AM Signer: zonename.mil Signature: {87, 232, 34, 134...} Name: origin-www.zonename.mil QueryType: A TTL: 201 Section: Answer IP4Address: ###.###.###.### If the results do not show the RRSIG and signature information, this is a finding.

Fix: F-63053r939922_fix

Sign or re-sign the hosted zone(s) on the DNS server being validated. Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. Press the Windows key + R and execute "dnsmgmt.msc". On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". From the expanded list, right-click to select the zone (repeat for each hosted zone), point to DNSSEC, and then click "Sign the Zone" using either approved saved parameters or approved custom parameters.

b
The Windows DNS Server must verify the correct operation of security functions upon system startup and/or restart, upon command by a user with privileged access, and/or every 30 days.
SI-6 - Medium - CCI-002699 - V-259407 - SV-259407r961734_rule
RMF Control
SI-6
Severity
Medium
CCI
CCI-002699
Version
WDNS-22-000079
Vuln IDs
  • V-259407
Rule IDs
  • SV-259407r961734_rule
Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes but is not limited to establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. Without verification, security functions may not operate correctly, and this failure may go unnoticed. Notifications provided by information systems include, for example, electronic alerts to system administrators, messages to local computer consoles, and/or hardware indications, such as lights. The DNS server should perform self-tests, such as at server startup, to confirm that its security functions are working properly.
Checks: C-63146r939924_chk

This functionality should be performed by an approved and properly configured DOD system monitoring solution. If all required DOD products are not installed and /or the installed productions are not enabled, this is a finding.

Fix: F-63054r939925_fix

Install an approved DOD system monitoring solution.

b
The Windows DNS Server must log the event and notify the system administrator when anomalies in the operation of the signed zone transfers are discovered.
SI-6 - Medium - CCI-002702 - V-259408 - SV-259408r961737_rule
RMF Control
SI-6
Severity
Medium
CCI
CCI-002702
Version
WDNS-22-000080
Vuln IDs
  • V-259408
Rule IDs
  • SV-259408r961737_rule
Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes but is not limited to establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. Notifications provided by information systems include messages to local computer consoles and/or hardware indications, such as lights. If anomalies are not acted on, security functions may fail to secure the system. The DNS server does not have the capability of shutting down or restarting the information system. The DNS server can be configured to generate audit records when anomalies are discovered, and the operating system/network device manager can then trigger notification messages to the system administrator based on the presence of those audit records.
Checks: C-63147r945357_chk

Note: If the only zones hosted are AD-integrated zones, this check is not applicable. Notification to the system administrator is not configurable in Windows. For the administrator to be notified if functionality of DNSSEC/TSIG has been removed or broken, the information system security officer (ISSO), information system security manager (ISSM), or DNS administrator would need to implement a third-party monitoring system. At a minimum, the ISSO/ISSM/DNS administrator should have a documented procedure in place to review the diagnostic logs on a routine basis every day. If a third-party monitoring system is not in place to detect and notify the ISSO/ISSM/DNS administrator if functionality of DNSSEC/TSIG has been removed or broken and the ISSO/ISSM/DNS administrator does not have a documented procedure in place to review the diagnostic logs on a routine basis every day, this is a finding.

Fix: F-63055r939928_fix

Implement a third-party monitoring system to detect and notify the ISSO/ISSM/DNS administrator if functionality of DNSSEC/TSIG has been removed or broken or, at a minimum, document and implement a procedure to review the diagnostic logs on a routine basis every day.

b
The Windows DNS Server must be configured to notify the information system security officer (ISSO), information system security manager (ISSM), or DNS administrator when functionality of DNSSEC/TSIG has been removed or broken.
SI-6 - Medium - CCI-001294 - V-259409 - SV-259409r961185_rule
RMF Control
SI-6
Severity
Medium
CCI
CCI-001294
Version
WDNS-22-000081
Vuln IDs
  • V-259409
Rule IDs
  • SV-259409r961185_rule
Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes but is not limited to establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. If personnel are not notified of failed security verification tests, they will not be able to take corrective action, and the unsecure condition(s) will remain. Notifications provided by information systems include messages to local computer consoles and/or hardware indications, such as lights. The DNS server should be configured to generate audit records whenever a self-test fails. The operating system/network device manager is responsible for generating notification messages related to this audit record.
Checks: C-63148r945359_chk

