| V-259334 | | The Windows DNS Server must restrict incoming dynamic update requests to known clients. | Limiting the number of concurrent sessions reduces the risk of denial of service (DoS) on any system.
A DNS server's function requires it to be able ... |
| V-259335 | | The Windows DNS Server must be configured to record who added/modified/deleted DNS zone information. | Without a means for identifying the individual that produced the information, the information cannot be relied on. Identifying the validity of informa... |
| V-259336 | | The Windows DNS Server must notify the DNS administrator in the event of an error validating another DNS server's identity. | Failing to act on validation errors may result in the use of invalid, corrupted, or compromised information. The validation of bindings can be achieve... |
| V-259337 | | The Windows DNS Server log must be enabled. | Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or... |
| V-259338 | | The "Manage auditing and security log" user right must be assigned only to authorized personnel. | Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or... |
| V-259339 | | The validity period for the Resource Record Signatures (RRSIGs) covering the Delegation Signer (DS) Resource Record (RR) for a zone's delegated children must be no less than two days and no more than one week. | The best way for a zone administrator to minimize the impact of a key compromise is by limiting the validity period of RRSIGs in the zone and the pare... |
| V-259340 | | The Windows DNS name servers for a zone must be geographically dispersed. | In addition to network-based separation, authoritative name servers should be dispersed geographically. In other words, in addition to being located o... |
| V-259341 | | The Windows DNS Server must prohibit recursion on authoritative name servers for which forwarders have not been configured for external queries. | A potential vulnerability of DNS is that an attacker can poison a name server's cache by sending queries that will cause the server to obtain host-to-... |
| V-259342 | | Forwarders on an authoritative Windows DNS Server, if enabled for external resolution, must forward only to an internal, non-Active Directory (AD)-integrated DNS server or to the DOD Enterprise Recursive Services (ERS). | A potential vulnerability of DNS is that an attacker can poison a name server's cache by sending queries that will cause the server to obtain host-to-... |
| V-259344 | | The Windows DNS Server must implement cryptographic mechanisms to detect changes to information during transmission. | Encrypting information for transmission protects it from unauthorized disclosure and modification. Cryptographic mechanisms implemented to protect inf... |
| V-259345 | | The validity period for the Resource Record Signatures (RRSIGs) covering a zone's DNSKEY RRSet must be no less than two days and no more than one week. | The best way for a zone administrator to minimize the impact of a key compromise is by limiting the validity period of RRSIGs in the zone and the pare... |
| V-259346 | | NSEC3 must be used for all internal DNS zones. | NSEC records list the resource record types for the name, as well as the name of the next resource record. This information reveals that the resource ... |
| V-259348 | | All authoritative name servers for a zone must be located on different network segments. | Most enterprises have an authoritative primary server and a host of authoritative secondary name servers. It is essential that these authoritative nam... |
| V-259349 | | All authoritative name servers for a zone must have the same version of zone information. | The only protection approach for content control of a DNS zone file is the use of a zone file integrity checker. The effectiveness of integrity checki... |
| V-259351 | | The digital signature algorithm used for DNSSEC-enabled zones must be FIPS-compatible. | The choice of digital signature algorithm will be based on recommended algorithms in well-known standards. NIST's Digital Signature Standard (DSS) (FI... |
| V-259352 | | For zones split between the external and internal sides of a network, the resource records (RRs) for the external hosts must be separate from the RRs for the internal hosts. | Authoritative name servers for an enterprise may be configured to receive requests from both external and internal clients.
