Checked | Name | Title |
---|---|---|
☐ | SV-215573r561297_rule | The Windows 2012 DNS Server must prohibit recursion on authoritative name servers for which forwarders have not been configured for external queries. |
☐ | SV-215574r561297_rule | Forwarders on an authoritative Windows 2012 DNS Server, if enabled for external resolution, must only forward to either an internal, non-AD-integrated DNS server or to the DoD Enterprise Recursive Services (ERS). |
☐ | SV-215575r561297_rule | The Windows 2012 DNS Server with a caching name server role must restrict recursive query responses to only the IP addresses and IP address ranges of known supported clients. |
☐ | SV-215576r561297_rule | The Windows 2012 DNS Server with a caching name server role must be secured against pollution by ensuring the authenticity and integrity of queried records. |
☐ | SV-215577r561297_rule | The Windows 2012 DNS Server must implement cryptographic mechanisms to detect changes to information during transmission unless otherwise protected by alternative physical safeguards, such as, at a minimum, a Protected Distribution System (PDS). |
☐ | SV-215578r561297_rule | The validity period for the RRSIGs covering a zone's DNSKEY RRSet must be no less than two days and no more than one week. |
☐ | SV-215579r561297_rule | NSEC3 must be used for all internal DNS zones. |
☐ | SV-215580r561297_rule | The Windows 2012 DNS Server's zone files must have NS records that point to active name servers authoritative for the domain specified in that record. |
☐ | SV-215581r561297_rule | All authoritative name servers for a zone must be located on different network segments. |
☐ | SV-215582r561297_rule | All authoritative name servers for a zone must have the same version of zone information. |
☐ | SV-215583r561297_rule | The Windows 2012 DNS Server must be configured to enable DNSSEC Resource Records. |
☐ | SV-215584r561297_rule | Digital signature algorithm used for DNSSEC-enabled zones must be FIPS-compatible. |
☐ | SV-215585r561297_rule | For zones split between the external and internal sides of a network, the RRs for the external hosts must be separate from the RRs for the internal hosts. |
☐ | SV-215586r561297_rule | In a split DNS configuration, where separate name servers are used between the external and internal networks, the external name server must be configured to not be reachable from inside resolvers. |
☐ | SV-215587r561297_rule | In a split DNS configuration, where separate name servers are used between the external and internal networks, the internal name server must be configured to not be reachable from outside resolvers. |
☐ | SV-215588r561297_rule | Primary authoritative name servers must be configured to only receive zone transfer requests from specified secondary name servers. |
☐ | SV-215589r561297_rule | The Windows 2012 DNS Server's zone database files must not be accessible for edit/write by users and/or processes other than the Windows 2012 DNS Server service account and/or the DNS database administrator. |
☐ | SV-215590r561297_rule | The Windows 2012 DNS Server must implement internal/external role separation. |
☐ | SV-215591r561297_rule | The Windows 2012 DNS Server authoritative for local zones must only point root hints to the DNS servers that host the internal root domain. |
☐ | SV-215592r561297_rule | The DNS name server software must be at the latest version. |
☐ | SV-215593r561297_rule | The Windows 2012 DNS Server's zone files must not include resource records that resolve to a fully qualified domain name residing in another zone. |
☐ | SV-215594r561297_rule | The Windows 2012 DNS Server's zone files must not include CNAME records pointing to a zone with lesser security for more than six months. |
☐ | SV-215595r561297_rule | Non-routable IPv6 link-local scope addresses must not be configured in any zone. |
☐ | SV-215596r561297_rule | AAAA addresses must not be configured in a zone for hosts that are not IPv6-aware. |
☐ | SV-215597r561297_rule | IPv6 protocol must be disabled unless the Windows 2012 DNS server is configured to answer for and hosting IPv6 AAAA records. |
☐ | SV-215598r561297_rule | The Windows 2012 DNS Server must be configured to prohibit or restrict unapproved ports and protocols. |
