The DNS name server software must be at the latest version.

From Microsoft Windows 2008 Server Domain Name System Security Technical Implementation Guide

Part of SRG-APP-000516-DNS-000103

Associated with: CCI-000366

SV-83289r1_rule The DNS name server software must be at the latest version.

Vulnerability discussion

Each newer version of the name server software, especially the BIND software, generally is devoid of vulnerabilities found in earlier versions because it has design changes incorporated to take care of those vulnerabilities. These vulnerabilities have been exploited (i.e., some form of attack was launched), and sufficient information has been generated with respect to the nature of those exploits. It makes good business sense to run the latest version of name server software because theoretically it is the safest version. Even if the software is the latest version, it is not safe to run it in default mode. The security administrator should always configure the software to run in the recommended secure mode of operation after becoming familiar with the new security settings for the latest version.

Check content

Consult with the network IAVM scanner to confirm all Microsoft Operating System IAVMs applicable to Windows 2008/2008 R2 have been applied to the DNS server. If the Windows Operating System has not been patched to handle all IAVMs, this is a finding.

Fix text

Apply all related Microsoft Operating System IAVM patches to the DNS server.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer