STIGQter: STIG Summary: Microsoft Windows 2012 Server Domain Name System Security Technical Implementation Guide, Version 2, Release 2, Benchmark Date: 23 Apr 2021

The Windows 2012 DNS Server with a caching name server role must restrict recursive query responses to only the IP addresses and IP address ranges of known supported clients.

DISA Rule

SV-215575r561297_rule

Vulnerability Number

V-215575

Group Title

SRG-APP-000383-DNS-000047

Rule Version

WDNS-CM-000005

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure a local or network firewall to allow only specific IP addresses/ranges to send inbound TCP and UDP port 53 traffic to the DNS caching server.

Check Contents

Note: If Windows DNS server is not serving in a caching role, this check is Not Applicable.
Verify the Windows DNS Server will only accept TCP and UDP port 53 traffic from specific IP addresses/ranges.

This can be configured via a local or network firewall.

If the caching name server is not restricted to answering queries from only specific networks, this is a finding.
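The check and fix above both come down to the scope of the inbound port 53 rules on whatever firewall fronts the server. Windows Server 2012 DNS has no per-client recursion ACL of its own (the BIND-style allow-recursion list does not exist; recursion scopes only arrived with later DNS policy features), which is why the STIG points at the firewall. The following PowerShell is an added example, not part of the STIG or of STIGQter, that audits the Windows Firewall with Advanced Security for the finding described in the check and applies the fix. It assumes the host firewall is the enforcing control (a network firewall would be handled on that device instead), that the NetSecurity module is present as on Server 2012 and later, and that the rule display names, function names and the client ranges in $KnownClientRanges are placeholders chosen for this example.

```powershell
# Added example (not STIG or STIGQter code): audit and remediate inbound DNS
# (TCP/UDP 53) scoping in Windows Firewall with Advanced Security.
# Assumptions: host firewall is the enforcing control; NetSecurity module
# available. Rule names and client ranges below are constructed placeholders.

$KnownClientRanges = @('10.10.0.0/16', '192.168.50.0/24')   # replace with real supported client networks
$ScopedRulePrefix  = 'DNS caching server - known clients only'

function Get-DnsInboundAllowRule {
    # Every enabled inbound Allow rule whose port filter lists local port 53 on TCP or UDP.
    # A port range such as '50-60' would not match '53' here; widen the test if your rules use ranges.
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True -ErrorAction Stop |
        Where-Object {
            $pf = $_ | Get-NetFirewallPortFilter
            ($pf.Protocol -in 'TCP', 'UDP') -and (@($pf.LocalPort) -contains '53')
        }
}

function Test-DnsPort53Restricted {
    # Returns $true only when the profiles actually enforce (enabled, default inbound Block)
    # and no enabled inbound allow rule for port 53 is scoped to RemoteAddress 'Any'.
    $ok = $true

    foreach ($p in Get-NetFirewallProfile) {
        if ($p.Enabled -ne 'True' -or $p.DefaultInboundAction -ne 'Block') {
            Write-Warning ("Profile {0}: Enabled={1}, DefaultInboundAction={2}; scoped allow rules do not restrict anything here." -f $p.Name, $p.Enabled, $p.DefaultInboundAction)
            $ok = $false
        }
    }

    $rules = @(Get-DnsInboundAllowRule)
    if ($rules.Count -eq 0) {
        Write-Warning 'No enabled inbound allow rule for port 53 found; DNS is either unreachable or filtered elsewhere. Verify the network firewall.'
    }
    foreach ($r in $rules) {
        $remote = @(($r | Get-NetFirewallAddressFilter).RemoteAddress)
        if ($remote -contains 'Any') {
            Write-Warning ("Finding: rule '{0}' allows port 53 from Any." -f $r.DisplayName)
            $ok = $false
        } else {
            Write-Verbose ("Rule '{0}' scoped to: {1}" -f $r.DisplayName, ($remote -join ', '))
        }
    }
    return $ok
}

function Set-DnsPort53Restriction {
    # Fix: create (or re-scope) explicit allow rules limited to the known client ranges,
    # then disable any other enabled port 53 allow rule that is open to Any, which is
    # typically the pair the DNS Server role installed.
    param([string[]] $RemoteAddress = $KnownClientRanges)

    foreach ($proto in 'TCP', 'UDP') {
        $name = "$ScopedRulePrefix ($proto)"
        $existing = Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue
        if ($existing) {
            $existing | Set-NetFirewallRule -RemoteAddress $RemoteAddress -Enabled True
        } else {
            New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Allow `
                -Protocol $proto -LocalPort 53 -RemoteAddress $RemoteAddress -Profile Any | Out-Null
        }
    }

    Get-DnsInboundAllowRule |
        Where-Object { $_.DisplayName -notlike "$ScopedRulePrefix (*)" } |
        ForEach-Object {
            if (@(($_ | Get-NetFirewallAddressFilter).RemoteAddress) -contains 'Any') {
                Write-Host ("Disabling unscoped rule '{0}'" -f $_.DisplayName)
                $_ | Disable-NetFirewallRule
            }
        }
}

# Usage: run the audit first; apply the fix only if it reports a finding, then re-audit.
if (-not (Test-DnsPort53Restricted)) {
    Set-DnsPort53Restriction
    Test-DnsPort53Restricted
}
```

Run this in an elevated session. The audit deliberately reports the firewall profile state as well as the rule scope: an allow rule scoped to a handful of subnets proves nothing if the profile is disabled or its default inbound action is Allow, and on a domain-joined server both may be set by Group Policy rather than locally. Rather than deleting the role-installed rules, the fix disables them, so a later role repair that re-enables them shows up in the next audit as a finding instead of silently widening exposure.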

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

4016

Comments