External clients need to... |
| V-259353 | | In a split DNS configuration between the external and internal networks, the external name server must be configured to not be reachable from inside resolvers. | Instead of having the same set of authoritative name servers serve different types of clients, an enterprise could have two different sets of authorit... |
| V-259354 | | Primary authoritative name servers must be configured to only receive zone transfer requests from specified secondary name servers. | Authoritative name servers (especially primary name servers) should be configured with an allow-transfer access control substatement designating the l... |
| V-259355 | | The Windows DNS Servers zone database files must not be accessible for edit/write by users and/or processes other than the Windows DNS Server service account and/or the DNS database administrator. | Discretionary Access Control (DAC) is based on the premise that individual users are "owners" of objects and therefore have discretion over who should... |
| V-259356 | | The Windows DNS Server must implement internal/external role separation. | DNS servers with an internal role only process name/address resolution requests from within the organization (i.e., internal clients). DNS servers wit... |
| V-259357 | | The Windows DNS Server authoritative for local zones must only point root hints to the DNS servers that host the internal root domain. | All caching name servers must be authoritative for the root zone because, without this starting point, they would have no knowledge of the DNS infrast... |
| V-259358 | | The Windows DNS Servers zone files must not include resource records that resolve to a fully qualified domain name residing in another zone. | If a name server could claim authority for a resource record in a domain for which it was not authoritative, this would pose a security risk. In this ... |
| V-259359 | | The Windows DNS Server's zone files must not include CNAME records pointing to a zone with lesser security for more than six months. | The use of CNAME records for exercises, tests, or zone-spanning (pointing to zones with lesser security) aliases should be temporary (e.g., to facilit... |
| V-259360 | | Nonroutable IPv6 link-local scope addresses must not be configured in any zone. | IPv6 link-local scope addresses are not globally routable and must not be configured in any DNS zone. Like RFC1918 addresses, if a link-local scope ad... |
| V-259361 | | AAAA addresses must not be configured in a zone for hosts that are not dual stack. | DNS is only responsible for resolving a domain name to an IP address. Applications and operating systems are responsible for processing the IPv6 or IP... |
| V-259363 | | The Windows DNS Server must uniquely identify the other DNS server before responding to a server-to-server transaction. | Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. This applies to server-to-ser... |
| V-259364 | | The secondary Windows DNS name servers must cryptographically authenticate zone transfers from primary name servers. | Authenticity of zone transfers within Windows Active Directory (AD)-integrated zones is accomplished by AD replication. Without authenticating devices... |
| V-259365 | | The Windows DNS primary server must only send zone transfers to a specific list of secondary name servers. | Primary name servers also make outbound connection to secondary name servers to provide zone transfers and accept inbound connection requests from cli... |
| V-259366 | | The Windows DNS Server must provide its identity with returned DNS information by enabling DNSSEC and TSIG/SIG(0). | Weakly bound credentials can be modified without invalidating the credential; therefore, nonrepudiation can be violated.
This requirement supports au... |
| V-259367 | | The Windows DNS Server must be configured to enforce authorized access to the corresponding private key. | The cornerstone of the PKI is the private key used to encrypt or digitally sign information. If the private key is stolen, this will lead to the compr... |
| V-259368 | | The Windows DNS Server key file must be owned by the account under which the Windows DNS Server service is run. | To enable zone transfer (requests and responses) through authenticated messages, it is necessary to generate a key for every pair of name servers. The... |
| V-259369 | | The Windows DNS Server permissions must be set so the key file can only be read or modified by the account that runs the name server software. | To enable zone transfer (requests and responses) through authenticated messages, it is necessary to generate a key for every pair of name servers. The... |
| V-259370 | | The private key corresponding to the zone signing key (ZSK) must only be stored on the name server that does support dynamic updates. | The private keys in the key signing key (KSK) and ZSK key pairs must be protected from unauthorized access. If possible, the private keys should be st... |
| V-259371 | | The Windows DNS Server must implement a local cache of revocation data for PKI authentication. | Not configuring a local cache of revocation data could allow access to users who are no longer authorized (users with revoked certificates).
SIG(0) i... |
| V-259372 | | The salt value for zones signed using NSEC3 resource records (RRs) must be changed every time the zone is completely re-signed. | NSEC records list the resource record types for the name, as well as the name of the next resource record. With this information it is revealed that t... |
| V-259373 | | The Windows DNS Server must include data origin with authoritative data the system returns in response to external name/address resolution queries. | The underlying feature in the major threat associated with DNS query/response (i.e., forged response or response failure) is the integrity of DNS data... |
| V-259374 | | The Windows DNS Server's IP address must be statically defined and configured locally on the server. | The major threat associated with DNS forged responses or failures is the integrity of the DNS data returned in the response. The principle of DNSSEC i... |
| V-259375 | | The Windows DNS Server must return data information in response to internal name/address resolution queries. | The major threat associated with DNS forged responses or failures is the integrity of the DNS data returned in the response. The principle of DNSSEC i... |
