WDNS-CM-000005 - The Windows 2012 DNS Server with a caching name server role must restrict recursive query responses to only the IP addresses and IP address ranges of known supported clients.

Information

A potential vulnerability of DNS is that an attacker can poison a name server's cache by sending queries that will cause the server to obtain host-to-IP address mappings from bogus name servers that respond with incorrect information. Once a name server has been poisoned, legitimate clients may be directed to non-existent hosts (which constitutes a denial of service), or, worse, hosts that masquerade as legitimate ones to obtain sensitive data or passwords.

To guard against poisoning, name servers specifically fulfilling the role of providing recursive query responses for external zones need to be segregated from name servers authoritative for internal zones.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Configure a local or network firewall to only allow specific IP addresses/ranges to send inbound TCP and UDP port 53 traffic to a DNS caching server.

Item Details

Audit Name: DISA Microsoft Windows 2012 Server Domain Name System STIG v2r7

Category: CONFIGURATION MANAGEMENT

Plugin: Windows

Control ID: 7eed4871571c78d242c3b264d28538b5b70f21fd202644d367d03cb6c5b6b461

Detections

Analytics

WDNS-CM-000005 - The Windows 2012 DNS Server with a caching name server role must restrict recursive query responses to only the IP addresses and IP address ranges of known supported clients.

Information

Solution

See Also

Item Details