STIGhubSTIGhub
STIGsSearchCompare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • Compare Versions

Resources

  • About
  • Release Notes
  • VPAT
  • DISA STIG Library
STIGs updated 3 hours ago
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to Domain Name System (DNS) Security Requirements Guide

V-205246

CAT II (Medium)

The IP address for hidden master authoritative name servers must not appear in the name servers set in the zone database.

Rule ID

SV-205246r961863_rule

STIG

Domain Name System (DNS) Security Requirements Guide

Version

V4R2

CCIs

CCI-000366

Discussion

A hidden master authoritative server is an authoritative DNS server whose IP address does not appear in the name server set for a zone. All of the name servers that do appear in the zone database as designated name servers get their zone data from the hidden master via a zone transfer request. In effect, all visible name servers are actually secondary slave servers. This prevents potential attackers from targeting the master name server because its IP address may not appear in the zone database.

Check Content

Check the DNS documentation to determine if a hidden master authoritative name server is being used. If a hidden master authoritative name server is being used, check the NS records for all zones for which that hidden name server is authoritative and confirm there is not any NS record for that hidden name server.

If any zone for which a hidden name server is authoritative has an NS record for that hidden name server, this is a finding.
If the DNS implementation does not include any hidden name servers, this is not applicable.

Fix Text

Remove, from all zones' configuration files, any NS RRs for hidden name servers.