STIGhub

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

Microsoft Windows 2012 Server Domain Name System Security Technical Implementation Guide

Version: V2R7

Benchmark ID: Microsoft_Windows_2012_Server_Domain_Name_System_STIG

Total Checks: 82

Tags: windows

Severity breakdown: CAT I: 5, CAT II: 77, CAT III: 0

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.


Checks (82)

  • V-215573 (MEDIUM): The Windows 2012 DNS Server must prohibit recursion on authoritative name servers for which forwarders have not been configured for external queries.
  • V-215574 (MEDIUM): Forwarders on an authoritative Windows 2012 DNS Server, if enabled for external resolution, must only forward to either an internal, non-AD-integrated DNS server or to the DoD Enterprise Recursive Services (ERS).
  • V-215575 (MEDIUM): The Windows 2012 DNS Server with a caching name server role must restrict recursive query responses to only the IP addresses and IP address ranges of known supported clients.
  • V-215576 (MEDIUM): The Windows 2012 DNS Server with a caching name server role must be secured against pollution by ensuring the authenticity and integrity of queried records.
  • V-215577 (MEDIUM): The Windows 2012 DNS Server must implement cryptographic mechanisms to detect changes to information during transmission unless otherwise protected by alternative physical safeguards, such as, at a minimum, a Protected Distribution System (PDS).
  • V-215578 (MEDIUM): The validity period for the RRSIGs covering a zone's DNSKEY RRSet must be no less than two days and no more than one week.
  • V-215579 (MEDIUM): NSEC3 must be used for all internal DNS zones.
  • V-215580 (HIGH): The Windows 2012 DNS Server's zone files must have NS records that point to active name servers authoritative for the domain specified in that record.
  • V-215581 (MEDIUM): All authoritative name servers for a zone must be located on different network segments.
  • V-215582 (MEDIUM): All authoritative name servers for a zone must have the same version of zone information.
  • V-215583 (HIGH): The Windows 2012 DNS Server must be configured to enable DNSSEC Resource Records.
  • V-215584 (MEDIUM): The digital signature algorithm used for DNSSEC-enabled zones must be FIPS-compatible.
  • V-215585 (MEDIUM): For zones split between the external and internal sides of a network, the RRs for the external hosts must be separate from the RRs for the internal hosts.
  • V-215586 (MEDIUM): In a split DNS configuration, where separate name servers are used between the external and internal networks, the external name server must be configured to not be reachable from inside resolvers.
  • V-215587 (MEDIUM): In a split DNS configuration, where separate name servers are used between the external and internal networks, the internal name server must be configured to not be reachable from outside resolvers.
  • V-215588 (MEDIUM): Primary authoritative name servers must be configured to only receive zone transfer requests from specified secondary name servers.
  • V-215589 (MEDIUM): The Windows 2012 DNS Server's zone database files must not be accessible for edit/write by users and/or processes other than the Windows 2012 DNS Server service account and/or the DNS database administrator.
  • V-215590 (MEDIUM): The Windows 2012 DNS Server must implement internal/external role separation.
  • V-215591 (MEDIUM): The Windows 2012 DNS Server authoritative for local zones must only point root hints to the DNS servers that host the internal root domain.
  • V-215592 (MEDIUM): The DNS name server software must be at the latest version.
  • V-215593 (MEDIUM): The Windows 2012 DNS Server's zone files must not include resource records that resolve to a fully qualified domain name residing in another zone.
  • V-215594 (MEDIUM): The Windows 2012 DNS Server's zone files must not include CNAME records pointing to a zone with lesser security for more than six months.
  • V-215595 (MEDIUM): Non-routable IPv6 link-local scope addresses must not be configured in any zone.
  • V-215596 (MEDIUM): AAAA addresses must not be configured in a zone for hosts that are not IPv6-aware.
