Microsoft Windows Server Domain Name System (DNS) Security Technical Implementation Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • SRG-APP-000001-DNS-000115

    Group
  • The Windows DNS Server must restrict incoming dynamic update requests to known clients.

    Limiting the number of concurrent sessions reduces the risk of denial of service (DoS) on any system. A DNS server's function requires it to be able to handle multiple sessions at a time, so limit...
    Rule Medium Severity
  • The Windows DNS Server must be configured to record who added/modified/deleted DNS zone information.

    Without a means for identifying the individual that produced the information, the information cannot be relied on. Identifying the validity of information may be delayed or deterred. This requirem...
    Rule Medium Severity
  • The "Manage auditing and security log" user right must be assigned only to authorized personnel.

    Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. The actual...
    Rule Medium Severity
  • The validity period for the Resource Record Signatures (RRSIGs) covering the Delegation Signer (DS) Resource Record (RR) for a zone's delegated children must be no less than two days and no more than one week.

    The best way for a zone administrator to minimize the impact of a key compromise is by limiting the validity period of RRSIGs in the zone and the parent zone. This strategy limits the time during w...
    Rule Medium Severity
  • The Windows DNS Server must prohibit recursion on authoritative name servers for which forwarders have not been configured for external queries.

    A potential vulnerability of DNS is that an attacker can poison a name server's cache by sending queries that will cause the server to obtain host-to-IP address mappings from bogus name servers tha...
    Rule Medium Severity
  • Forwarders on an authoritative Windows DNS Server, if enabled for external resolution, must forward only to an internal, non-Active Directory (AD)-integrated DNS server or to the DOD Enterprise Recursive Services (ERS).

    A potential vulnerability of DNS is that an attacker can poison a name server's cache by sending queries that will cause the server to obtain host-to-IP address mappings from bogus name servers tha...
    Rule Medium Severity
  • NSEC3 must be used for all internal DNS zones.

    NSEC records list the resource record types for the name, as well as the name of the next resource record. This information reveals that the resource record type for the name queried, or the resour...
    Rule Medium Severity
  • All authoritative name servers for a zone must have the same version of zone information.

    The only protection approach for content control of a DNS zone file is the use of a zone file integrity checker. The effectiveness of integrity checking using a zone file integrity checker depends ...
    Rule Medium Severity
  • The Windows DNS Server must be configured to enable DNSSEC Resource Records (RRs).

    The specification for a digital signature mechanism in the context of the DNS infrastructure is in the Internet Engineering Task Force's (IETF's) DNSSEC standard. In DNSSEC, trust in the public key...
    Rule High Severity
  • Primary authoritative name servers must be configured to only receive zone transfer requests from specified secondary name servers.

    Authoritative name servers (especially primary name servers) should be configured with an allow-transfer access control substatement designating the list of hosts from which zone transfer requests ...
    Rule Medium Severity
  • The Windows DNS Server's zone database files must not be accessible for edit/write by users and/or processes other than the Windows DNS Server service account and/or the DNS database administrator.

    Discretionary Access Control (DAC) is based on the premise that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in whic...
    Rule Medium Severity
  • The Windows DNS Server's zone files must not include resource records that resolve to a fully qualified domain name residing in another zone.

    If a name server could claim authority for a resource record in a domain for which it was not authoritative, this would pose a security risk. In this environment, an adversary could use illicit con...
    Rule Medium Severity
  • AAAA addresses must not be configured in a zone for hosts that are not dual stack.

    DNS is only responsible for resolving a domain name to an IP address. Applications and operating systems are responsible for processing the IPv6 or IPv4 record that may be returned. A denial of s...
    Rule Medium Severity
  • The secondary Windows DNS name servers must cryptographically authenticate zone transfers from primary name servers.

    Authenticity of zone transfers within Windows Active Directory (AD)-integrated zones is accomplished by AD replication. Without authenticating devices, unidentified or unknown devices may be introd...
    Rule Medium Severity
  • The Windows DNS primary server must only send zone transfers to a specific list of secondary name servers.

    Primary name servers also make outbound connection to secondary name servers to provide zone transfers and accept inbound connection requests from clients wishing to provide a dynamic update. Prima...
    Rule Medium Severity
  • The Windows DNS Server permissions must be set so the key file can only be read or modified by the account that runs the name server software.

    To enable zone transfer (requests and responses) through authenticated messages, it is necessary to generate a key for every pair of name servers. The key can also be used for securing other transa...
    Rule Medium Severity
  • The Windows DNS Server's IP address must be statically defined and configured locally on the server.

    The major threat associated with DNS forged responses or failures is the integrity of the DNS data returned in the response. The principle of DNSSEC is to mitigate this threat by providing data ori...
    Rule Medium Severity
  • The Windows DNS Server must use DNSSEC data within queries to confirm data origin to DNS resolvers.

    The major threat associated with DNS forged responses or failures is the integrity of the DNS data returned in the response. The principle of DNSSEC is to mitigate this threat by providing data ori...
    Rule Medium Severity
  • The Windows DNS Server must use DNSSEC data within queries to confirm data integrity to DNS resolvers.

    The major threat associated with DNS forged responses or failures is the integrity of the DNS data returned in the response. The principle of DNSSEC is to mitigate this threat by providing data ori...
    Rule Medium Severity
  • The Windows DNS Server must enforce approved authorizations between DNS servers using digital signatures in the Resource Record Set (RRSet).