Note: This check is not applicable for Windows DNS Servers that only host Active Directory-integrated zones or for Windows DNS servers on a classified network. Notification to the system administrator is not configurable in Windows DNS Server. For the ISSO/ISSM/DNS administrator to be notified if functionality of Secure Updates has been removed or broken, the ISSO/ISSM/DNS administrator would need to implement a third party monitoring system. At a minimum, the ISSO/ISSM/DNS administrator should have a documented procedure in place to review the diagnostic logs on a routine basis every day. If a third-party monitoring system is not in place to detect and notify the ISSO/ISSM/DNS administrator if functionality of Secure Updates has been removed or broken and the ISSO/ISSM/DNS administrator does not have a documented procedure in place to review the diagnostic logs on a routine basis every day, this is a finding.

Fix: F-63056r939931_fix

Implement a third-party monitoring system to detect and notify the ISSO/ISSM/DNS administrator if functionality of Secure Updates has been removed or broken or, at a minimum, document and implement a procedure to review the diagnostic logs on a routine basis every day.

b
A unique Transaction Signature (TSIG) key must be generated for each pair of communicating hosts.
IA-5 - Medium - CCI-000186 - V-259410 - SV-259410r961863_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000186
Version
WDNS-22-000090
Vuln IDs
  • V-259410
Rule IDs
  • SV-259410r961863_rule
To enable zone transfer (requests and responses) through authenticated messages, it is necessary to generate a key for every pair of name servers. The key also can be used for securing other transactions, such as dynamic updates, DNS queries, and responses. The binary key string generated by most key generation utilities used with DNSSEC is Base64 encoded. TSIG is a string used to generate the message authentication hash stored in a TSIG Resource Record (RR) and used to authenticate an entire DNS message.
Checks: C-63149r939933_chk

Review the DNS implementation. Verify that each pair of communicating hosts has a unique TSIG key (i.e., a separate key for each secondary name server to authenticate transactions with the primary name server, etc.). If a unique TSIG key has not been generated for each pair of communicating hosts, this is a finding.

Fix: F-63057r939934_fix

Regenerate a unique TSIG key for each pair of communicating hosts within the DNS architecture.

b
The DNS server implementation must employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions.
MA-4 - Medium - CCI-000877 - V-259411 - SV-259411r961062_rule
RMF Control
MA-4
Severity
Medium
CCI
CCI-000877
Version
WDNS-22-000092
Vuln IDs
  • V-259411
Rule IDs
  • SV-259411r961062_rule
If unauthorized personnel use maintenance tools, they may accidentally or intentionally damage or compromise the system. The act of managing systems and applications includes the ability to access sensitive application information, such as system configuration details, diagnostic information, user information, and potentially sensitive application data. Nonlocal maintenance and diagnostic activities are conducted by individuals communicating through an external network (e.g., the internet) or an internal network. Local maintenance and diagnostic activities are carried out by individuals physically present at the information system or information system component and not communicating across a network connection. Typically, strong authentication requires authenticators that are resistant to replay attacks and employ multifactor authentication. Strong authenticators include, for example, public key infrastructure (PKI) where certificates are stored on a token protected by a password, passphrase, or biometric. This requirement applies to hardware/software diagnostic test equipment or tools. This requirement does not cover hardware/software components that may support information system maintenance, yet are a part of the system (e.g., the software implementing "ping", "ls", or "ipconfig" or the hardware and software implementing the monitoring port of an Ethernet switch). Lack of authentication enables anyone to gain access to the network or possibly a network element that provides opportunity for intruders to compromise resources within the network infrastructure. Network access control mechanisms interoperate to prevent unauthorized access and enforce the organization's security policy. Authorization for access to any network element requires an individual account identifier that has been approved, assigned, and configured on an authentication server. Authentication of all administrator accounts for all privilege levels must be accomplished using two or more factors that include the following: (i) something the user knows (e.g., password/PIN); (ii) something the user has (e.g., cryptographic identification device, token); or (iii) something the user is (e.g., biometric).
Checks: C-63150r939936_chk

Review the DNS implementation's authentication methods and settings to determine if multifactor authentication is used to gain nonlocal access for maintenance and diagnostics. If multifactor authentication is not used, this is a finding.

