DISA_STIG_Microsoft_Windows_2012_Server_DNS_v2r7.audit from DISA Microsoft Windows 2012 Server Domain Name System v2r7 STIG

Check | Category |
WDNS-AC-000001 - The Windows 2012 DNS Server must restrict incoming dynamic update requests to known clients. | ACCESS CONTROL |
WDNS-AU-000001 - The Windows 2012 DNS Server must be configured to record, and make available to authorized personnel, who added/modified/deleted DNS zone information. | AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT |
WDNS-AU-000003 - The Windows 2012 DNS Server must, in the event of an error validating another DNS server's identity, send notification to the DNS administrator. | AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT |
WDNS-AU-000005 - The Windows 2012 DNS Server log must be enabled. | AUDIT AND ACCOUNTABILITY |
WDNS-AU-000006 - The Windows 2012 DNS Server logging must be enabled to record events from all DNS server functions. | AUDIT AND ACCOUNTABILITY |
WDNS-AU-000007 - The Windows 2012 DNS Server logging criteria must only be configured by the ISSM or individuals appointed by the ISSM. | AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT |
WDNS-AU-000016 - The Windows 2012 DNS Server's audit records must be backed up at least every seven days onto a different system or system component than the system or component being audited. | AUDIT AND ACCOUNTABILITY |
WDNS-CM-000001 - The validity period for the RRSIGs covering the DS RR for a zone's delegated children must be no less than two days and no more than one week. | CONFIGURATION MANAGEMENT |
WDNS-CM-000002 - The Windows DNS name servers for a zone must be geographically dispersed. | CONFIGURATION MANAGEMENT |
WDNS-CM-000003 - The Windows 2012 DNS Server must prohibit recursion on authoritative name servers for which forwarders have not been configured for external queries. | CONFIGURATION MANAGEMENT |
WDNS-CM-000004 - Forwarders on an authoritative Windows 2012 DNS Server, if enabled for external resolution, must only forward to either an internal, non-AD-integrated DNS server or to the DoD Enterprise Recursive Services (ERS). | CONFIGURATION MANAGEMENT |
WDNS-CM-000005 - The Windows 2012 DNS Server with a caching name server role must restrict recursive query responses to only the IP addresses and IP address ranges of known supported clients. | CONFIGURATION MANAGEMENT |
WDNS-CM-000006 - The Windows 2012 DNS Server with a caching name server role must be secured against pollution by ensuring the authenticity and integrity of queried records. | CONFIGURATION MANAGEMENT |
WDNS-CM-000007 - The Windows 2012 DNS Server must implement cryptographic mechanisms to detect changes to information during transmission unless otherwise protected by alternative physical safeguards, such as, at a minimum, a Protected Distribution System (PDS). | CONFIGURATION MANAGEMENT |
WDNS-CM-000008 - The validity period for the RRSIGs covering a zone's DNSKEY RRSet must be no less than two days and no more than one week. | CONFIGURATION MANAGEMENT |
WDNS-CM-000009 - NSEC3 must be used for all internal DNS zones. | CONFIGURATION MANAGEMENT |
WDNS-CM-000010 - The Windows 2012 DNS Server's zone files must have NS records that point to active name servers authoritative for the domain specified in that record. | CONFIGURATION MANAGEMENT |
WDNS-CM-000012 - All authoritative name servers for a zone must be located on different network segments. | CONFIGURATION MANAGEMENT |
WDNS-CM-000013 - All authoritative name servers for a zone must have the same version of zone information. | CONFIGURATION MANAGEMENT |
WDNS-CM-000014 - The Windows 2012 DNS Server must be configured to enable DNSSEC Resource Records. | CONFIGURATION MANAGEMENT |
WDNS-CM-000015 - Digital signature algorithm used for DNSSEC-enabled zones must be FIPS-compatible. | CONFIGURATION MANAGEMENT |
WDNS-CM-000016 - For zones split between the external and internal sides of a network, the RRs for the external hosts must be separate from the RRs for the internal hosts. | CONFIGURATION MANAGEMENT |
WDNS-CM-000017 - In a split DNS configuration, where separate name servers are used between the external and internal networks, the external name server must be configured to not be reachable from inside resolvers. | CONFIGURATION MANAGEMENT |
WDNS-CM-000018 - In a split DNS configuration, where separate name servers are used between the external and internal networks, the internal name server must be configured to not be reachable from outside resolvers. | CONFIGURATION MANAGEMENT |
WDNS-CM-000019 - Primary authoritative name servers must be configured to only receive zone transfer requests from specified secondary name servers. | CONFIGURATION MANAGEMENT |
WDNS-CM-000020 - The Windows 2012 DNS Server's zone database files must not be accessible for edit/write by users and/or processes other than the Windows 2012 DNS Server service account and/or the DNS database administrator. | CONFIGURATION MANAGEMENT |
WDNS-CM-000021 - The Windows 2012 DNS Server must implement internal/external role separation. | CONFIGURATION MANAGEMENT |
WDNS-CM-000022 - The Windows 2012 DNS Server authoritative for local zones must only point root hints to the DNS servers that host the internal root domain. | CONFIGURATION MANAGEMENT |
WDNS-CM-000023 - The DNS name server software must be at the latest version. | CONFIGURATION MANAGEMENT |
WDNS-CM-000024 - The Windows 2012 DNS Server's zone files must not include resource records that resolve to a fully qualified domain name residing in another zone. | CONFIGURATION MANAGEMENT |
WDNS-CM-000025 - The Windows 2012 DNS Server's zone files must not include CNAME records pointing to a zone with lesser security for more than six months. | CONFIGURATION MANAGEMENT |
WDNS-CM-000026 - Non-routable IPv6 link-local scope addresses must not be configured in any zone. | CONFIGURATION MANAGEMENT |
WDNS-CM-000027 - AAAA addresses must not be configured in a zone for hosts that are not IPv6-aware. | CONFIGURATION MANAGEMENT |
WDNS-CM-000029 - The Windows 2012 DNS Server must be configured to prohibit or restrict unapproved ports and protocols. | CONFIGURATION MANAGEMENT |
WDNS-CM-999999 - The Windows 2012 DNS Server must be a vendor supported release. | CONFIGURATION MANAGEMENT |
WDNS-IA-000001 - The Windows 2012 DNS Server must require devices to re-authenticate for each dynamic update request connection attempt. | IDENTIFICATION AND AUTHENTICATION |
WDNS-IA-000002 - The Windows 2012 DNS Server must uniquely identify the other DNS server before responding to a server-to-server transaction. | IDENTIFICATION AND AUTHENTICATION |
WDNS-IA-000003 - The secondary Windows DNS name servers must cryptographically authenticate zone transfers from primary name servers. | IDENTIFICATION AND AUTHENTICATION |
WDNS-IA-000004 - The Windows DNS primary server must only send zone transfers to a specific list of secondary name servers. | IDENTIFICATION AND AUTHENTICATION |
WDNS-IA-000005 - The Windows 2012 DNS Server must provide its identity with returned DNS information by enabling DNSSEC and TSIG/SIG(0). | IDENTIFICATION AND AUTHENTICATION |
WDNS-IA-000006 - The Windows 2012 DNS Server must be configured to enforce authorized access to the corresponding private key. | IDENTIFICATION AND AUTHENTICATION |
WDNS-IA-000007 - The Windows 2012 DNS Server key file must be owned by the account under which the Windows 2012 DNS Server service is run. | IDENTIFICATION AND AUTHENTICATION |
WDNS-IA-000008 - The Windows 2012 DNS Server permissions must be set so that the key file can only be read or modified by the account that runs the name server software. | IDENTIFICATION AND AUTHENTICATION |
WDNS-IA-000009 - The private key corresponding to the ZSK must only be stored on the name server that does support dynamic updates. | IDENTIFICATION AND AUTHENTICATION |
WDNS-IA-000011 - The Windows 2012 DNS Server must implement a local cache of revocation data for PKI authentication in the event revocation information via the network is not accessible. | IDENTIFICATION AND AUTHENTICATION |
WDNS-SC-000001 - The salt value for zones signed using NSEC3 RRs must be changed every time the zone is completely re-signed. | SYSTEM AND COMMUNICATIONS PROTECTION |
WDNS-SC-000002 - The Windows 2012 DNS Server must include data origin with authoritative data the system returns in response to external name/address resolution queries. | SYSTEM AND COMMUNICATIONS PROTECTION |
WDNS-SC-000003 - The Windows 2012 DNS Server's IP address must be statically defined and configured locally on the server. | CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION |
WDNS-SC-000004 - The Windows 2012 DNS Server must return data information in responses to internal name/address resolution queries. | CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION |
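Many of the settings these checks score can be read directly with the DnsServer module cmdlets. The script below is an added example, not part of the STIG or of the Tenable .audit file: it makes a read-only pass over the recursion, forwarder, static-address, debug-logging, dynamic-update, zone-transfer and DNSSEC settings behind the checks above and emits one line per finding tagged with the check ID it relates to. It assumes an elevated PowerShell session on the DNS server itself with the DnsServer and NetTCPIP modules available (Windows Server 2012 R2 with the DNS role). The $findings list, the filter to primary non-auto-created zones, the 2-to-7-day window applied to the key validity periods and the decision to treat RSA/SHA-1 signing keys as non-compliant are this example's own choices; the message strings are constructed here and are not Tenable's output.

```powershell
# Added example: read-only audit of Windows DNS Server settings against
# several WDNS-* checks. Not part of the STIG or the Tenable .audit file.
# Assumes an elevated session on the DNS server with the DnsServer and
# NetTCPIP modules present.
Import-Module DnsServer -ErrorAction Stop

$findings = New-Object System.Collections.Generic.List[string]

# WDNS-CM-000003: recursion off on an authoritative server that is not a
# deliberate resolver. WDNS-CM-000006: keep pollution protection on.
$rec = Get-DnsServerRecursion
if ($rec.Enable) {
    $findings.Add('WDNS-CM-000003: recursion is enabled; disable it unless this host is the site resolver.')
}
if (-not $rec.SecureResponse) {
    $findings.Add('WDNS-CM-000006: SecureResponse is off; cached answers are not screened for pollution.')
}

# WDNS-CM-000004: forwarders, if any, must be approved internal or ERS hosts.
$fwd = Get-DnsServerForwarder
if ($fwd.IPAddress) {
    $findings.Add("WDNS-CM-000004: forwarders set to $($fwd.IPAddress -join ', '); confirm each is an approved internal or ERS resolver.")
}

# WDNS-SC-000003: the server's own IPv4 address must be static, not DHCP-assigned.
Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.PrefixOrigin -eq 'Dhcp' } |
    ForEach-Object {
        $findings.Add("WDNS-SC-000003: $($_.IPAddress) on $($_.InterfaceAlias) is DHCP-assigned.")
    }

# WDNS-AU-000005 / WDNS-AU-000006: debug log on, and on for every event class.
$diag = Get-DnsServerDiagnostics
if (-not $diag.EnableLoggingToFile) {
    $findings.Add('WDNS-AU-000005: DNS debug logging to file is disabled.')
}
$off = $diag.PSObject.Properties |
    Where-Object { $_.Name -like 'EnableLoggingFor*Event' -and -not $_.Value } |
    ForEach-Object { $_.Name }
if ($off) {
    $findings.Add("WDNS-AU-000006: logging disabled for: $($off -join ', ').")
}

# Per-zone checks; this example limits itself to primary, non-auto-created zones.
$twoDays = New-TimeSpan -Days 2
$oneWeek = New-TimeSpan -Days 7
# Validity-period property on the signing key -> check it maps to (example's own table).
$validityChecks = @{
    DSSignatureValidityPeriod     = 'WDNS-CM-000001'
    DnsKeySignatureValidityPeriod = 'WDNS-CM-000008'
}
$zones = Get-DnsServerZone | Where-Object { -not $_.IsAutoCreated -and $_.ZoneType -eq 'Primary' }
foreach ($z in $zones) {
    $n = $z.ZoneName

    # WDNS-AC-000001 / WDNS-IA-000001: only secure (authenticated) dynamic updates.
    if ($z.DynamicUpdate -eq 'NonsecureAndSecure') {
        $findings.Add("WDNS-AC-000001: zone $n accepts unauthenticated dynamic updates.")
    }

    # WDNS-CM-000019 / WDNS-IA-000004: transfers only to a named secondary list, or none.
    if ($z.SecureSecondaries -notin @('NoTransfer', 'TransferToSecureServers')) {
        $findings.Add("WDNS-CM-000019: zone $n zone-transfer policy is $($z.SecureSecondaries).")
    }

    # WDNS-CM-000014: zone must be signed; the remaining checks need a signed zone.
    if (-not $z.IsSigned) {
        $findings.Add("WDNS-CM-000014: zone $n is not DNSSEC-signed.")
        continue
    }

    # WDNS-CM-000009 / WDNS-SC-000001: NSEC3 denial of existence.
    $sec = Get-DnsServerDnsSecZoneSetting -ZoneName $n
    if ($sec.DenialOfExistence -ne 'NSec3') {
        $findings.Add("WDNS-CM-000009: zone $n uses $($sec.DenialOfExistence) instead of NSEC3.")
    }

    foreach ($k in Get-DnsServerSigningKey -ZoneName $n) {
        # WDNS-CM-000015: this example flags RSA/SHA-1 keys and accepts
        # RSA/SHA-256, RSA/SHA-512 and ECDSA keys as FIPS-compatible.
        if ($k.CryptoAlgorithm -like 'RsaSha1*') {
            $findings.Add("WDNS-CM-000015: zone $n $($k.KeyType) uses $($k.CryptoAlgorithm).")
        }
        # WDNS-CM-000001 / WDNS-CM-000008: RRSIG validity for DS and DNSKEY sets
        # must lie between two days and one week. Keys that do not carry a
        # given period (null or zero) are skipped rather than flagged.
        foreach ($entry in $validityChecks.GetEnumerator()) {
            $v = $k.($entry.Key)
            if ($v -is [TimeSpan] -and $v -ne [TimeSpan]::Zero -and ($v -lt $twoDays -or $v -gt $oneWeek)) {
                $findings.Add("$($entry.Value): zone $n $($k.KeyType) $($entry.Key) is $v (expected 2-7 days).")
            }
        }
    }
}

if ($findings.Count -eq 0) { 'No findings for the checks this script covers.' } else { $findings }
```

Checks that depend on information outside the server's own configuration, such as geographic dispersion of name servers (WDNS-CM-000002), split-DNS reachability (WDNS-CM-000017/18), key-file ownership and ACLs (WDNS-IA-000007/08) and who is allowed to change logging criteria (WDNS-AU-000007), are not scored by this script and still need a manual review or a separate check.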