SV-215622r561297_rule
V-215622
SRG-APP-000423-DNS-000056
WDNS-SC-000014
CAT II
10
Sign, or re-sign, the hosted zone(s) on the DNS server being validated.
Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account.
Press Windows Key + R, execute dnsmgmt.msc.
On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server, and then expand Forward Lookup Zones.
From the expanded list, right-click to select the zone (repeat for each hosted zone), point to DNSSEC, and then click Sign the Zone, either using approved saved parameters or approved custom parameters.
Note: This check is not applicable for Windows 2012 DNS Servers that only host Active Directory integrated zones or for Windows 2012 DNS servers on a Classified network.
Validate this check from either a Windows 8 client or a Windows 2008 or higher server, authenticated as a Domain Administrator.
Determine a valid host in the zone.
Open the Windows PowerShell prompt on the Windows 8/Windows 2008 or higher client.
Issue the following command:
(Replace www.zonename.mil with the FQDN of a valid host in the zone being validated. Replace ###.###.###.### with the FQDN or IP address of the Windows 2012 DNS Server hosting the signed zone.)
resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok <enter>
NOTE: It is important to use the -server switch followed by the DNS Server name/IP address.
The result should include the "A" record for the host.
In addition, the results should include a record with QueryType: RRSIG that carries an expiration date, signed date, signer, and signature, similar to the following:
Name: www.zonename.mil
QueryType: RRSIG
TTL: 189
Section: Answer
TypeCovered: CNAME
Algorithm: 8
LabelCount: 3
OriginalTtl: 300
Expiration: 11/21/2014 10:22:28 PM
Signed: 10/22/2014 10:22:28 PM
Signer: zonename.mil
Signature: {87, 232, 34, 134...}
Name: origin-www.zonename.mil
QueryType: A
TTL: 201
Section: Answer
IP4Address: ###.###.###.###
If the results do not show the RRSIG and signature information, this is a finding.
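The manual query above can be scripted for every hosted zone. This PowerShell is an added example, not part of the STIG; $DnsServer and $Names are placeholders to replace, and it additionally flags an RRSIG whose Expiration has already passed, which the manual check does not call out.

```powershell
# Added example (not STIG text). Placeholders: the DNS server hosting the signed
# zone(s) and one valid FQDN per hosted zone being validated.
$DnsServer = '###.###.###.###'
$Names     = @('www.zonename.mil')

function Test-DnssecSignedAnswer {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $Server
    )
    try {
        # -DnssecOk sets the DO bit so RRSIG records are returned with the answer;
        # -Server forces the query to the server under review rather than the client resolver.
        $records = Resolve-DnsName -Name $Name -Server $Server -DnssecOk -ErrorAction Stop
    } catch {
        return [pscustomobject]@{ Name = $Name; Server = $Server; Finding = $true
                                  Detail = "Query failed: $($_.Exception.Message)" }
    }

    $answer = $records | Where-Object { $_.Section -eq 'Answer' }
    $data   = @($answer | Where-Object { $_.QueryType -in 'A', 'AAAA', 'CNAME' })
    $rrsig  = @($answer | Where-Object { $_.QueryType -eq 'RRSIG' })
    $now    = Get-Date
    # An expired signature is rejected by validating resolvers just like a missing one.
    $expired = @($rrsig | Where-Object { [datetime]$_.Expiration -lt $now })

    $finding = ($data.Count -eq 0) -or ($rrsig.Count -eq 0) -or ($expired.Count -gt 0)
    $detail = if ($rrsig.Count -eq 0) {
        'No RRSIG in answer section (zone not signed or DO bit ignored)'
    } elseif ($expired.Count -gt 0) {
        "RRSIG expired: " + (($expired | ForEach-Object { "$($_.TypeCovered) $($_.Expiration)" }) -join '; ')
    } else {
        "RRSIG by $($rrsig[0].Signer), alg $($rrsig[0].Algorithm), expires $($rrsig[0].Expiration)"
    }

    [pscustomobject]@{ Name = $Name; Server = $Server; Finding = $finding; Detail = $detail }
}

$Names | ForEach-Object { Test-DnssecSignedAnswer -Name $_ -Server $DnsServer } |
    Format-Table -AutoSize
```

Any row with Finding set to True corresponds to a finding under this check.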