Skip to content

The Windows DNS Server must protect the authenticity of dynamic updates via transaction signing.

An XCCDF Rule

Description

<VulnDiscussion>DNS is a fundamental network service that is prone to various attacks, such as cache poisoning and man-in-the middle attacks. If communication sessions are not provided appropriate validity protections, such as the employment of DNSSEC, the authenticity of the data cannot be guaranteed. The combination of signing DNS zones by DNSSEC and requiring clients to send their dynamic updates securely ensures the authenticity of those DNS records when providing query responses for them.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID
SV-259390r945327_rule
Severity
High
References
Updated



Remediation - Manual Procedure

Sign or re-sign the hosted zone(s) on the DNS server being validated.

Log on to the Windows DNS Server using the account designated as Administrator or DNS Administrator.

If not automatically started, initialize the Server Manager window by clicking its icon from the bottom left corner of the screen.