OpenControls Logo

STIG Viewer

The Windows DNS Server must maintain the integrity of information during reception.

Overview

Finding IDVersionRule IDIA ControlsSeverity
V-259399WDNS-22-000071SV-259399r961641_ruleCCI-002422medium
Description
Information can be unintentionally or maliciously disclosed or modified during preparation for transmission, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information.
STIGDate
Microsoft Windows Server Domain Name System (DNS) Security Technical Implementation Guide2025-02-25

Details

Check Text (C-259399r961641_chk)

Note: This check is not applicable for Windows DNS Servers that host only Active Directory-integrated zones or for Windows DNS Servers on a classified network. Validate this check from the Windows DNS Server being configured/reviewed. Log on to the Windows DNS Server using the account designated as Administrator or DNS Administrator. Determine a valid host in the zone. Open the Windows PowerShell prompt on the Windows DNS Server being configured/reviewed. Issue the following command: (Replace www.zonename.mil with a FQDN of a valid host in the zone being validated. Replace ###.###.###.### with the FQDN or IP address of the Windows DNS Server hosting the signed zone.) resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok <enter> Note: It is important to use the -server switch followed by the DNS server name/IP address. The result should show the "A" record results. In addition, the results should show QueryType: RRSIG with an expiration, date signed, signer, and signature, similar to the following: Name: www.zonename.mil QueryType: RRSIG TTL: 189 Section: Answer TypeCovered: CNAME Algorithm: 8 LabelCount: 3 OriginalTtl: 300 Expiration: 11/21/2022 10:22:28 PM Signed: 10/22/2022 10:22:28 PM Signer: zonename.mil Signature: {87, 232, 34, 134...} Name: origin-www.zonename.mil QueryType: A TTL: 201 Section: Answer IP4Address: ###.###.###.### If the results do not show the RRSIG and signature information, this is a finding.

Fix Text (F-63046r945344_fix)

Sign or re-sign the hosted zone(s) on the DNS server being validated. Log on to the Windows DNS Server using the Domain Admin or Enterprise Admin account. Press the Windows key + R and execute "dnsmgmt.msc". On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server, and then expand "Forward Lookup Zones". From the expanded list, right-click to select the zone (repeat for each hosted zone), point to DNSSEC, and then click "Sign the Zone" using either approved saved parameters or approved custom parameters.