From Microsoft Windows 2008 Server Domain Name System Security Technical Implementation Guide
Part of SRG-APP-000218-DNS-000027
Associated with: CCI-000366
In addition to network-based separation, authoritative name servers should be dispersed geographically as well. In other words, in addition to being located on different network segments, the authoritative name servers should not all be located within the same building. One approach that some organizations follow is to locate some authoritative name servers in their own premises and others in their ISPs' data centers or in partnering organizations.
Windows 2008 DNS Servers that are Active Directory integrated must be located where required to meet the Active Directory services. If all of the Windows 2008 DNS Servers are AD integrated, this check is Not Applicable. If any or all of the Windows 2008 DNS Servers are standalone and non-AD-integrated, verify with the System Administrator their geographic location. If any or all of the authoritative name servers are located in the same building as the master authoritative name server, and the master authoritative name server is not "hidden", this is a finding.
For non-AD-integrated Windows 2008 DNS servers, distribute secondary authoritative servers to be located in different buildings from the primary authoritative server.
Lavender hyperlinks in small type off to the right (of CSS
class id, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header Accept:
text/turtle or
Accept: application/rdf+xml.
Powered by sagemincer