STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.


V-259636

CAT II (Medium)

The Exchange Edge server must point to a trusted list of DNS servers for external and internal resolution.

Rule ID

SV-259636r961587_rule

STIG

Microsoft Exchange 2019 Edge Server Security Technical Implementation Guide

Version

V2R2

CCIs

CCI-002466

Discussion

To mitigate the risk of possible erroneous queries that may have been coopted by bad actors, the Exchange Edge server must use DNS servers that utilize DNSSEC to resolve external hosts and internal hosts before routing messages to the appropriate destination.

Check Content

Verify in the EDSP, or consult with the appropriate personnel who manage DNS, to determine which servers are to be used for Internal and External DNS resolution.

If the server is not multi-homed, this does not apply.

In Exchange Management Shell, run the following command:

Get-TransportService | Format-List *dns*

If "ExternalDNSAdapterEnabled : True", and no GUID exists, this is a finding.

If "ExternalDNSAdapterEnabled : False", and the property "ExternalDNSServers" is not populated with the documented trusted DNS servers for External DNS queries, this is a finding.

If "InternalDNSAdapterEnabled : True" and no GUID exists, this is a finding.

If "InternalDNSAdapterEnabled : False" and the property "InternalDNSServers" is not populated with the documented trusted DNS servers for Internal DNS queries, this is a finding.
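The four finding conditions above can be evaluated in one pass over the Get-TransportService output. The script below is an added example, not part of the STIG text or any DISA tooling; it assumes it runs in the Exchange Management Shell on the Edge server, and the $DocumentedInternal / $DocumentedExternal lists stand in for the trusted DNS servers recorded in the EDSP (the addresses are constructed placeholders).

```powershell
# Added example: evaluate the V-259636 check conditions against Get-TransportService output.
# Assumes Exchange Management Shell; the documented DNS lists below are constructed placeholders.
param(
    [string]$Server = $env:COMPUTERNAME,
    [string[]]$DocumentedInternal = @('10.0.0.10', '10.0.0.11'),   # placeholder: EDSP internal resolvers
    [string[]]$DocumentedExternal = @('192.0.2.53', '192.0.2.54')  # placeholder: EDSP external resolvers
)

# Order-insensitive comparison of the configured server list with the documented trusted list.
function Test-DnsListMatches([string[]]$Configured, [string[]]$Documented) {
    if (-not $Configured -or $Configured.Count -eq 0) { return $false }   # empty list is never compliant
    $diff = Compare-Object -ReferenceObject $Documented -DifferenceObject $Configured
    return ($null -eq $diff)
}

$ts = Get-TransportService -Identity $Server
$findings = @()

foreach ($scope in 'External', 'Internal') {
    $enabled    = $ts."${scope}DNSAdapterEnabled"
    $guid       = $ts."${scope}DNSAdapterGuid"
    $servers    = @($ts."${scope}DNSServers" | ForEach-Object { $_.ToString() })
    $documented = if ($scope -eq 'External') { $DocumentedExternal } else { $DocumentedInternal }

    if ($enabled) {
        # Adapter mode: an adapter GUID must be set; the all-zero GUID means no adapter is bound.
        if (-not $guid -or $guid -eq [guid]::Empty) {
            $findings += "${scope}DNSAdapterEnabled is True but no adapter GUID is set."
        }
    } else {
        # Explicit-server mode: the configured list must equal the documented trusted list.
        if (-not (Test-DnsListMatches -Configured $servers -Documented $documented)) {
            $findings += "${scope}DNSAdapterEnabled is False but ${scope}DNSServers ($($servers -join ', ')) does not match the documented list ($($documented -join ', '))."
        }
    }
}

if ($findings) { $findings | ForEach-Object { Write-Output "FINDING: $_" } }
else { Write-Output "V-259636: no findings on $Server." }
```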

Fix Text

Verify in the EDSP, or consult with the appropriate personnel who manage DNS, to determine which DNS servers are to be used for Internal and External DNS resolution.

If GUIDs for the External and Internal network adapters are applicable, gather the values needed to populate the appropriate properties with the following command:

netsh lan show interfaces

This will provide the adapters and the GUIDs for each. Identify the external and internal adapters for the Edge server.

Once gathered, run the following:

Set-TransportService -Identity <name of server> -ExternalDNSAdapterEnabled $true -ExternalDNSAdapterGuid <externalAdapterGUID> -InternalDNSAdapterEnabled $true -InternalDNSAdapterGuid <InternalAdapterGuid>

If "ExternalDNSAdapterEnabled" or "InternalDNSAdapterEnabled" is set to false, use the following to set the DNS configuration:

Set-TransportService -Identity <name of server> -InternalDNSServers @{add="Trusted DNS IP1","Trusted DNS IP2"}
Set-TransportService -Identity <name of server> -ExternalDNSServers @{add="Trusted DNS IP1","Trusted DNS IP2"}