Windows DNS response rate limiting (RRL) must be enabled.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-259417 | WDNS-22-000120 | SV-259417r961155_rule | CCI-001095 | medium |

Description

This setting can prevent the DNS servers from being used to amplify a denial-of-service attack. For instance, a botnet can send requests to the DNS server using the IP address of a third computer as the requestor (the source address is spoofed). Without RRL, the DNS servers might respond to all the requests, flooding the third computer.

| STIG | Date |
|---|---|
| Microsoft Windows Server Domain Name System (DNS) Security Technical Implementation Guide | 2025-02-25 |
Details
Check Text (C-259417r961155_chk)
As an administrator, run PowerShell and enter the following command:
"Get-DnsServerResponseRateLimiting".
If "Mode" is not set to "Enable", this is a finding.
Fix Text (F-63064r939955_fix)
As an administrator, run PowerShell and enter the command "Set-DnsServerResponseRateLimiting" to apply default values or "Set-DnsServerResponseRateLimiting -WindowInSec 7 -LeakRate 4 -TruncateRate 3 -ErrorsPerSec 8 -ResponsesPerSec 8".
These settings are just an example. For more information, go to:
https://learn.microsoft.com/en-us/powershell/module/dnsserver/set-dnsserverresponseratelimiting?view=windowsserver2022-ps
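As an added example that is not part of the STIG, the following PowerShell runs the check above against a DNS server and, when asked, applies the fix using the parameter values from the fix text. The function name `Test-DnsRrlCompliance` and its `-Remediate` switch are assumptions; the cmdlets and property names are those of the DnsServer module.

```powershell
# Added example (not part of the STIG): audit WDNS-22-000120 on a DNS server
# and optionally apply the fix. Requires the DnsServer module (DNS role or
# RSAT) and an elevated session. Function and parameter names are assumed.
#Requires -Modules DnsServer

function Test-DnsRrlCompliance {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [switch]$Remediate
    )

    $rrl = Get-DnsServerResponseRateLimiting -ComputerName $ComputerName

    # The check is strict: only "Enable" passes. "LogOnly" records would-be
    # drops but still answers every query, so it is a finding, as is "Disable".
    $compliant = ($rrl.Mode -eq 'Enable')

    if (-not $compliant -and $Remediate) {
        if ($PSCmdlet.ShouldProcess($ComputerName, 'Enable DNS RRL (WDNS-22-000120)')) {
            # Values from the STIG fix text. -Mode Enable is passed explicitly so the
            # outcome does not depend on cmdlet defaults; -Force suppresses the prompt.
            Set-DnsServerResponseRateLimiting -ComputerName $ComputerName -Mode Enable `
                -WindowInSec 7 -LeakRate 4 -TruncateRate 3 -ErrorsPerSec 8 -ResponsesPerSec 8 -Force
            $rrl = Get-DnsServerResponseRateLimiting -ComputerName $ComputerName
            $compliant = ($rrl.Mode -eq 'Enable')
        }
    }

    # Return the evidence an assessor would record alongside the finding status.
    [pscustomobject]@{
        ComputerName    = $ComputerName
        RuleId          = 'SV-259417r961155_rule'
        Mode            = $rrl.Mode
        ResponsesPerSec = $rrl.ResponsesPerSec
        ErrorsPerSec    = $rrl.ErrorsPerSec
        WindowInSec     = $rrl.WindowInSec
        LeakRate        = $rrl.LeakRate
        TruncateRate    = $rrl.TruncateRate
        Finding         = -not $compliant
    }
}

# Audit only:
Test-DnsRrlCompliance | Format-List
# Audit and fix (run with -WhatIf first to see what would change):
# Test-DnsRrlCompliance -Remediate -WhatIf
```

The STIG values are an example; tune `ResponsesPerSec` and `ErrorsPerSec` to the server's legitimate query load, since limits set too low will drop answers to real clients.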