Check: WDNS-CM-000003
Microsoft Windows 2012 Server Domain Name System STIG:
WDNS-CM-000003
(in versions v2 r7 through v2 r1)
Title
The Windows 2012 DNS Server must prohibit recursion on authoritative name servers for which forwarders have not been configured for external queries. (Cat II impact)
Discussion
A potential vulnerability of DNS is that an attacker can poison a name server's cache by sending queries that will cause the server to obtain host-to-IP address mappings from bogus name servers that respond with incorrect information. Once a name server has been poisoned, legitimate clients may be directed to non-existent hosts (which constitutes a denial of service), or, worse, hosts that masquerade as legitimate ones to obtain sensitive data or passwords. To guard against poisoning, name servers authoritative for .mil domains should be separated functionally from name servers that resolve queries on behalf of internal clients. Organizations may achieve this separation by dedicating machines to each function or, if possible, by running two instances of the name server software on the same machine: one for the authoritative function and the other for the resolving function. In this design, each name server process may be bound to a different IP address or network interface to implement the required segregation.
Check Content
Note: If the Windows DNS server is in the classified network, this check is Not Applicable. Note: In Windows DNS Server, if forwarders are configured, the recursion setting must also be enabled since disabling recursion will disable forwarders. If forwarders are not used, recursion must be disabled. In both cases, the use of root hints must be disabled. The root hints configuration requirement is addressed in WDNS-CM-000004. Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. Press Windows Key + R, execute dnsmgmt.msc. On the opened DNS Manager snap-in from the left pane, right-click on the server name for the DNS server and select “Properties”. Click on the “Forwarders” tab. If forwarders are enabled and configured, this check is not applicable. If forwarders are not enabled, click on the “Advanced” tab and ensure the "Disable recursion (also disables forwarders)" check box is selected. If forwarders are not enabled and configured, and the "Disable recursion (also disables forwarders)" check box in the “Advanced” tab is not selected, this is a finding.
Fix Text
Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. Press Windows Key + R, execute dnsmgmt.msc. On the opened DNS Manager snap-in from the left pane, right-click on the server name for the DNS server and select “Properties”. Click on the “Forwarders” tab. If forwarders are not being used, click the “Advanced” tab. Select the "Disable recursion (also disables forwarders)" check box.
Additional Identifiers
Rule ID: SV-215573r961470_rule
Vulnerability ID: V-215573
Group Title: SRG-APP-000383-DNS-000047
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000366 |
Implement the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 |
Configuration Settings |