DISA Microsoft Windows 2012 Server DNS STIG v2r4

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

Audit Details

Name: DISA Microsoft Windows 2012 Server DNS STIG v2r4

Updated: 4/12/2023

Authority: DISA STIG

Plugin: Windows

Revision: 1.3

Estimated Item Count: 87

Audit Items

Description | Categories
DISA_STIG_Windows_2012_Server_DNS_v2r4.audit from DISA Microsoft Windows 2012 Server Domain Name System v2r4 STIG
WDNS-AC-000001 - The Windows 2012 DNS Server must restrict incoming dynamic update requests to known clients.

SYSTEM AND COMMUNICATIONS PROTECTION

WDNS-AU-000001 - The Windows 2012 DNS Server must be configured to record, and make available to authorized personnel, who added/modified/deleted DNS zone information.

AUDIT AND ACCOUNTABILITY

WDNS-AU-000003 - The Windows 2012 DNS Server must, in the event of an error validating another DNS server's identity, send notification to the DNS administrator.
WDNS-AU-000005 - The Windows 2012 DNS Server log must be enabled.

AUDIT AND ACCOUNTABILITY

WDNS-AU-000006 - The Windows 2012 DNS Server logging must be enabled to record events from all DNS server functions.

AUDIT AND ACCOUNTABILITY

WDNS-AU-000007 - The Windows 2012 DNS Server logging criteria must only be configured by the ISSM or individuals appointed by the ISSM - manage

ACCESS CONTROL

WDNS-AU-000007 - The Windows 2012 DNS Server logging criteria must only be configured by the ISSM or individuals appointed by the ISSM - permissions

AUDIT AND ACCOUNTABILITY

WDNS-AU-000016 - The Windows 2012 DNS Server's audit records must be backed up at least every seven days onto a different system or system component than the system or component being audited.
WDNS-CM-000001 - The validity period for the RRSIGs covering the DS RR for a zone's delegated children must be no less than two days and no more than one week.

CONFIGURATION MANAGEMENT

WDNS-CM-000002 - The Windows DNS name servers for a zone must be geographically dispersed.
WDNS-CM-000003 - The Windows 2012 DNS Server must prohibit recursion on authoritative name servers for which forwarders have not been configured for external queries - recursion

SYSTEM AND COMMUNICATIONS PROTECTION

WDNS-CM-000003 - The Windows 2012 DNS Server must prohibit recursion on authoritative name servers for which forwarders have not been configured for external queries - root hints

CONFIGURATION MANAGEMENT

WDNS-CM-000004 - Forwarders on an authoritative Windows 2012 DNS Server, if enabled for external resolution, must only forward to either an internal, non-AD-integrated DNS server or to the DoD Enterprise Recursive Services (ERS) - forwarders

SYSTEM AND COMMUNICATIONS PROTECTION

WDNS-CM-000004 - Forwarders on an authoritative Windows 2012 DNS Server, if enabled for external resolution, must only forward to either an internal, non-AD-integrated DNS server or to the DoD Enterprise Recursive Services (ERS) - root hints

CONFIGURATION MANAGEMENT

WDNS-CM-000005 - The Windows 2012 DNS Server with a caching name server role must restrict recursive query responses to only the IP addresses and IP address ranges of known supported clients.

SYSTEM AND COMMUNICATIONS PROTECTION

WDNS-CM-000006 - The Windows 2012 DNS Server with a caching name server role must be secured against pollution by ensuring the authenticity and integrity of queried records.

CONFIGURATION MANAGEMENT

WDNS-CM-000007 - The Windows 2012 DNS Server must implement cryptographic mechanisms to detect changes to information during transmission unless otherwise protected by alternative physical safeguards, such as, at a minimum, a Protected Distribution System (PDS).

SYSTEM AND COMMUNICATIONS PROTECTION

WDNS-CM-000008 - The validity period for the RRSIGs covering a zone's DNSKEY RRSet must be no less than two days and no more than one week.

CONFIGURATION MANAGEMENT

WDNS-CM-000009 - NSEC3 must be used for all internal DNS zones.

CONFIGURATION MANAGEMENT

WDNS-CM-000010 - The Windows 2012 DNS Server's zone files must have NS records that point to active name servers authoritative for the domain specified in that record.

CONFIGURATION MANAGEMENT

WDNS-CM-000012 - All authoritative name servers for a zone must be located on different network segments.

CONFIGURATION MANAGEMENT

WDNS-CM-000013 - All authoritative name servers for a zone must have the same version of zone information.

