Skip to content
Log In

Microsoft Windows Server Domain Name System (DNS) Security Technical Implementation Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • SRG-APP-000214-DNS-000079

    Group
    Show

  • SRG-APP-000218-DNS-000027

    Group
    Show

  • The Windows DNS name servers for a zone must be geographically dispersed.

    In addition to network-based separation, authoritative name servers should be dispersed geographically. In other words, in addition to being located on different network segments, the authoritative...
    Rule Medium Severity
    Show

  • SRG-APP-000383-DNS-000047

    Group
    Show

  • SRG-APP-000383-DNS-000047

    Group
    Show

  • SRG-APP-000383-DNS-000047

    Group
    Show

  • The Windows DNS Server with a caching name server role must restrict recursive query responses to only the IP addresses and IP address ranges of known supported clients.

    A potential vulnerability of DNS is that an attacker can poison a name server's cache by sending queries that will cause the server to obtain host-to-IP address mappings from bogus name servers tha...
    Rule High Severity
    Show

  • SRG-APP-000440-DNS-000065

    Group
    Show

  • The Windows DNS Server must implement cryptographic mechanisms to detect changes to information during transmission.

    Encrypting information for transmission protects it from unauthorized disclosure and modification. Cryptographic mechanisms implemented to protect information integrity include, for example, crypto...
    Rule Medium Severity
    Show

  • SRG-APP-000516-DNS-000078

    Group
    Show

  • The validity period for the Resource Record Signatures (RRSIGs) covering a zone's DNSKEY RRSet must be no less than two days and no more than one week.

    The best way for a zone administrator to minimize the impact of a key compromise is by limiting the validity period of RRSIGs in the zone and the parent zone. This strategy limits the time during w...
    Rule Medium Severity
    Show

  • SRG-APP-000516-DNS-000084

    Group
    Show

  • SRG-APP-000516-DNS-000085

    Group
    Show

  • The Windows DNS Server's zone files must have NS records that point to active name servers authoritative for the domain specified in that record.

    Poorly constructed NS records pose a security risk because they create conditions under which an adversary might be able to provide the missing authoritative name services that are improperly speci...
    Rule High Severity
    Show

  • SRG-APP-000516-DNS-000087

    Group
    Show

  • All authoritative name servers for a zone must be located on different network segments.

    Most enterprises have an authoritative primary server and a host of authoritative secondary name servers. It is essential that these authoritative name servers for an enterprise be located on diffe...
    Rule Medium Severity
    Show

  • SRG-APP-000516-DNS-000088

    Group
    Show

  • SRG-APP-000516-DNS-000089

    Group
    Show

  • SRG-APP-000516-DNS-000090

    Group
    Show

  • The digital signature algorithm used for DNSSEC-enabled zones must be FIPS-compatible.

    The choice of digital signature algorithm will be based on recommended algorithms in well-known standards. NIST's Digital Signature Standard (DSS) (FIPS186) provides three algorithm choices: - Digi...
    Rule Medium Severity
    Show

Node 2

siemur/test-space

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules