STIGQter: STIG Summary: Microsoft Windows 2012 Server Domain Name System Security Technical Implementation Guide, Version: 2, Release: 2, Benchmark Date: 23 Apr 2021

All authoritative name servers for a zone must be located on different network segments.

DISA Rule

SV-215581r561297_rule

Vulnerability Number

V-215581

Group Title

SRG-APP-000516-DNS-000087

Rule Version

WDNS-CM-000012

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

For non-AD-integrated Windows DNS Servers, distribute secondary authoritative servers on separate network segments from the primary authoritative server.

Check Contents

Windows DNS Servers that are Active Directory-integrated must be located where required to meet the Active Directory services.

If all of the Windows DNS Servers are AD-integrated, this check is not applicable.

If any or all of the Windows DNS Servers are stand-alone and non-AD-integrated, verify their geographic dispersal with the System Administrator.

If all of the authoritative name servers are located on the same network segment, and the master authoritative name server is not "hidden", this is a finding.
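The decision logic of this check, as an added example that is not part of the STIG or of STIGQter. It assumes the System Administrator supplies an inventory of the zone's authoritative name servers with each server's address, the prefix length of its segment, and whether the master is hidden; the host names, addresses and field names are constructed.

```python
import ipaddress
from collections import defaultdict


def segment_of(ip, prefix_len):
    """Return the network (segment) that an address belongs to."""
    return ipaddress.ip_interface(f"{ip}/{prefix_len}").network


def evaluate_zone(servers, all_ad_integrated=False):
    """Apply the check to one zone.

    servers: list of dicts with keys name, ip, prefix_len, is_master, hidden
             (hypothetical field names, supplied by the site).
    Returns (status, segments), where segments maps network -> server names.
    """
    if all_ad_integrated:
        # All servers AD-integrated: the check is not applicable.
        return "not_applicable", {}
    segments = defaultdict(list)
    for s in servers:
        segments[str(segment_of(s["ip"], s["prefix_len"]))].append(s["name"])
    master_hidden = any(s["is_master"] and s["hidden"] for s in servers)
    # Finding only when every server shares one segment and the master is visible.
    if len(segments) == 1 and not master_hidden:
        return "finding", dict(segments)
    return "not_a_finding", dict(segments)


# Constructed inventories (documentation address ranges, hypothetical names).
SAME_SEGMENT = [
    {"name": "ns1.example.test", "ip": "192.0.2.10", "prefix_len": 26,
     "is_master": True, "hidden": False},
    {"name": "ns2.example.test", "ip": "192.0.2.20", "prefix_len": 26,
     "is_master": False, "hidden": False},
]
DISPERSED = [
    SAME_SEGMENT[0],
    {"name": "ns2.example.test", "ip": "198.51.100.20", "prefix_len": 24,
     "is_master": False, "hidden": False},
]

if __name__ == "__main__":
    for label, inventory in (("same segment", SAME_SEGMENT), ("dispersed", DISPERSED)):
        status, segs = evaluate_zone(inventory)
        print(f"{label}: {status}")
        for net, names in segs.items():
            print(f"  {net}: {', '.join(names)}")
```

The prefix length matters: two addresses inside the same /24 can still sit on different segments when the site subnets it further.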

Documentable

False

Severity Override Guidance

Windows DNS Servers that are Active Directory-integrated must be located where required to meet the Active Directory services.

If all of the Windows DNS Servers are AD-integrated, this check is not applicable.

If any or all of the Windows DNS Servers are stand-alone and non-AD-integrated, verify their geographic dispersal with the System Administrator.

If all of the authoritative name servers are located on the same network segment, and the master authoritative name server is not "hidden", this is a finding.

Check Content Reference

M

Target Key

4016
