Microsoft Windows Server Domain Name System (DNS) Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
The validity period for the Resource Record Signatures (RRSIGs) covering a zone's DNSKEY RRSet must be no less than two days and no more than one week.
The best way for a zone administrator to minimize the impact of a key compromise is by limiting the validity period of RRSIGs in the zone and the parent zone. This strategy limits the time during w... (Rule, Medium Severity)
SRG-APP-000516-DNS-000084
Group
SRG-APP-000516-DNS-000085
Group
The Windows DNS Server's zone files must have NS records that point to active name servers authoritative for the domain specified in that record.
Poorly constructed NS records pose a security risk because they create conditions under which an adversary might be able to provide the missing authoritative name services that are improperly speci... (Rule, High Severity)
SRG-APP-000516-DNS-000087
Group
All authoritative name servers for a zone must be located on different network segments.
Most enterprises have an authoritative primary server and a host of authoritative secondary name servers. It is essential that these authoritative name servers for an enterprise be located on diffe... (Rule, Medium Severity)
SRG-APP-000516-DNS-000088
Group
SRG-APP-000516-DNS-000089
Group
SRG-APP-000516-DNS-000090
Group
The digital signature algorithm used for DNSSEC-enabled zones must be FIPS-compatible.
The choice of digital signature algorithm will be based on recommended algorithms in well-known standards. NIST's Digital Signature Standard (DSS) (FIPS186) provides three algorithm choices: - Digi... (Rule, Medium Severity)
SRG-APP-000516-DNS-000091
Group
For zones split between the external and internal sides of a network, the resource records (RRs) for the external hosts must be separate from the RRs for the internal hosts.
Authoritative name servers for an enterprise may be configured to receive requests from both external and internal clients. External clients need to receive RRs that pertain only to public servic... (Rule, Medium Severity)
SRG-APP-000516-DNS-000092
Group
In a split DNS configuration between the external and internal networks, the external name server must be configured to not be reachable from inside resolvers.
Instead of having the same set of authoritative name servers serve different types of clients, an enterprise could have two different sets of authoritative name servers. One set, called external ... (Rule, Medium Severity)
SRG-APP-000516-DNS-000095
Group
SRG-APP-000215-DNS-000026
Group
SRG-APP-000516-DNS-000099
Group
SRG-APP-000516-DNS-000101
Group
The Windows DNS Server must implement internal/external role separation.
DNS servers with an internal role only process name/address resolution requests from within the organization (i.e., internal clients). DNS servers with an external role only process name/address re... (Rule, Medium Severity)
SRG-APP-000516-DNS-000102
Group
The Windows DNS Server authoritative for local zones must only point root hints to the DNS servers that host the internal root domain.
All caching name servers must be authoritative for the root zone because, without this starting point, they would have no knowledge of the DNS infrastructure and thus would be unable to respond to ... (Rule, Medium Severity)
SRG-APP-000516-DNS-000113
Group
SRG-APP-000516-DNS-000114
Group
The Windows DNS Server's zone files must not include CNAME records pointing to a zone with lesser security for more than six months.
The use of CNAME records for exercises, tests, or zone-spanning (pointing to zones with lesser security) aliases should be temporary (e.g., to facilitate a migration) and not be in place for more t... (Rule, Medium Severity)
SRG-APP-000516-DNS-000500
Group
Nonroutable IPv6 link-local scope addresses must not be configured in any zone.
IPv6 link-local scope addresses are not globally routable and must not be configured in any DNS zone. Like RFC1918 addresses, if a link-local scope address is inserted into a zone provided to clien... (Rule, Medium Severity)
SRG-APP-000516-DNS-000500
Group
SRG-APP-000158-DNS-000015
Group
The Windows DNS Server must uniquely identify the other DNS server before responding to a server-to-server transaction.
Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. This applies to server-to-server (zone transfer) transactions only and is pr... (Rule, Medium Severity)
SRG-APP-000394-DNS-000049
Group
SRG-APP-000001-DNS-000001
Group
SRG-APP-000347-DNS-000041
Group
The Windows DNS Server must provide its identity with returned DNS information by enabling DNSSEC and TSIG/SIG(0).
Weakly bound credentials can be modified without invalidating the credential; therefore, nonrepudiation can be violated. This requirement supports audit requirements that provide organizational pe... (Rule, Medium Severity)
SRG-APP-000176-DNS-000017
Group
The Windows DNS Server must be configured to enforce authorized access to the corresponding private key.
The cornerstone of the PKI is the private key used to encrypt or digitally sign information. If the private key is stolen, this will lead to the compromise of the authentication and nonrepudiation ... (Rule, Medium Severity)
SRG-APP-000176-DNS-000018
Group
The Windows DNS Server key file must be owned by the account under which the Windows DNS Server service is run.
To enable zone transfer (requests and responses) through authenticated messages, it is necessary to generate a key for every pair of name servers. The key can also be used for securing other transa... (Rule, Medium Severity)
SRG-APP-000176-DNS-000019
Group
SRG-APP-000176-DNS-000094
Group
The private key corresponding to the zone signing key (ZSK) must only be stored on the name server that does support dynamic updates.
The private keys in the key signing key (KSK) and ZSK key pairs must be protected from unauthorized access. If possible, the private keys should be stored offline (with respect to the internet-faci... (Rule, Medium Severity)
SRG-APP-000401-DNS-000051
Group
The Windows DNS Server must implement a local cache of revocation data for PKI authentication.
Not configuring a local cache of revocation data could allow access to users who are no longer authorized (users with revoked certificates). SIG(0) is used for server-to-server authentication for ... (Rule, Medium Severity)
SRG-APP-000516-DNS-000077
Group
The salt value for zones signed using NSEC3 resource records (RRs) must be changed every time the zone is completely re-signed.
NSEC records list the resource record types for the name, as well as the name of the next resource record. With this information it is revealed that the resource record type for the name queried, o... (Rule, Medium Severity)
SRG-APP-000213-DNS-000024
Group
The Windows DNS Server must include data origin with authoritative data the system returns in response to external name/address resolution queries.
The underlying feature in the major threat associated with DNS query/response (i.e., forged response or response failure) is the integrity of DNS data returned in the response. The security objecti... (Rule, Medium Severity)
SRG-APP-000420-DNS-000053
Group
SRG-APP-000420-DNS-000053
Group
The Windows DNS Server must return data information in response to internal name/address resolution queries.
The major threat associated with DNS forged responses or failures is the integrity of the DNS data returned in the response. The principle of DNSSEC is to mitigate this threat by providing data ori... (Rule, Medium Severity)
SRG-APP-000421-DNS-000054
Group