WDNS-CM-000019 - Primary authoritative name servers must be configured to only receive zone transfer requests from specified secondary name servers.

Information

Authoritative name servers (especially primary name servers) should be configured with an allow-transfer access control sub statement designating the list of hosts from which zone transfer requests can be accepted. These restrictions address the denial-of-service threat and potential exploits from unrestricted dissemination of information about internal resources. Based on the need-to-know, the only name servers that need to refresh their zone files periodically are the secondary name servers. Zone transfer from primary name servers should be restricted to secondary name servers. The zone transfer should be completely disabled in the secondary name servers. The address match list argument for the allow-transfer sub statement should consist of IP addresses of secondary name servers and stealth secondary name servers.

Solution

Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account.

Press Windows Key + R, execute dnsmgmt.msc.

On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server, and then expand Forward Lookup Zones.

From the expanded list, click to select the zone.

Right-click the zone and select 'Properties'.

Select the 'Zone Transfers' tab.

Select the 'Only to servers listed on the Name Server tab' or 'Only to the following servers' check box or deselect the 'Allow zone transfers' check box.

Click 'OK'.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Windows_2012_Server_DNS_V2R1_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-20, CAT|II, CCI|CCI-000366, Rule-ID|SV-215588r561297_rule, STIG-ID|WDNS-CM-000019, STIG-Legacy|SV-73039, STIG-Legacy|V-58609, Vuln-ID|V-215588

Plugin: Windows

Control ID: d429ffe70893b3d4edf4c52adba37a16eae66fda0ee9590bd571e54fae1397a8