The Windows DNS name servers for a zone must be geographically dispersed.

An XCCDF Rule

Description

<VulnDiscussion>In addition to network-based separation, authoritative name servers should be dispersed geographically. In other words, in addition to being located on different network segments, the authoritative name servers should not all be located in the same building. One approach is to locate some authoritative name servers on the organization's own premises and others in its internet service provider's data centers or in partnering organizations. A network administrator may choose to use a "hidden" primary authoritative server and have only secondary servers visible on the network. A hidden primary authoritative server is an authoritative DNS server whose IP address does not appear in the name server (NS) set for a zone. If the primary authoritative name server is hidden, a secondary authoritative name server may reside in the same building as the hidden primary.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID
SV-259340r945239_rule
Severity
Medium

Remediation - Manual Procedure

For non-AD-integrated Windows DNS servers, distribute the secondary authoritative servers so that they are located in different buildings from the primary authoritative server.
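The following audit helper is an added example, not part of the STIG rule text. It runs on a Windows DNS server with the DnsServer module, reads the zone's SOA and NS records to determine whether the primary is hidden, and compares the visible name servers against a building inventory; the `$SiteOf` hashtable and the `example.test` hostnames are constructed, hypothetical data that must be replaced with the organization's own asset records.

```powershell
# Added audit helper for the dispersion rule (not part of the STIG rule text).
# Assumes: runs on a Windows DNS server hosting a non-AD-integrated zone,
# DnsServer module present, Resolve-DnsName available (DnsClient module).
# $SiteOf is a constructed, hypothetical inventory of name server -> building.
param(
    [Parameter(Mandatory)] [string] $ZoneName
)
Import-Module DnsServer

$SiteOf = @{
    'ns1.example.test' = 'HQ-Building-A'
    'ns2.example.test' = 'HQ-Building-A'
    'ns3.example.test' = 'ISP-Datacenter'
}

# Primary name server named in the zone's SOA record (the MNAME field).
$soa     = Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType Soa
$primary = $soa.RecordData.PrimaryServer.TrimEnd('.').ToLower()

# Name servers published at the zone apex: the set visible to resolvers.
$nsSet = Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType Ns -Name '@' |
    ForEach-Object { $_.RecordData.NameServer.TrimEnd('.').ToLower() } |
    Sort-Object -Unique

# A hidden primary is one whose name is absent from the published NS set;
# the rule allows it to share a building with one secondary, so only the
# visible set is checked for dispersion below.
$hiddenPrimary = $primary -notin $nsSet
Write-Host "Zone $ZoneName primary (SOA MNAME): $primary"
Write-Host ("Hidden primary: {0}" -f $hiddenPrimary)

# Resolve each visible server and look up its building in the inventory.
$report = foreach ($ns in $nsSet) {
    $ips = (Resolve-DnsName -Name $ns -Type A -ErrorAction SilentlyContinue).IPAddress -join ','
    [pscustomobject]@{
        NameServer = $ns
        IPs        = $ips
        Building   = if ($SiteOf.ContainsKey($ns)) { $SiteOf[$ns] } else { 'UNKNOWN' }
    }
}
$report | Format-Table -AutoSize

# Finding: the visible authoritative set spans fewer than two known buildings.
$buildings = $report.Building | Where-Object { $_ -ne 'UNKNOWN' } | Sort-Object -Unique
if ($buildings.Count -lt 2) {
    Write-Warning "Visible name servers for $ZoneName are not geographically dispersed."
} else {
    Write-Host "Visible name servers for $ZoneName span $($buildings.Count) buildings."
}
```

Servers reported as UNKNOWN are not in the inventory and need to be placed before the finding can be closed.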