STIGQter: STIG Summary: Microsoft Windows 2008 Server Domain Name System Security Technical Implementation Guide

Version: 1

Release: 7

Benchmark Date: 24 Jan 2020

Name | Title
--- | ---
SV-83199r1_rule | The Windows 2008 DNS Server must restrict incoming dynamic update requests to known clients.
SV-83231r1_rule | The Windows 2008 DNS Server must be configured to record, and make available to authorized personnel, who added/modified/deleted DNS zone information.
SV-83233r2_rule | The Windows 2008 DNS Server must, in the event of an error validating another DNS server's identity, send notification to the DNS administrator.
SV-83201r1_rule | The Windows 2008 DNS Server log must be enabled.
SV-83203r2_rule | The Windows 2008 DNS Server logging criteria must only be configured by the ISSM or individuals appointed by the ISSM.
SV-83205r1_rule | The Windows 2008 DNS Server's audit records must be backed up at least every seven days onto a different system or system component than the system or component being audited.
SV-83213r2_rule | The Windows DNS name servers for a zone must be geographically dispersed.
SV-83235r1_rule | The Windows 2008 DNS Server must prohibit recursion on authoritative name servers for which forwarders have not been configured for external queries.
SV-83237r1_rule | Forwarders on an authoritative Windows 2008 DNS Server, if enabled for external resolution, must only forward to either an internal, non-AD-integrated DNS server or to the DoD Enterprise Recursive Services (ERS).
SV-83239r2_rule | The Windows 2008 DNS Server with a caching name server role must restrict recursive query responses to only the IP addresses and IP address ranges of known supported clients.
SV-83255r3_rule | The Windows 2008 DNS Server's zone files must have NS records that point to active name servers authoritative for the domain specified in that record.
SV-83271r1_rule | All authoritative name servers for a zone must be located on different network segments.
SV-83273r1_rule | All authoritative name servers for a zone must have the same version of zone information.
SV-83275r1_rule | For zones split between the external and internal sides of a network, the RRs for the external hosts must be separate from the RRs for the internal hosts.
SV-83277r1_rule | In a split DNS configuration, where separate name servers are used between the external and internal networks, the external name server must be configured to not be reachable from inside resolvers.
SV-83279r1_rule | In a split DNS configuration, where separate name servers are used between the external and internal networks, the internal name server must be configured to not be reachable from outside resolvers.
SV-83281r1_rule | Primary authoritative name servers must be configured to only receive zone transfer requests from specified secondary name servers.
SV-83283r1_rule | The Windows 2008 DNS Server's zone database files must not be accessible for edit/write by users and/or processes other than the Windows 2008 DNS Server service account and/or the DNS database administrator.
SV-83285r1_rule | The Windows 2008 DNS Server must implement internal/external role separation.
SV-83287r1_rule | The Windows 2008 DNS Server authoritative for local zones must only point root hints to the DNS servers that host the internal root domain.
SV-83289r1_rule | The DNS name server software must be at the latest version.
SV-83291r1_rule | The Windows 2008 DNS Server's zone files must not include CNAME records pointing to a zone with lesser security for more than six months.
SV-83293r1_rule | Non-routable IPv6 link-local scope addresses must not be configured in any zone.
SV-83295r1_rule | AAAA addresses must not be configured in a zone for hosts that are not IPv6-aware.
SV-83297r3_rule | When the IPv6 protocol is installed, the server must also be configured to answer for IPv6 AAAA records.
SV-83211r2_rule | The Windows 2008 DNS Server must uniquely identify the other DNS server before responding to a server-to-server transaction.
SV-83197r1_rule | The Windows DNS primary server must only send zone transfers to a specific list of secondary name servers.
SV-83207r1_rule | The Windows 2008 DNS Server must be configured to enforce authorized access to the corresponding private key.
SV-83209r2_rule | The Windows DNS Server key file must be owned by the account under which the Windows DNS Server service is run.
SV-83241r1_rule | The Windows 2008 DNS Server must implement a local cache of revocation data for PKI authentication in the event revocation information via the network is not accessible.
SV-83243r2_rule | The Windows 2008 DNS Server's IP address must be statically defined and configured locally on the server.
SV-83245r2_rule | WINS lookups must be disabled on the Windows 2008 DNS Server.
SV-83215r1_rule | The Windows 2008 DNS Server must protect secret/private cryptographic keys while at rest.
SV-83247r1_rule | The Windows 2008 DNS Server must not contain zone records that have not been validated in over a year.
SV-83217r1_rule | The Windows 2008 DNS Server must restrict individuals from using it for launching Denial of Service (DoS) attacks against other information systems.
SV-83219r1_rule | The Windows 2008 DNS Server must use DNS Notify to prevent denial of service through an increase in workload.
SV-83221r1_rule | The Windows 2008 DNS Server must be configured to only allow zone information that reflects the environment for which it is authoritative, to include IP ranges and IP versions.
SV-83249r2_rule | The Windows 2008 DNS Server must follow procedures to re-role a secondary name server as the master name server should the master name server permanently lose functionality.
SV-83223r2_rule | The Windows 2008 DNS Server must, when a component failure is detected, activate a notification to the system administrator.
SV-83251r1_rule | The Windows 2008 DNS Server must perform verification of the correct operation of security functions: upon system start-up and/or restart; upon command by a user with privileged access; and/or every 30 days.
SV-83225r1_rule | The Windows 2008 DNS Server must be configured to notify the ISSO/ISSM/DNS administrator when functionality of Secure Updates has been removed or broken.
SV-83227r1_rule | The DNS Name Server software must be configured to refuse queries for its version information.
SV-83229r1_rule | The HINFO, RP, TXT, and LOC RR types must not be used in the zone SOA.