Microsoft Windows 2012 Server Domain Name System STIG Version Comparison
Microsoft Windows 2012 Server Domain Name System Security Technical Implementation Guide
Comparison
There are 5 differences between versions v2 r3 (July 23, 2021) (the "left" version) and v2 r5 (May 31, 2022) (the "right" version).
Check WDNS-CM-000028 was removed from the benchmark in the "right" version. The text below reflects the old wording.
This check's original form is available here.
Text Differences
Title
IPv6 protocol must be disabled unless the Windows 2012 DNS server is configured to answer for and hosting IPv6 AAAA records.
Check Content
Note: If the Windows 2012 DNS server is hosting IPv6 records, this requirement is not applicable. If the Windows 2012 DNS server is only hosting IPv4 records, this requirement must be met. Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. From a command prompt, run regedit. In the User Account Control dialog box, click Continue. In Registry Editor, locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters \ Verify the value for “DisabledComponents” is “255 (0xff)”. If the “DisabledComponents” entry is nonexistent, this is a finding. If the “DisabledComponents” exists but is not set to “255 (0xff)”, and the DNS server is not hosting any AAAA records, this is a finding.
Discussion
To prevent the possibility of a denial of service in relation to an IPv4 DNS server trying to respond to IPv6 requests, the server should be configured not to listen on any of its IPv6 interfaces unless it does contain IPv6 AAAA resource records in one of the zones.
Fix
Log onto the DNS server. Access Group Policy Management. Edit Default Domain Policy, go to Computer Configuration >> Policies >> Administrative Templates >> Network >> IPv6 Configuration, Open IPv6 Configuration Policy and set on “Disable all IPv6 components”. As an alternative to using the GPO setting, the registry setting may also be altered directly to reflect: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters \ Set the value for “DisabledComponents” to “255 (0xff)”.