    A mechanism to detect and prevent unauthorized communication flow must be configured or provided as part of the system design. If information flow is not enforced based on approved authorizations, ...
    Rule Medium Severity
  • Automatic Update of Trust Anchors must be enabled on key rollover.

    A trust anchor is a preconfigured public key associated with a specific zone. A validating DNS server must be configured with one or more trust anchors to perform validation. If the DNS server is r...
    Rule Medium Severity
  • The Windows DNS secondary servers must request data origin authentication verification from the primary server when requesting name/address resolution.

    If data origin authentication and data integrity verification are not performed, the resultant response could be forged, it may have come from a poisoned cache, the packets could have been intercep...
    Rule Medium Severity
  • The Windows DNS secondary server must validate data integrity verification on the name/address resolution responses received from primary name servers.

    If data origin authentication and data integrity verification are not performed, the resultant response could be forged, it may have come from a poisoned cache, the packets could have been intercep...
    Rule Medium Severity
  • The Windows DNS secondary server must validate data origin verification authentication on the name/address resolution responses received from primary name servers.

    If data origin authentication and data integrity verification are not performed, the resultant response could be forged, it may have come from a poisoned cache, the packets could have been intercep...
    Rule Medium Severity
  • The Windows DNS Server must use an approved DOD PKI certificate authority.

    Untrusted certificate authorities (CA) can issue certificates, but the certificates may be issued by organizations or individuals that seek to compromise DOD systems or by organizations with insuff...
    Rule Medium Severity
  • The Windows DNS Server must restrict individuals from using it for launching denial-of-service (DoS) attacks against other information systems.

    Applications and application developers must take steps to ensure users cannot use an authorized application to launch DoS attacks against other systems and networks. For example, applications may ...
    Rule Medium Severity
  • The Windows DNS Server must maintain the integrity of information during preparation for transmission.

    Information can be unintentionally or maliciously disclosed or modified during preparation for transmission, including, for example, during aggregation, at protocol transformation points, and durin...
    Rule Medium Severity
  • The Windows DNS Server must implement NIST FIPS-validated cryptography for provisioning digital signatures, generating cryptographic hashes, and protecting unclassified information requiring confidentiality.

    Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The application must implement cryptographic modules adhering to the higher standards appr...
    Rule Medium Severity
  • The Windows DNS Server must follow procedures to re-role a secondary name server as the primary name server if the primary name server permanently loses functionality.

    Failing to an unsecure condition negatively impacts application security and can lead to system compromise. Failure conditions include, for example, loss of communications among critical system com...
    Rule Medium Severity
  • The DNS Name Server software must be configured to refuse queries for its version information.

    Each newer version of the name server software, especially the BIND software, generally is devoid of vulnerabilities found in earlier versions because it has design changes incorporated to address ...
    Rule Medium Severity
  • The Windows DNS Server must verify the correct operation of security functions upon system startup and/or restart, upon command by a user with privileged access, and/or every 30 days.

    Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data ...
    Rule Medium Severity
  • The Windows DNS Server must log the event and notify the system administrator when anomalies in the operation of the signed zone transfers are discovered.

    Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data ...
    Rule Medium Severity
  • The DNS server implementation must employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions.

    If unauthorized personnel use maintenance tools, they may accidentally or intentionally damage or compromise the system. The act of managing systems and applications includes the ability to access ...
    Rule Medium Severity
  • SRG-APP-000348-DNS-000042

    Group
  • SRG-APP-000350-DNS-000044

    Group
  • The Windows DNS Server must notify the DNS administrator in the event of an error validating another DNS server's identity.

    Failing to act on validation errors may result in the use of invalid, corrupted, or compromised information. The validation of bindings can be achieved, for example, using cryptographic checksums. ...
    Rule Medium Severity
  • SRG-APP-000089-DNS-000004

    Group
  • The Windows DNS Server log must be enabled.

    Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. The actual...
    Rule Medium Severity
  • SRG-APP-000516-DNS-000500

    Group
  • SRG-APP-000214-DNS-000079

    Group
  • SRG-APP-000218-DNS-000027

    Group
  • The Windows DNS name servers for a zone must be geographically dispersed.

    In addition to network-based separation, authoritative name servers should be dispersed geographically. In other words, in addition to being located on different network segments, the authoritative...
    Rule Medium Severity
  • SRG-APP-000383-DNS-000047

    Group
  • SRG-APP-000383-DNS-000047

    Group
  • SRG-APP-000383-DNS-000047

    Group
  • The Windows DNS Server with a caching name server role must restrict recursive query responses to only the IP addresses and IP address ranges of known supported clients.

    A potential vulnerability of DNS is that an attacker can poison a name server's cache by sending queries that will cause the server to obtain host-to-IP address mappings from bogus name servers tha...
    Rule High Severity
  • SRG-APP-000440-DNS-000065

    Group
  • The Windows DNS Server must implement cryptographic mechanisms to detect changes to information during transmission.

    Encrypting information for transmission protects it from unauthorized disclosure and modification. Cryptographic mechanisms implemented to protect information integrity include, for example, crypto...
    Rule Medium Severity
  • SRG-APP-000516-DNS-000078

    Group