STIGQter: STIG Summary: Microsoft Windows 2012 Server Domain Name System Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 23 Apr 2021:

In a split DNS configuration, where separate name servers are used between the external and internal networks, the internal name server must be configured to not be reachable from outside resolvers.

DISA Rule

SV-215587r561297_rule

Vulnerability Number

V-215587

Group Title

SRG-APP-000516-DNS-000093

Rule Version

WDNS-CM-000018

Severity

CAT II

CCI(s)

CCI-000366 - The organization implements the security configuration settings.

Weight

Fix Recommendation

Configure the internal DNS server's firewall policy, or the network firewall, to block queries from external hosts.

Check Contents

Consult with the System Administrator to review the internal Windows DNS Server's HBSS firewall policy.

The inbound TCP and UDP ports 53 rule should be configured to only allow hosts from the internal network to query the internal DNS server.

If the HBSS firewall policy is not configured with the restriction, consult with the network firewall administrator to confirm the restriction on the network firewall.

If neither the DNS server's HBSS firewall policy nor the network firewall is configured to block external hosts from querying the internal DNS server, this is a finding.

In a split DNS configuration, where separate name servers are used between the external and internal networks, the internal name server must be configured to not be reachable from outside resolvers.

DISA Rule

Vulnerability Number

Group Title

Rule Version

Severity

CCI(s)

Weight

Fix Recommendation

Check Contents

Vulnerability Number

Documentable

Rule Version

Severity Override Guidance

Check Content Reference

Target Key

Comments