  • V-215598 (MEDIUM): The Windows 2012 DNS Server must be configured to prohibit or restrict unapproved ports and protocols.
  • V-215599 (MEDIUM): The Windows 2012 DNS Server must require devices to re-authenticate for each dynamic update request connection attempt.
  • V-215600 (MEDIUM): The Windows 2012 DNS Server must uniquely identify the other DNS server before responding to a server-to-server transaction.
  • V-215601 (MEDIUM): The secondary Windows DNS name servers must cryptographically authenticate zone transfers from primary name servers.
  • V-215602 (MEDIUM): The Windows DNS primary server must only send zone transfers to a specific list of secondary name servers.
  • V-215603 (MEDIUM): The Windows 2012 DNS Server must provide its identity with returned DNS information by enabling DNSSEC and TSIG/SIG(0).
  • V-215604 (MEDIUM): The Windows 2012 DNS Server must be configured to enforce authorized access to the corresponding private key.
  • V-215605 (MEDIUM): The Windows 2012 DNS Server key file must be owned by the account under which the Windows 2012 DNS Server service is run.
  • V-215606 (MEDIUM): The Windows 2012 DNS Server permissions must be set so that the key file can only be read or modified by the account that runs the name server software.
  • V-215607 (MEDIUM): The private key corresponding to the ZSK must only be stored on the name server that does support dynamic updates.
  • V-215608 (MEDIUM): The Windows 2012 DNS Server must implement a local cache of revocation data for PKI authentication in the event revocation information via the network is not accessible.
  • V-215609 (MEDIUM): The salt value for zones signed using NSEC3 RRs must be changed every time the zone is completely re-signed.
  • V-215610 (MEDIUM): The Windows 2012 DNS Server must include data origin with authoritative data the system returns in response to external name/address resolution queries.
  • V-215611 (MEDIUM): The Windows 2012 DNS Server's IP address must be statically defined and configured locally on the server.
  • V-215612 (MEDIUM): The Windows 2012 DNS Server must return data information in responses to internal name/address resolution queries.
  • V-215613 (MEDIUM): The Windows 2012 DNS Server must use DNSSEC data within queries to confirm data origin to DNS resolvers.
  • V-215614 (MEDIUM): WINS lookups must be disabled on the Windows 2012 DNS Server.
  • V-215615 (MEDIUM): The Windows 2012 DNS Server must use DNSSEC data within queries to confirm data integrity to DNS resolvers.
  • V-215616 (MEDIUM): The Windows 2012 DNS Server must be configured with the DS RR carrying the signature for the RR that contains the public key of the child zone.
  • V-215617 (MEDIUM): The Windows 2012 DNS Server must enforce approved authorizations between DNS servers through the use of digital signatures in the RRSet.
  • V-215618 (MEDIUM): The Name Resolution Policy Table (NRPT) must be configured in Group Policy to enforce clients to request DNSSEC validation for a domain.
  • V-215619 (MEDIUM): The Windows 2012 DNS Server must be configured to validate an authentication chain of parent and child domains via response data.
  • V-215620 (MEDIUM): Trust anchors must be exported from authoritative Windows 2012 DNS Servers and distributed to validating Windows 2012 DNS Servers.
  • V-215621 (MEDIUM): Automatic Update of Trust Anchors must be enabled on key rollover.
  • V-215622 (MEDIUM): The Windows DNS secondary servers must request data origin authentication verification from the primary server when requesting name/address resolution.
  • V-215623 (MEDIUM): The Windows DNS secondary server must request data integrity verification from the primary server when requesting name/address resolution.
  • V-215624 (MEDIUM): The Windows DNS secondary server must validate data integrity verification on the name/address resolution responses received from primary name servers.
  • V-215625 (MEDIUM): The Windows DNS secondary server must validate data origin verification authentication on the name/address resolution responses received from primary name servers.
  • V-215626 (MEDIUM): The Windows 2012 DNS Server must protect the authenticity of zone transfers via transaction signing.
