From Microsoft Windows 2012 Server Domain Name System Security Technical Implementation Guide
Part of SRG-APP-000383-DNS-000047
Associated with: CCI-000366
A potential vulnerability of DNS is that an attacker can poison a name server's cache by sending queries that will cause the server to obtain host-to-IP address mappings from bogus name servers that respond with incorrect information. Once a name server has been poisoned, legitimate clients may be directed to non-existent hosts (which constitutes a denial of service), or, worse, hosts that masquerade as legitimate ones to obtain sensitive data or passwords.
Verify the Windows 2008 DNS Server will only accept TCP and UDP port 53 traffic from specific IP addresses/ranges. This can be configured via a local or network firewall. If the caching name server is not restricted to answering queries from only specific networks, this is a finding.
Configure a local or network firewall to only allow specific IP addresses/ranges to send inbound TCP and UDP port 53 traffic to a DNS caching server.
Lavender hyperlinks in small type off to the right (of CSS
class id
, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header Accept:
text/turtle
or
Accept: application/rdf+xml
.
Powered by sagemincer