STIGQter: STIG Summary: Microsoft Windows 2012 Server Domain Name System Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 23 Apr 2021:

The Windows 2012 DNS Servers zone files must have NS records that point to active name servers authoritative for the domain specified in that record.

DISA Rule

SV-215580r561297_rule

Vulnerability Number

V-215580

Group Title

SRG-APP-000516-DNS-000085

Rule Version

WDNS-CM-000010

Severity

CAT I

CCI(s)

• CCI-000366 - The organization implements the security configuration settings.

Weight

10

Fix Recommendation

If DNS servers are AD-integrated, troubleshoot and remedy the replication problem where the non-responsive name server is not getting updated.

If DNS servers are not AD-integrated, Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account.

Press Windows Key + R, execute dnsmgmt.msc.

On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server, and then expand Forward Lookup Zones.

From the expanded list, click to select the zone.

Review the NS records for the zone.

Select the NS record for the non-responsive name server and remove the record.

Check Contents

NOTE: This check is Not Applicable if Windows DNS server is only serving as a caching server and does not host any zones authoritatively.
Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account.

Press “Windows Key + R”, execute “dnsmgmt.msc”.

On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server, and then expand Forward Lookup Zones.

From the expanded list, click to select the zone.

Review the NS records for the zone.

Verify each of the name servers, represented by the NS records, is active.

At a command prompt on any system, type:

nslookup <enter>;

At the nslookup prompt, type:

server ###.###.###.### <enter>;
(where the ###.###.###.### is replaced by the IP of each NS record)

Enter a FQDN for a known host record in the zone.

If the NS server does not respond at all or responds with a non-authoritative answer, this is a finding.

Vulnerability Number

V-215580

Documentable

False

Rule Version

WDNS-CM-000010

Severity Override Guidance

NOTE: This check is Not Applicable if Windows DNS server is only serving as a caching server and does not host any zones authoritatively.
Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account.

Press “Windows Key + R”, execute “dnsmgmt.msc”.

On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server, and then expand Forward Lookup Zones.

From the expanded list, click to select the zone.

Review the NS records for the zone.

Verify each of the name servers, represented by the NS records, is active.

At a command prompt on any system, type:

nslookup <enter>;

At the nslookup prompt, type:

server ###.###.###.### <enter>;
(where the ###.###.###.### is replaced by the IP of each NS record)

Enter a FQDN for a known host record in the zone.

If the NS server does not respond at all or responds with a non-authoritative answer, this is a finding.

Check Content Reference

M

Target Key

4016

Comments