STIGhub

Microsoft Windows Server Domain Name System (DNS) Security Technical Implementation Guide

Version

V2R4

Benchmark ID

MS_Windows_Server_2022_DNS_STIG

Total Checks

81

Tags

windows
CAT I: 5, CAT II: 76, CAT III: 0

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.


Checks (81)

  • V-259334 (MEDIUM) The Windows DNS Server must restrict incoming dynamic update requests to known clients.
  • V-259335 (MEDIUM) The Windows DNS Server must be configured to record who added/modified/deleted DNS zone information.
  • V-259336 (MEDIUM) The Windows DNS Server must notify the DNS administrator in the event of an error validating another DNS server's identity.
  • V-259337 (MEDIUM) The Windows DNS Server log must be enabled.
  • V-259338 (MEDIUM) The "Manage auditing and security log" user right must be assigned only to authorized personnel.
  • V-259339 (MEDIUM) The validity period for the Resource Record Signatures (RRSIGs) covering the Delegation Signer (DS) Resource Record (RR) for a zone's delegated children must be no less than two days and no more than one week.
  • V-259340 (MEDIUM) The Windows DNS name servers for a zone must be geographically dispersed.
  • V-259341 (MEDIUM) The Windows DNS Server must prohibit recursion on authoritative name servers for which forwarders have not been configured for external queries.
  • V-259342 (MEDIUM) Forwarders on an authoritative Windows DNS Server, if enabled for external resolution, must forward only to an internal, non-Active Directory (AD)-integrated DNS server or to the DOD Enterprise Recursive Services (ERS).
  • V-259343 (HIGH) The Windows DNS Server with a caching name server role must restrict recursive query responses to only the IP addresses and IP address ranges of known supported clients.
  • V-259344 (MEDIUM) The Windows DNS Server must implement cryptographic mechanisms to detect changes to information during transmission.
  • V-259345 (MEDIUM) The validity period for the Resource Record Signatures (RRSIGs) covering a zone's DNSKEY RRSet must be no less than two days and no more than one week.
  • V-259346 (MEDIUM) NSEC3 must be used for all internal DNS zones.
  • V-259347 (HIGH) The Windows DNS Server's zone files must have NS records that point to active name servers authoritative for the domain specified in that record.
  • V-259348 (MEDIUM) All authoritative name servers for a zone must be located on different network segments.
  • V-259349 (MEDIUM) All authoritative name servers for a zone must have the same version of zone information.
  • V-259350 (HIGH) The Windows DNS Server must be configured to enable DNSSEC Resource Records (RRs).
  • V-259351 (MEDIUM) The digital signature algorithm used for DNSSEC-enabled zones must be FIPS-compatible.
  • V-259352 (MEDIUM) For zones split between the external and internal sides of a network, the resource records (RRs) for the external hosts must be separate from the RRs for the internal hosts.
  • V-259353 (MEDIUM) In a split DNS configuration between the external and internal networks, the external name server must be configured to not be reachable from inside resolvers.
  • V-259354 (MEDIUM) Primary authoritative name servers must be configured to only receive zone transfer requests from specified secondary name servers.
  • V-259355 (MEDIUM) The Windows DNS Server's zone database files must not be accessible for edit/write by users and/or processes other than the Windows DNS Server service account and/or the DNS database administrator.
  • V-259356 (MEDIUM) The Windows DNS Server must implement internal/external role separation.
  • V-259357 (MEDIUM) The Windows DNS Server authoritative for local zones must only point root hints to the DNS servers that host the internal root domain.
  • V-259358 (MEDIUM) The Windows DNS Server's zone files must not include resource records that resolve to a fully qualified domain name residing in another zone.
  • V-259359 (MEDIUM) The Windows DNS Server's zone files must not include CNAME records pointing to a zone with lesser security for more than six months.
  • V-259360 (MEDIUM) Nonroutable IPv6 link-local scope addresses must not be configured in any zone.
  • V-259361 (MEDIUM) AAAA addresses must not be configured in a zone for hosts that are not dual stack.
  • V-259363 (MEDIUM) The Windows DNS Server must uniquely identify the other DNS server before responding to a server-to-server transaction.
  • V-259364 (MEDIUM) The secondary Windows DNS name servers must cryptographically authenticate zone transfers from primary name servers.
  • V-259365 (MEDIUM) The Windows DNS primary server must only send zone transfers to a specific list of secondary name servers.
  • V-259366 (MEDIUM) The Windows DNS Server must provide its identity with returned DNS information by enabling DNSSEC and TSIG/SIG(0).
  • V-259367 (MEDIUM) The Windows DNS Server must be configured to enforce authorized access to the corresponding private key.
  • V-259368 (MEDIUM) The Windows DNS Server key file must be owned by the account under which the Windows DNS Server service is run.
  • V-259370 (MEDIUM) The private key corresponding to the zone signing key (ZSK) must only be stored on the name server that does support dynamic updates.
  • V-259371 (MEDIUM) The Windows DNS Server must implement a local cache of revocation data for PKI authentication.
  • V-259372 (MEDIUM) The salt value for zones signed using NSEC3 resource records (RRs) must be changed every time the zone is completely re-signed.
  • V-259373 (MEDIUM) The Windows DNS Server must include data origin with authoritative data the system returns in response to external name/address resolution queries.
  • V-259374 (MEDIUM) The Windows DNS Server's IP address must be statically defined and configured locally on the server.
  • V-259375 (MEDIUM) The Windows DNS Server must return data information in response to internal name/address resolution queries.
  • V-259376 (MEDIUM) The Windows DNS Server must use DNSSEC data within queries to confirm data origin to DNS resolvers.
  • V-259377 (MEDIUM) WINS lookups must be disabled on the Windows DNS Server.
  • V-259378 (MEDIUM) The Windows DNS Server must use DNSSEC data within queries to confirm data integrity to DNS resolvers.
  • V-259379 (MEDIUM) The Windows DNS Server must be configured with the Delegation Signer (DS) Resource Records (RR) carrying the signature for the RR that contains the public key of the child zone.
  • V-259380 (MEDIUM) The Windows DNS Server must enforce approved authorizations between DNS servers using digital signatures in the Resource Record Set (RRSet).
  • V-259381 (MEDIUM) The Name Resolution Policy Table (NRPT) must be configured in Group Policy to enforce clients to request DNSSEC validation for a domain.
  • V-259382 (MEDIUM) The Windows DNS Server must be configured to validate an authentication chain of parent and child domains via response data.
  • V-259383 (MEDIUM) Trust anchors must be exported from authoritative Windows DNS Servers and distributed to validating Windows DNS Servers.
  • V-259384 (MEDIUM) Automatic Update of Trust Anchors must be enabled on key rollover.
  • V-259385 (MEDIUM) The Windows DNS secondary servers must request data origin authentication verification from the primary server when requesting name/address resolution.
  • V-259386 (MEDIUM) The Windows DNS secondary server must request data integrity verification from the primary server when requesting name/address resolution.
  • V-259387 (MEDIUM) The Windows DNS secondary server must validate data integrity verification on the name/address resolution responses received from primary name servers.
  • V-259388 (MEDIUM) The Windows DNS secondary server must validate data origin verification authentication on the name/address resolution responses received from primary name servers.
  • V-259389 (MEDIUM) The Windows DNS Server must protect the authenticity of zone transfers via transaction signing.
  • V-259390 (HIGH) The Windows DNS Server must protect the authenticity of dynamic updates via transaction signing.
  • V-259391 (MEDIUM) The Windows DNS Server must protect the authenticity of query responses via DNSSEC.
  • V-259392 (MEDIUM) The Windows DNS Server must use an approved DOD PKI certificate authority.
  • V-259393 (MEDIUM) The Windows DNS Server must protect secret/private cryptographic keys while at rest.
  • V-259394 (MEDIUM) The Windows DNS Server must only contain zone records that have been validated annually.
  • V-259395 (MEDIUM) The Windows DNS Server must restrict individuals from using it for launching denial-of-service (DoS) attacks against other information systems.
  • V-259396 (MEDIUM) The Windows DNS Server must use DNS Notify to prevent denial of service (DoS) through increase in workload.
  • V-259397 (HIGH) The Windows DNS Server must protect the integrity of transmitted information.
  • V-259398 (MEDIUM) The Windows DNS Server must maintain the integrity of information during preparation for transmission.
  • V-259399 (MEDIUM) The Windows DNS Server must maintain the integrity of information during reception.
  • V-259400 (MEDIUM) The Windows DNS Server must implement NIST FIPS-validated cryptography for provisioning digital signatures, generating cryptographic hashes, and protecting unclassified information requiring confidentiality.
  • V-259401 (MEDIUM) The Windows DNS Server must be configured to only allow zone information that reflects the environment for which it is authoritative, including IP ranges and IP versions.
  • V-259402 (MEDIUM) The Windows DNS Server must follow procedures to re-role a secondary name server as the primary name server if the primary name server permanently loses functionality.
  • V-259403 (MEDIUM) The DNS Name Server software must be configured to refuse queries for its version information.
  • V-259404 (MEDIUM) The HINFO, RP, TXT, and LOC RR types must not be used in the zone SOA.
  • V-259405 (MEDIUM) The Windows DNS Server must, when a component failure is detected, activate a notification to the system administrator.
  • V-259406 (MEDIUM) The Windows DNS Server must verify the correct operation of security functions upon startup and/or restart, upon command by a user with privileged access, and/or every 30 days.
  • V-259407 (MEDIUM) The Windows DNS Server must verify the correct operation of security functions upon system startup and/or restart, upon command by a user with privileged access, and/or every 30 days.
  • V-259408 (MEDIUM) The Windows DNS Server must log the event and notify the system administrator when anomalies in the operation of the signed zone transfers are discovered.
  • V-259409 (MEDIUM) The Windows DNS Server must be configured to notify the information system security officer (ISSO), information system security manager (ISSM), or DNS administrator when functionality of DNSSEC/TSIG has been removed or broken.
  • V-259410 (MEDIUM) A unique Transaction Signature (TSIG) key must be generated for each pair of communicating hosts.
  • V-259411 (MEDIUM) The DNS server implementation must employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions.
  • V-259412 (MEDIUM) In the event of a system failure, the Windows DNS Server must preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to mission processes.
  • V-259414 (MEDIUM) The private keys corresponding to both the zone signing key (ZSK) and the key signing key (KSK) must not be kept on the DNSSEC-aware primary authoritative name server when the name server does not support dynamic updates.
  • V-259415 (MEDIUM) The Windows DNS Server audit records must be backed up at least every seven days onto a different system or system component than the system or component being audited.
  • V-259416 (MEDIUM) In a split DNS configuration, where separate name servers are used between the external and internal networks, the internal name server must be configured to not be reachable from outside resolvers.
  • V-259417 (MEDIUM) Windows DNS response rate limiting (RRL) must be enabled.
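Several of the checks above are plain server or zone settings that the DnsServer PowerShell module exposes, so they can be pre-screened in one pass before the manual walk-through. The script below is an added example written for this page; it is not the STIG's own check or fix procedure and not STIGhub code. It assumes the DnsServer module is present (DNS Server role or RSAT) and that the account running it can query the target server. The pass/fail thresholds are my reading of the check titles (recursion off unless forwarders exist for V-259341, RRL in "Enable" rather than "LogOnly" for V-259417, secure-only or no dynamic updates for V-259334, transfers only to the listed secondaries for V-259354/V-259365, signed zones for V-259350, no WINS/WINS-R records for V-259377). The EnableVersionQuery property name used for V-259403 is an assumption taken from the Get-DnsServerSetting -All output and should be confirmed against the full check text, which may instead direct you to dnscmd /Info.

```powershell
#Requires -Modules DnsServer
# Added audit example for a subset of the DNS STIG checks listed on this page.
# Not the STIG's own check/fix text and not STIGhub code. Assumes the DnsServer
# module on the host running it. Thresholds are read from the check titles;
# confirm each against the full check text before recording a result.

function Test-DnsStigSubset {
    [CmdletBinding()]
    param([string]$ComputerName = $env:COMPUTERNAME)

    $findings = [System.Collections.Generic.List[object]]::new()
    function Add-Finding([string]$Id, [string]$Severity, [bool]$Pass, [string]$Detail) {
        $findings.Add([pscustomobject]@{
            VulnId   = $Id
            Severity = $Severity
            Status   = $(if ($Pass) { 'NotAFinding' } else { 'Open' })
            Detail   = $Detail
        })
    }

    # V-259341: recursion must be off on an authoritative server unless
    # forwarders are configured for external resolution.
    $recursion  = Get-DnsServerRecursion -ComputerName $ComputerName
    $forwarders = @((Get-DnsServerForwarder -ComputerName $ComputerName).IPAddress | Where-Object { $_ })
    Add-Finding 'V-259341' 'MEDIUM' ((-not $recursion.Enable) -or ($forwarders.Count -gt 0)) `
        ("Recursion enabled={0}; forwarders={1}" -f $recursion.Enable, ($forwarders -join ','))

    # V-259417: response rate limiting must be enforcing, not just logging.
    $rrl = Get-DnsServerResponseRateLimiting -ComputerName $ComputerName
    Add-Finding 'V-259417' 'MEDIUM' ($rrl.Mode -eq 'Enable') ("RRL mode={0}" -f $rrl.Mode)

    # V-259403: version queries must be refused (dnscmd /Config /EnableVersionQuery 0).
    # Property name is an assumption; if it is absent the value prints empty and
    # the item is reported Open so that it gets a manual look.
    $settings = Get-DnsServerSetting -ComputerName $ComputerName -All
    Add-Finding 'V-259403' 'MEDIUM' ($settings.EnableVersionQuery -eq 0) `
        ("EnableVersionQuery={0}" -f $settings.EnableVersionQuery)

    # Per-zone checks on authoritative primary zones; auto-created, stub and
    # conditional-forwarder zones are skipped.
    $zones = Get-DnsServerZone -ComputerName $ComputerName |
        Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated }
    foreach ($z in $zones) {
        $n = $z.ZoneName
        # V-259334: dynamic updates only from authenticated clients, or none at all.
        Add-Finding 'V-259334' 'MEDIUM' ($z.DynamicUpdate -in 'Secure','None') `
            ("{0}: DynamicUpdate={1}" -f $n, $z.DynamicUpdate)
        # V-259354 / V-259365: zone transfers only to the explicit secondary list, or none.
        Add-Finding 'V-259365' 'MEDIUM' ($z.SecureSecondaries -in 'NoTransfer','TransferToSecureServers') `
            ("{0}: SecureSecondaries={1}; SecondaryServers={2}" -f $n, $z.SecureSecondaries, (@($z.SecondaryServers) -join ','))
        # V-259350: the zone must be DNSSEC signed.
        Add-Finding 'V-259350' 'HIGH' $z.IsSigned ("{0}: IsSigned={1}" -f $n, $z.IsSigned)
        # V-259377: WINS lookup is off when the zone holds no WINS / WINS-R records.
        $wins = @(Get-DnsServerResourceRecord -ComputerName $ComputerName -ZoneName $n -RRType Wins  -ErrorAction SilentlyContinue) +
                @(Get-DnsServerResourceRecord -ComputerName $ComputerName -ZoneName $n -RRType WinsR -ErrorAction SilentlyContinue)
        Add-Finding 'V-259377' 'MEDIUM' ($wins.Count -eq 0) ("{0}: WINS records={1}" -f $n, $wins.Count)
    }
    return $findings
}

# Usage:
#   Test-DnsStigSubset | Format-Table -AutoSize
#   Test-DnsStigSubset -ComputerName dns01 | Export-Csv .\dns-stig-findings.csv -NoTypeInformation
```

The script only covers settings the module can read; procedural items in the list (geographic dispersion, annual record validation, seven-day audit backups, key custody) still need the manual check. Treat an "Open" result as a prompt to run the full check text, not as the final status: the zone-transfer rule in particular may be satisfied differently in an AD-integrated environment, and the STIG's own check text decides.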