The Windows DNS Server must protect the authenticity of dynamic updates via transaction signing.
An XCCDF Rule
Description
<VulnDiscussion>DNS is a fundamental network service that is prone to various attacks, such as cache poisoning and man-in-the middle attacks. If communication sessions are not provided appropriate validity protections, such as the employment of DNSSEC, the authenticity of the data cannot be guaranteed. The combination of signing DNS zones by DNSSEC and requiring clients to send their dynamic updates securely ensures the authenticity of those DNS records when providing query responses for them.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-259390r945327_rule
- Severity
- High
- References
- Updated
Remediation - Manual Procedure
Sign or re-sign the hosted zone(s) on the DNS server being validated.
Log on to the Windows DNS Server using the account designated as Administrator or DNS Administrator.
If not automatically started, initialize the Server Manager window by clicking its icon from the bottom left corner of the screen.