☐ | SV-215599r561297_rule | The Windows 2012 DNS Server must require devices to re-authenticate for each dynamic update request connection attempt. |
☐ | SV-215600r561297_rule | The Windows 2012 DNS Server must uniquely identify the other DNS server before responding to a server-to-server transaction. |
☐ | SV-215601r561297_rule | The secondary Windows DNS name servers must cryptographically authenticate zone transfers from primary name servers. |
☐ | SV-215602r561297_rule | The Windows DNS primary server must only send zone transfers to a specific list of secondary name servers. |
☐ | SV-215603r561297_rule | The Windows 2012 DNS Server must provide its identity with returned DNS information by enabling DNSSEC and TSIG/SIG(0). |
☐ | SV-215604r561297_rule | The Windows 2012 DNS Server must be configured to enforce authorized access to the corresponding private key. |
☐ | SV-215605r561297_rule | The Windows 2012 DNS Server key file must be owned by the account under which the Windows 2012 DNS Server service is run. |
☐ | SV-215606r561297_rule | The Windows 2012 DNS Server permissions must be set so that the key file can only be read or modified by the account that runs the name server software. |
☐ | SV-215607r561297_rule | The private key corresponding to the ZSK must only be stored on the name server that does support dynamic updates. |
☐ | SV-215608r561297_rule | The Windows 2012 DNS Server must implement a local cache of revocation data for PKI authentication in the event revocation information via the network is not accessible. |
☐ | SV-215609r561297_rule | The salt value for zones signed using NSEC3 RRs must be changed every time the zone is completely re-signed. |
☐ | SV-215610r561297_rule | The Windows 2012 DNS Server must include data origin with authoritative data the system returns in response to external name/address resolution queries. |
☐ | SV-215611r561297_rule | The Windows 2012 DNS Server's IP address must be statically defined and configured locally on the server. |
☐ | SV-215612r561297_rule | The Windows 2012 DNS Server must return data information in responses to internal name/address resolution queries. |
☐ | SV-215613r561297_rule | The Windows 2012 DNS Server must use DNSSEC data within queries to confirm data origin to DNS resolvers. |
☐ | SV-215614r561297_rule | WINS lookups must be disabled on the Windows 2012 DNS Server. |
☐ | SV-215615r561297_rule | The Windows 2012 DNS Server must use DNSSEC data within queries to confirm data integrity to DNS resolvers. |
☐ | SV-215616r561297_rule | The Windows 2012 DNS Server must be configured with the DS RR carrying the signature for the RR that contains the public key of the child zone. |
☐ | SV-215617r561297_rule | The Windows 2012 DNS Server must enforce approved authorizations between DNS servers through the use of digital signatures in the RRSet. |
☐ | SV-215618r561297_rule | The Name Resolution Policy Table (NRPT) must be configured in Group Policy to enforce clients to request DNSSEC validation for a domain. |
☐ | SV-215619r561297_rule | The Windows 2012 DNS Server must be configured to validate an authentication chain of parent and child domains via response data. |
☐ | SV-215620r561297_rule | Trust anchors must be exported from authoritative Windows 2012 DNS Servers and distributed to validating Windows 2012 DNS Servers. |
☐ | SV-215621r561297_rule | Automatic Update of Trust Anchors must be enabled on key rollover. |
☐ | SV-215622r561297_rule | The Windows DNS secondary servers must request data origin authentication verification from the primary server when requesting name/address resolution. |
☐ | SV-215623r561297_rule | The Windows DNS secondary server must request data integrity verification from the primary server when requesting name/address resolution. |
☐ | SV-215624r561297_rule | The Windows DNS secondary server must validate data integrity verification on the name/address resolution responses received from primary name servers. |
☐ | SV-215625r561297_rule | The Windows DNS secondary server must validate data origin verification authentication on the name/address resolution responses received from primary name servers. |
☐ | SV-215626r561297_rule | The Windows 2012 DNS Server must protect the authenticity of zone transfers via transaction signing. |
