Microsoft Windows 2012 Server Domain Name System STIG:
(in versions v2 r5 through v1 r13)
The Windows DNS name servers for a zone must be geographically dispersed. (Cat II impact)
In addition to network-based separation, authoritative name servers should be dispersed geographically as well. In other words, in addition to being located on different network segments, the authoritative name servers should not all be located within the same building. One approach that some organizations follow is to locate some authoritative name servers in their own premises and others in their ISPs' data centers or in partnering organizations. A network administrator may choose to use a "hidden" master authoritative server and only have secondary servers visible on the network. A hidden master authoritative server is an authoritative DNS server whose IP address does not appear in the name server set for a zone. If the master authoritative name server is "hidden", a secondary authoritative name server may reside in the same building as the hidden master.
Windows DNS Servers that are Active Directory integrated must be located where required to meet the Active Directory services. If all of the Windows DNS Servers are AD integrated, this check is Not Applicable. If any or all of the Windows DNS Servers are standalone and non-AD-integrated, verify with the System Administrator their geographic location. If any or all of the authoritative name servers are located in the same building as the master authoritative name server, and the master authoritative name server is not "hidden", this is a finding.
For non-AD-integrated Windows DNS Servers, distribute secondary authoritative servers to be located in different buildings from the primary authoritative server.
Rule ID: SV-228571r561297_rule
Vulnerability ID: V-228571
Group Title: SRG-APP-000218-DNS-000027
The organization implements the security configuration settings.