  • V-215627 (HIGH): The Windows 2012 DNS Server must protect the authenticity of dynamic updates via transaction signing.
  • V-215628 (MEDIUM): The Windows 2012 DNS Server must protect the authenticity of query responses via DNSSEC.
  • V-215629 (MEDIUM): The Windows 2012 DNS Server must only allow the use of approved DoD PKI-established certificate authorities for verification of the establishment of protected transactions.
  • V-215630 (MEDIUM): The Windows 2012 DNS Server must protect secret/private cryptographic keys while at rest.
  • V-215631 (HIGH): The Windows 2012 DNS Server must not contain zone records that have not been validated in over a year.
  • V-215632 (MEDIUM): The Windows 2012 DNS Server must restrict individuals from using it for launching Denial of Service (DoS) attacks against other information systems.
  • V-215633 (MEDIUM): The Windows 2012 DNS Server must use DNS Notify to prevent denial of service through increase in workload.
  • V-215634 (MEDIUM): The Windows 2012 DNS Server must protect the integrity of transmitted information.
  • V-215635 (MEDIUM): The Windows 2012 DNS Server must maintain the integrity of information during preparation for transmission.
  • V-215636 (MEDIUM): The Windows 2012 DNS Server must maintain the integrity of information during reception.
  • V-215637 (MEDIUM): The Windows 2012 DNS Server must implement NIST FIPS-validated cryptography for provisioning digital signatures, generating cryptographic hashes, and protecting unclassified information requiring confidentiality.
  • V-215638 (MEDIUM): The Windows 2012 DNS Server must be configured to only allow zone information that reflects the environment for which it is authoritative, to include IP ranges and IP versions.
  • V-215639 (MEDIUM): The Windows 2012 DNS Server must follow procedures to re-role a secondary name server as the master name server should the master name server permanently lose functionality.
  • V-215640 (MEDIUM): The DNS Name Server software must be configured to refuse queries for its version information.
  • V-215641 (MEDIUM): The HINFO, RP, TXT and LOC RR types must not be used in the zone SOA.
  • V-215642 (MEDIUM): The Windows 2012 DNS Server must, when a component failure is detected, activate a notification to the system administrator.
  • V-215643 (MEDIUM): The Windows 2012 DNS Server must perform verification of the correct operation of security functions: upon system start-up and/or restart; upon command by a user with privileged access; and/or every 30 days.
  • V-215644 (MEDIUM): The Windows 2012 DNS Server must log the event and notify the system administrator when anomalies in the operation of the signed zone transfers are discovered.
  • V-215645 (MEDIUM): The Windows 2012 DNS Server must be configured to notify the ISSO/ISSM/DNS administrator when functionality of DNSSEC/TSIG has been removed or broken.
  • V-215647 (MEDIUM): The Windows 2012 DNS Server must restrict incoming dynamic update requests to known clients.
  • V-215648 (MEDIUM): The Windows 2012 DNS Server must be configured to record, and make available to authorized personnel, who added/modified/deleted DNS zone information.
  • V-215649 (MEDIUM): The Windows 2012 DNS Server must, in the event of an error validating another DNS server's identity, send notification to the DNS administrator.
  • V-215650 (MEDIUM): The Windows 2012 DNS Server log must be enabled.
  • V-215651 (MEDIUM): The Windows 2012 DNS Server logging must be enabled to record events from all DNS server functions.
  • V-215652 (MEDIUM): The Windows 2012 DNS Server logging criteria must only be configured by the ISSM or individuals appointed by the ISSM.
  • V-215660 (MEDIUM): The Windows 2012 DNS Server's audit records must be backed up at least every seven days onto a different system or system component than the system or component being audited.
  • V-215661 (MEDIUM): The validity period for the RRSIGs covering the DS RR for a zone's delegated children must be no less than two days and no more than one week.
  • V-228571 (MEDIUM): The Windows DNS name servers for a zone must be geographically dispersed.
  • V-264389 (HIGH): The Windows 2012 DNS Server must be a vendor-supported release.