☐ | SV-215627r561297_rule | The Windows 2012 DNS Server must protect the authenticity of dynamic updates via transaction signing. |
☐ | SV-215628r561297_rule | The Windows 2012 DNS Server must protect the authenticity of query responses via DNSSEC. |
☐ | SV-215629r561297_rule | The Windows 2012 DNS Server must only allow the use of approved DoD PKI-established certificate authorities for verification of the establishment of protected transactions. |
☐ | SV-215630r561297_rule | The Windows 2012 DNS Server must protect secret/private cryptographic keys while at rest. |
☐ | SV-215631r561297_rule | The Windows 2012 DNS Server must not contain zone records that have not been validated in over a year. |
☐ | SV-215632r561297_rule | The Windows 2012 DNS Server must restrict individuals from using it for launching Denial of Service (DoS) attacks against other information systems. |
☐ | SV-215633r561297_rule | The Windows 2012 DNS Server must use DNS Notify to prevent denial of service through increase in workload. |
☐ | SV-215634r561297_rule | The Windows 2012 DNS Server must protect the integrity of transmitted information. |
☐ | SV-215635r561297_rule | The Windows 2012 DNS Server must maintain the integrity of information during preparation for transmission. |
☐ | SV-215636r561297_rule | The Windows 2012 DNS Server must maintain the integrity of information during reception. |
☐ | SV-215637r561297_rule | The Windows 2012 DNS Server must implement NIST FIPS-validated cryptography for provisioning digital signatures, generating cryptographic hashes, and protecting unclassified information requiring confidentiality. |
☐ | SV-215638r561297_rule | The Windows 2012 DNS Server must be configured to only allow zone information that reflects the environment for which it is authoritative, to include IP ranges and IP versions. |
☐ | SV-215639r561297_rule | The Windows 2012 DNS Server must follow procedures to re-role a secondary name server as the master name server should the master name server permanently lose functionality. |
☐ | SV-215640r561297_rule | The DNS Name Server software must be configured to refuse queries for its version information. |
☐ | SV-215641r561297_rule | The HINFO, RP, TXT and LOC RR types must not be used in the zone SOA. |
☐ | SV-215642r561297_rule | The Windows 2012 DNS Server must, when a component failure is detected, activate a notification to the system administrator. |
☐ | SV-215643r561297_rule | The Windows 2012 DNS Server must perform verification of the correct operation of security functions: upon system start-up and/or restart; upon command by a user with privileged access; and/or every 30 days. |
☐ | SV-215644r561297_rule | The Windows 2012 DNS Server must log the event and notify the system administrator when anomalies in the operation of the signed zone transfers are discovered. |
☐ | SV-215645r561297_rule | The Windows 2012 DNS Server must be configured to notify the ISSO/ISSM/DNS administrator when functionality of DNSSEC/TSIG has been removed or broken. |
☐ | SV-215647r561297_rule | The Windows 2012 DNS Server must restrict incoming dynamic update requests to known clients. |
☐ | SV-215648r561297_rule | The Windows 2012 DNS Server must be configured to record, and make available to authorized personnel, who added/modified/deleted DNS zone information. |
☐ | SV-215649r561297_rule | The Windows 2012 DNS Server must, in the event of an error validating another DNS server's identity, send notification to the DNS administrator. |
☐ | SV-215650r561297_rule | The Windows 2012 DNS Server log must be enabled. |
☐ | SV-215651r684253_rule | The Windows 2012 DNS Server logging must be enabled to record events from all DNS server functions. |
☐ | SV-215652r561297_rule | The Windows 2012 DNS Server logging criteria must only be configured by the ISSM or individuals appointed by the ISSM. |
☐ | SV-215660r561297_rule | The Windows 2012 DNS Server's audit records must be backed up at least every seven days onto a different system or system component than the system or component being audited. |
☐ | SV-215661r561297_rule | The validity period for the RRSIGs covering the DS RR for a zone's delegated children must be no less than two days and no more than one week. |
☐ | SV-228571r561297_rule | The Windows DNS name servers for a zone must be geographically dispersed. |