Skip to content
ATO Pathways
Log In
Overview
Search
Catalogs
SCAP
OSCAL
Catalogs
Profiles
Documents
References
Knowledge Base
Platform Documentation
Compliance Dictionary
Platform Changelog
About
Catalogs
XCCDF
Microsoft Windows Server Domain Name System (DNS) Security Technical Implementation Guide
SRG-APP-000516-DNS-000114
The Windows DNS Server's zone files must not include CNAME records pointing to a zone with lesser security for more than six months.
The Windows DNS Server's zone files must not include CNAME records pointing to a zone with lesser security for more than six months.
An XCCDF Rule
Details
Profiles
Prose
The Windows DNS Server's zone files must not include CNAME records pointing to a zone with lesser security for more than six months.
Medium Severity
<VulnDiscussion>The use of CNAME records for exercises, tests, or zone-spanning (pointing to zones with lesser security) aliases should be temporary (e.g., to facilitate a migration) and not be in place for more than six months. When a host name is an alias for a record in another zone, an adversary has two points of attack: the zone in which the alias is defined and the zone authoritative for the alias's canonical name. This configuration also reduces the speed of client resolution because it requires a second lookup after obtaining the canonical name. In the case of an authoritative name server, this information is promulgated throughout the enterprise to caching servers, which compounds the vulnerability.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>