CONFIGURATION MANAGEMENT

WDNS-CM-000014 - The Windows 2012 DNS Server must be configured to enable DNSSEC Resource Records.

SYSTEM AND COMMUNICATIONS PROTECTION

WDNS-CM-000015 - Digital signature algorithm used for DNSSEC-enabled zones must be FIPS-compatible.

SYSTEM AND COMMUNICATIONS PROTECTION

WDNS-CM-000016 - For zones split between the external and internal sides of a network, the RRs for the external hosts must be separate from the RRs for the internal hosts.
WDNS-CM-000017 - In a split DNS configuration, where separate name servers are used between the external and internal networks, the external name server must be configured to not be reachable from inside resolvers.
WDNS-CM-000018 - In a split DNS configuration, where separate name servers are used between the external and internal networks, the internal name server must be configured to not be reachable from outside resolvers.
WDNS-CM-000019 - Primary authoritative name servers must be configured to only receive zone transfer requests from specified secondary name servers.

SYSTEM AND COMMUNICATIONS PROTECTION

WDNS-CM-000020 - The Windows 2012 DNS Server's zone database files must not be accessible for edit/write by users and/or processes other than the Windows 2012 DNS Server service account and/or the DNS database administrator.

ACCESS CONTROL

WDNS-CM-000021 - The Windows 2012 DNS Server must implement internal/external role separation.
WDNS-CM-000022 - The Windows 2012 DNS Server authoritative for local zones must only point root hints to the DNS servers that host the internal root domain.

CONFIGURATION MANAGEMENT

WDNS-CM-000023 - The DNS name server software must be at the latest version.
WDNS-CM-000024 - The Windows 2012 DNS Server's zone files must not include resource records that resolve to a fully qualified domain name residing in another zone.

CONFIGURATION MANAGEMENT

WDNS-CM-000025 - The Windows 2012 DNS Server's zone files must not include CNAME records pointing to a zone with lesser security for more than six months.

CONFIGURATION MANAGEMENT

WDNS-CM-000026 - Non-routable IPv6 link-local scope addresses must not be configured in any zone.

CONFIGURATION MANAGEMENT

WDNS-CM-000027 - AAAA addresses must not be configured in a zone for hosts that are not IPv6-aware.

CONFIGURATION MANAGEMENT

WDNS-CM-000029 - The Windows 2012 DNS Server must be configured to prohibit or restrict unapproved ports and protocols.

CONFIGURATION MANAGEMENT

WDNS-IA-000001 - The Windows 2012 DNS Server must require devices to re-authenticate for each dynamic update request connection attempt.

SYSTEM AND COMMUNICATIONS PROTECTION

WDNS-IA-000002 - The Windows 2012 DNS Server must uniquely identify the other DNS server before responding to a server-to-server transaction.
WDNS-IA-000003 - The secondary Windows DNS name servers must cryptographically authenticate zone transfers from primary name servers.

SYSTEM AND COMMUNICATIONS PROTECTION

WDNS-IA-000004 - The Windows DNS primary server must only send zone transfers to a specific list of secondary name servers.

SYSTEM AND COMMUNICATIONS PROTECTION

WDNS-IA-000005 - The Windows 2012 DNS Server must provide its identity with returned DNS information by enabling DNSSEC and TSIG/SIG(0).

SYSTEM AND COMMUNICATIONS PROTECTION

WDNS-IA-000006 - The Windows 2012 DNS Server must be configured to enforce authorized access to the corresponding private key.

ACCESS CONTROL

WDNS-IA-000007 - The Windows 2012 DNS Server key file must be owned by the account under which the Windows 2012 DNS Server service is run.

ACCESS CONTROL

WDNS-IA-000008 - The Windows 2012 DNS Server permissions must be set so that the key file can only be read or modified by the account that runs the name server software.

ACCESS CONTROL

WDNS-IA-000009 - The private key corresponding to the ZSK must only be stored on the name server that does support dynamic updates.

CONFIGURATION MANAGEMENT

WDNS-IA-000011 - The Windows 2012 DNS Server must implement a local cache of revocation data for PKI authentication in the event revocation information via the network is not accessible.
WDNS-SC-000001 - The salt value for zones signed using NSEC3 RRs must be changed every time the zone is completely re-signed.

CONFIGURATION MANAGEMENT

WDNS-SC-000002 - The Windows 2012 DNS Server must include data origin with authoritative data the system returns in response to external name/address resolution queries.

SYSTEM AND COMMUNICATIONS PROTECTION