| V-259376 | | The Windows DNS Server must use DNSSEC data within queries to confirm data origin to DNS resolvers. | The major threat associated with DNS forged responses or failures is the integrity of the DNS data returned in the response. The principle of DNSSEC i... |
| V-259377 | | WINS lookups must be disabled on the Windows DNS Server. | The major threat associated with DNS forged responses or failures is the integrity of the DNS data returned in the response. The principle of DNSSEC i... |
| V-259378 | | The Windows DNS Server must use DNSSEC data within queries to confirm data integrity to DNS resolvers. | The major threat associated with DNS forged responses or failures is the integrity of the DNS data returned in the response. The principle of DNSSEC i... |
| V-259379 | | The Windows DNS Server must be configured with the Delegation Signer (DS) Resource Records (RR) carrying the signature for the RR that contains the public key of the child zone. | If name server replies are invalid or cannot be validated, many networking functions and communication would be adversely affected. With DNS, the pres... |
| V-259380 | | The Windows DNS Server must enforce approved authorizations between DNS servers using digital signatures in the Resource Record Set (RRSet). | A mechanism to detect and prevent unauthorized communication flow must be configured or provided as part of the system design. If information flow is ... |
| V-259381 | | The Name Resolution Policy Table (NRPT) must be configured in Group Policy to enforce clients to request DNSSEC validation for a domain. | The NRPT is used to require DNSSEC validation. The NRPT can be configured in local Group Policy for a single computer or domain Group Policy for some ... |
| V-259382 | | The Windows DNS Server must be configured to validate an authentication chain of parent and child domains via response data. | If name server replies are invalid or cannot be validated, many networking functions and communication would be adversely affected. With DNS, the pres... |
| V-259383 | | Trust anchors must be exported from authoritative Windows DNS Servers and distributed to validating Windows DNS Servers. | If name server replies are invalid or cannot be validated, many networking functions and communication would be adversely affected. With DNS, the pres... |
| V-259384 | | Automatic Update of Trust Anchors must be enabled on key rollover. | A trust anchor is a preconfigured public key associated with a specific zone. A validating DNS server must be configured with one or more trust anchor... |
| V-259385 | | The Windows DNS secondary servers must request data origin authentication verification from the primary server when requesting name/address resolution. | If data origin authentication and data integrity verification are not performed, the resultant response could be forged, it may have come from a poiso... |
| V-259386 | | The Windows DNS secondary server must request data integrity verification from the primary server when requesting name/address resolution. | If data origin authentication and data integrity verification are not performed, the resultant response could be forged, it may have come from a poiso... |
| V-259387 | | The Windows DNS secondary server must validate data integrity verification on the name/address resolution responses received from primary name servers. | If data origin authentication and data integrity verification are not performed, the resultant response could be forged, it may have come from a poiso... |
| V-259388 | | The Windows DNS secondary server must validate data origin verification authentication on the name/address resolution responses received from primary name servers. | If data origin authentication and data integrity verification are not performed, the resultant response could be forged, it may have come from a poiso... |
| V-259389 | | The Windows DNS Server must protect the authenticity of zone transfers via transaction signing. | Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. This applies to server-to-ser... |
| V-259391 | | The Windows DNS Server must protect the authenticity of query responses via DNSSEC. | The underlying feature in the major threat associated with DNS query/response (i.e., forged response or response failure) is the integrity of DNS data... |
| V-259392 | | The Windows DNS Server must use an approved DOD PKI certificate authority. | Untrusted certificate authorities (CA) can issue certificates, but the certificates may be issued by organizations or individuals that seek to comprom... |
| V-259393 | | The Windows DNS Server must protect secret/private cryptographic keys while at rest. | Information at rest refers to the state of information when it is located on a secondary storage device within an organizational information system. M... |
| V-259394 | | The Windows DNS Server must only contain zone records that have been validated annually. | If zone information has not been validated in more than a year, there is no assurance that it is still valid. If invalid records are in a zone, an adv... |
| V-259395 | | The Windows DNS Server must restrict individuals from using it for launching denial-of-service (DoS) attacks against other information systems. | Applications and application developers must take steps to ensure users cannot use an authorized application to launch DoS attacks against other syste... |
| V-259396 | | The Windows DNS Server must use DNS Notify to prevent denial of service (DoS) through increase in workload. | In the case of application DoS attacks, care must be taken when designing the application to ensure it makes the best use of system resources. SQL que... |
| V-259398 | | The Windows DNS Server must maintain the integrity of information during preparation for transmission. | Information can be unintentionally or maliciously disclosed or modified during preparation for transmission, including, for example, during aggregatio... |
| V-259399 | | The Windows DNS Server must maintain the integrity of information during reception. | Information can be unintentionally or maliciously disclosed or modified during preparation for transmission, including, for example, during aggregatio... |
| V-259400 | | The Windows DNS Server must implement NIST FIPS-validated cryptography for provisioning digital signatures, generating cryptographic hashes, and protecting unclassified information requiring confidentiality. | Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The application must implement cryptographi... |
