Skip to content

The Windows DNS Server with a caching name server role must restrict recursive query responses to only the IP addresses and IP address ranges of known supported clients.

An XCCDF Rule

Description

<VulnDiscussion>A potential vulnerability of DNS is that an attacker can poison a name server's cache by sending queries that will cause the server to obtain host-to-IP address mappings from bogus name servers that respond with incorrect information. Once a name server has been poisoned, legitimate clients may be directed to nonexistent hosts (which constitutes a denial of service) or hosts that masquerade as legitimate ones to obtain sensitive data or passwords. To guard against poisoning, name servers specifically fulfilling the role of providing recursive query responses for external zones must be segregated from name servers authoritative for internal zones.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID
SV-259343r945244_rule
Severity
High
References
Updated



Remediation - Manual Procedure

Implement DNSSEC on all non-AD-integrated, standalone, caching Windows DNS Servers to ensure the caching server validates signed zones when resolving and caching.