From Microsoft Windows 2012 Server Domain Name System Security Technical Implementation Guide
Part of SRG-APP-000383-DNS-000047
Associated with: CCI-000366
A potential vulnerability of DNS is that an attacker can poison a name server's cache by sending queries that will cause the server to obtain host-to-IP address mappings from bogus name servers that respond with incorrect information. Once a name server has been poisoned, legitimate clients may be directed to non-existent hosts (which constitutes a denial of service), or, worse, hosts that masquerade as legitimate ones to obtain sensitive data or passwords.
Note: If the Windows DNS server is in the classified network, this check is Not Applicable. Note: In Windows 2008 DNS Server, if forwarders are configured, the recursion setting must also be enabled since disabling recursion will disable forwarders. If forwarders are not used, recursion must be disabled. In both cases, the use of root hints must be disabled. Log on to the DNS server using the Domain Admin or Enterprise Admin account. Press Windows Key + R, execute dnsmgmt.msc. On the opened DNS Manager snap-in from the left pane, right-click on the server name for the DNS server and select “Properties”. Click on the “Forwarders” tab. If forwarders are not being used, this is not applicable. Review the IP address(es) for the forwarder(s) use. If the DNS Server does not forward to another DoD-managed DNS server or to the DoD Enterprise Recursive Services (ERS), this is a finding. If the "Use root hints if no forwarders are available" is selected, this is a finding.
Log on to the DNS server using the Domain Admin or Enterprise Admin account. Press Windows Key + R, execute dnsmgmt.msc. On the opened DNS Manager snap-in from the left pane, right-click on the server name for the DNS server and select “Properties”. Click on the “Forwarders” tab. Replace the forwarders being used with another DoD-managed DNS server or the DoD Enterprise Recursive Services (ERS). Deselect the "Use root hints if no forwarders are available".
Lavender hyperlinks in small type off to the right (of CSS
class id
, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header Accept:
text/turtle
or
Accept: application/rdf+xml
.
Powered by sagemincer