| V-259401 | | The Windows DNS Server must be configured to only allow zone information that reflects the environment for which it is authoritative, including IP ranges and IP versions. | DNS zone data for which a Windows DNS Server is authoritative should represent the network for which it is responsible. If a Windows DNS Server hosts ... |
| V-259402 | | The Windows DNS Server must follow procedures to re-role a secondary name server as the primary name server if the primary name server permanently loses functionality. | Failing to an unsecure condition negatively impacts application security and can lead to system compromise. Failure conditions include, for example, l... |
| V-259403 | | The DNS Name Server software must be configured to refuse queries for its version information. | Each newer version of the name server software, especially the BIND software, generally is devoid of vulnerabilities found in earlier versions because... |
| V-259404 | | The HINFO, RP, TXT, and LOC RR types must not be used in the zone SOA. | Several types of resource records (RRs) in the DNS are meant to convey information to humans and applications about the network, hosts, or services. T... |
| V-259405 | | The Windows DNS Server must, when a component failure is detected, activate a notification to the system administrator. | Predictable failure prevention requires organizational planning to address system failure issues. If components key to maintaining systems security fa... |
| V-259406 | | The Windows DNS Server must verify the correct operation of security functions upon startup and/or restart, upon command by a user with privileged access, and/or every 30 days. | Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy... |
| V-259407 | | The Windows DNS Server must verify the correct operation of security functions upon system startup and/or restart, upon command by a user with privileged access, and/or every 30 days. | Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy... |
| V-259408 | | The Windows DNS Server must log the event and notify the system administrator when anomalies in the operation of the signed zone transfers are discovered. | Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy... |
| V-259409 | | The Windows DNS Server must be configured to notify the information system security officer (ISSO), information system security manager (ISSM), or DNS administrator when functionality of DNSSEC/TSIG has been removed or broken. | Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy... |
| V-259410 | | A unique Transaction Signature (TSIG) key must be generated for each pair of communicating hosts. | To enable zone transfer (requests and responses) through authenticated messages, it is necessary to generate a key for every pair of name servers. The... |
| V-259411 | | The DNS server implementation must employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions. | If unauthorized personnel use maintenance tools, they may accidentally or intentionally damage or compromise the system. The act of managing systems a... |
| V-259412 | | In the event of a system failure, the Windows DNS Server must preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to mission processes. | Failure to a known state can address safety or security in accordance with the mission/business needs of the organization. Failure to a known secure s... |
| V-259413 | | The DNS Name Server software must run with restricted privileges. | Failure to provide logical access restrictions associated with changes to application configuration may have significant effects on the overall securi... |
| V-259414 | | The private keys corresponding to both the zone signing key (ZSK) and the key signing key (KSK) must not be kept on the DNSSEC-aware primary authoritative name server when the name server does not support dynamic updates. | The private keys in the KSK and ZSK key pairs must be protected from unauthorized access. If possible, the private keys should be stored offline (with... |
| V-259415 | | The Windows DNS Server audit records must be backed up at least every seven days onto a different system or system component than the system or component being audited. | Protection of log data includes ensuring log data is not accidentally lost or deleted. Backing up audit records to a different system or onto media se... |
| V-259416 | | In a split DNS configuration, where separate name servers are used between the external and internal networks, the internal name server must be configured to not be reachable from outside resolvers. | Instead of having the same set of authoritative name servers serve different types of clients, an enterprise could have two different sets of authorit... |
| V-259417 | | Windows DNS response rate limiting (RRL) must be enabled. | This setting can prevent someone from sending a denial-of-service attack using the DNS servers. For instance, a bot net can send requests to the DNS s... |
| V-259343 | | The Windows DNS Server with a caching name server role must restrict recursive query responses to only the IP addresses and IP address ranges of known supported clients. | A potential vulnerability of DNS is that an attacker can poison a name server's cache by sending queries that will cause the server to obtain host-to-... |
| V-259347 | | The Windows DNS Server's zone files must have NS records that point to active name servers authoritative for the domain specified in that record. | Poorly constructed NS records pose a security risk because they create conditions under which an adversary might be able to provide the missing author... |
| V-259350 | | The Windows DNS Server must be configured to enable DNSSEC Resource Records (RRs). | The specification for a digital signature mechanism in the context of the DNS infrastructure is in the Internet Engineering Task Force's (IETF's) DNSS... |
| V-259390 | | The Windows DNS Server must protect the authenticity of dynamic updates via transaction signing. | DNS is a fundamental network service that is prone to various attacks, such as cache poisoning and man-in-the middle attacks. If communication session... |
| V-259397 | | The Windows DNS Server must protect the integrity of transmitted information. | Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercep... |