Fix: F-63058r939937_fix

Configure the DNS system to use multifactor authentication for nonlocal access for maintenance and diagnostics.

b
In the event of a system failure, the Windows DNS Server must preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to mission processes.
SC-24 - Medium - CCI-001665 - V-259412 - SV-259412r961125_rule
RMF Control
SC-24
Severity
Medium
CCI
CCI-001665
Version
WDNS-22-000094
Vuln IDs
  • V-259412
Rule IDs
  • SV-259412r961125_rule
Failure to a known state can address safety or security in accordance with the mission/business needs of the organization. Failure to a known secure state helps prevent a loss of confidentiality, integrity, or availability in the event of a failure of the information system or a component of the system. Preserving application state information helps to facilitate application restart and return to the operational mode of the organization with less disruption to mission-essential processes.
Checks: C-63151r939939_chk

Use the AuditPol tool to review the current Audit Policy configuration: Open a Command Prompt with elevated privileges ("Run as Administrator"). Enter "AuditPol /get /category:*". Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. Object Access &gt;&gt; File System - Failure

Fix: F-63059r939940_fix

Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> Audit File System with "Failure" selected.

b
The DNS Name Server software must run with restricted privileges.
CM-6 - Medium - CCI-000366 - V-259413 - SV-259413r961863_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
WDNS-22-000102
Vuln IDs
  • V-259413
Rule IDs
  • SV-259413r961863_rule
Failure to provide logical access restrictions associated with changes to application configuration may have significant effects on the overall security of the system. When dealing with access restrictions pertaining to change control, any changes to the hardware, software, and/or firmware components of the information system and/or application can have significant effects on the overall security of the system. Accordingly, only qualified and authorized individuals should be allowed to obtain access to application components for the purposes of initiating changes, including upgrades and modifications. Logical access restrictions include, for example, controls that restrict access to workflow automation, media libraries, abstract layers (e.g., changes implemented into third-party interfaces rather than directly into information systems), and change windows (e.g., changes occur only during specified times, making unauthorized changes easy to discover). If the name server software is run as a privileged user (e.g., root in Unix systems), any break-in into the software can have disastrous consequences in terms of resources resident in the name server platform. Specifically, a hacker who breaks into the software acquires unrestricted access and therefore can execute any commands or modify or delete any files. It is necessary to run the name server software as a nonprivileged user with access restricted to specified directories to contain damages resulting from break-in.
Checks: C-63152r939942_chk

Review the account under which the DNS software is running and determine the permissions that account has been assigned. If the account under which the DNS software is running has not been restricted to the least privileged permissions required for the purpose of running the software, this is a finding.

Fix: F-63060r939943_fix

Configure the permissions of the account being used to run the DNS software to have the least privileges required to run the DNS software.

b
The private keys corresponding to both the zone signing key (ZSK) and the key signing key (KSK) must not be kept on the DNSSEC-aware primary authoritative name server when the name server does not support dynamic updates.
CM-6 - Medium - CCI-000366 - V-259414 - SV-259414r961863_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
WDNS-22-000107
Vuln IDs
  • V-259414
Rule IDs
  • SV-259414r961863_rule
The private keys in the KSK and ZSK key pairs must be protected from unauthorized access. If possible, the private keys should be stored offline (with respect to the internet-facing, DNSSEC-aware name server) in a physically secure, non-network-accessible machine along with the zone file master copy. This strategy is not feasible in situations in which the DNSSEC-aware name server must support dynamic updates. To support dynamic update transactions, the DNSSEC-aware name server (which usually is a primary authoritative name server) must have both the zone file master copy and the private key corresponding to the zone signing key (ZSK-private) online to immediately update the signatures for the updated Resource Record Sets. The private key corresponding to the key signing key (KSK-private) can still be kept offline.
Checks: C-63153r939945_chk

Review the DNS name server and documentation to determine if it accepts dynamic updates. If dynamic updates are not accepted, verify the private keys corresponding to both the ZSK and KSK are not located on the name server. If the private keys to the ZSK and/or the KSK are located on the name server, this is a finding.

