Skip to content

The Windows DNS Server authoritative for local zones must only point root hints to the DNS servers that host the internal root domain.

An XCCDF Rule

Description

<VulnDiscussion>All caching name servers must be authoritative for the root zone because, without this starting point, they would have no knowledge of the DNS infrastructure and thus would be unable to respond to any queries. The security risk is that an adversary could change the root hints and direct the caching name server to a bogus root server. At that point, every query response from that name server is suspect, which would give the adversary substantial control over the network communication of the name servers' clients. When authoritative servers are sent queries for zones that they are not authoritative for, and they are configured as a noncaching server (as recommended), they can be configured to either return a referral to the root servers or refuse to answer the query. The recommendation is to configure authoritative servers to refuse to answer queries for any zones for which they are not authoritative. This is more efficient for the server and allows it to spend more of its resources fulfilling its intended purpose of answering authoritatively for its zone.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID
SV-259357r961863_rule
Severity
Medium
References
Updated



Remediation - Manual Procedure

Log on to the authoritative DNS server using the Domain Admin or Enterprise Admin account.

Press the Windows key + R and execute "dnsmgmt.msc".

Right-click the DNS server and select "Properties".