Fix: F-63061r939946_fix

Store the private keys of the ZSK and KSK offline in an encrypted file system.

b
The Windows DNS Server audit records must be backed up at least every seven days onto a different system or system component than the system or component being audited.
AU-9 - Medium - CCI-001348 - V-259415 - SV-259415r960948_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-001348
Version
WDNS-22-000115
Vuln IDs
  • V-259415
Rule IDs
  • SV-259415r960948_rule
Protection of log data includes ensuring log data is not accidentally lost or deleted. Backing up audit records to a different system or onto media separate from the system being audited on a defined frequency helps to ensure the audit records will be retained in the event of a catastrophic system failure. This helps to ensure a compromise of the information system being audited does not also result in a compromise of the audit records. This requirement applies only to applications that have a native backup capability for audit records. Operating system backup requirements cover applications that do not provide native backup functions.
Checks: C-63154r945366_chk

Consult with the system administrator to determine the backup policy in place for Windows DNS Server. Review the backup methods used and determine if the backup's methods have been successful at backing up the audit records at least every seven days. If the organization does not have a backup policy in place for backing up the Windows DNS Server's audit records and/or the backup methods have not been successful at backing up the audit records at least every seven days, this is a finding.

Fix: F-63062r939949_fix

Document and implement a backup policy to back up the DNS server's audit records at least every seven days.

b
In a split DNS configuration, where separate name servers are used between the external and internal networks, the internal name server must be configured to not be reachable from outside resolvers.
CM-6 - Medium - CCI-000366 - V-259416 - SV-259416r961863_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
WDNS-22-000119
Vuln IDs
  • V-259416
Rule IDs
  • SV-259416r961863_rule
Instead of having the same set of authoritative name servers serve different types of clients, an enterprise could have two different sets of authoritative name servers. One set, called external name servers, can be located within a DMZ; these would be the only name servers that are accessible to external clients and would serve resource records (RRs) pertaining to hosts with public services (web servers that serve external web pages or provide business-to-consumer services, mail servers, etc.). The other set, called internal name servers, is to be located within the firewall and should be configured so the servers are not reachable from outside and hence provide naming services exclusively to internal clients.
Checks: C-63155r939951_chk

Consult with the system administrator to review the internal Windows DNS Server's firewall policy. The inbound TCP and UDP ports 53 rule should be configured to only allow hosts from the internal network to query the internal DNS server. If the firewall policy is not configured with the restriction, consult with the network firewall administrator to confirm the restriction on the network firewall. If neither the DNS server's firewall policy nor the network firewall is configured to block external hosts from querying the internal DNS server, this is a finding.

Fix: F-63063r939952_fix

Configure the internal DNS server's firewall policy, or the network firewall, to block queries from external hosts.

b
Windows DNS response rate limiting (RRL) must be enabled.
SC-5 - Medium - CCI-001095 - V-259417 - SV-259417r961155_rule
RMF Control
SC-5
Severity
Medium
CCI
CCI-001095
Version
WDNS-22-000120
Vuln IDs
  • V-259417
Rule IDs
  • SV-259417r961155_rule
This setting can prevent someone from sending a denial-of-service attack using the DNS servers. For instance, a bot net can send requests to the DNS server using the IP address of a third computer as the requestor. Without RRL, the DNS servers might respond to all the requests, flooding the third computer.
Checks: C-63156r939954_chk

As an administrator, run PowerShell and enter the following command: "Get-DnsServerResponseRateLimiting". If "Mode" is not set to "Enable", this is a finding.

Fix: F-63064r939955_fix

As an administrator, run PowerShell and enter the command "Set-DnsServerResponseRateLimiting" to apply default values or "Set-DnsServerResponseRateLimiting -WindowInSec 7 -LeakRate 4 -TruncateRate 3 -ErrorsPerSec 8 -ResponsesPerSec 8". These settings are just an example. For more information, go to: https://learn.microsoft.com/en-us/powershell/module/dnsserver/set-dnsserverresponseratelimiting?view=windowsserver2022-ps