StigData/Processed/WindowsDnsServer-2012R2-1.11.xml

<DISASTIG version="1" classification="UNCLASSIFIED" customname="" stigid="Microsoft_Windows_2012_Server_Domain_Name_System_STIG" description="The Microsoft Windows 2012 Server Domain Name System Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil." filename="U_MS_Windows_2012_Server_DNS_STIG_V1R11_Manual-xccdf.xml" releaseinfo="Release: 11 Benchmark Date: 25 Jan 2019" title="Microsoft Windows 2012 Server Domain Name System Security Technical Implementation Guide" notice="terms-of-use" source="STIG.DOD.MIL" fullversion="1.11" created="2/1/2019">
  <DnsServerRootHintRule dscresourcemodule="PSDesiredStateConfiguration">
    <Rule id="V-58615" severity="medium" conversionstatus="pass" title="SRG-APP-000516-DNS-000102" dscresource="Script">
      <HostName>$null</HostName>
      <IpAddress>$null</IpAddress>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Note: If the Windows DNS server is in the classified network, this check is Not Applicable.

Log on to the authoritative DNS server using the Domain Admin or Enterprise Admin account.

Press Windows Key + R, execute dnsmgmt.msc.

Right-click the DNS server, select “Properties”.

Select the "Root Hints" tab.

Verify the "Root Hints" is either empty or only has entries for internal zones under "Name servers:". All Internet root server entries must be removed.

If "Root Hints" is not empty and the entries on the "Root Hints" tab under "Name servers:" are external to the local network, this is a finding.
</RawString>
    </Rule>
  </DnsServerRootHintRule>
  <DnsServerSettingRule dscresourcemodule="xDnsServer">
    <Rule id="V-58543" severity="medium" conversionstatus="pass" title="SRG-APP-000348-DNS-000042" dscresource="xDnsServerSetting">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <PropertyName>EventLogLevel</PropertyName>
      <PropertyValue>4</PropertyValue>
      <RawString>Log on to the DNS server using the Domain Admin or Enterprise Admin account.

Press Windows Key + R, execute dnsmgmt.msc.

Right-click the DNS server, select “Properties”.

Click on the “Event Logging” tab. By default, all events are logged.

Verify "Errors and warnings" or "All events" is selected.

If any option other than "Errors and warnings" or "All events" is selected, this is a finding.</RawString>
    </Rule>
    <Rule id="V-58579" severity="medium" conversionstatus="pass" title="SRG-APP-000383-DNS-000047" dscresource="xDnsServerSetting">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <PropertyName>NoRecursion</PropertyName>
      <PropertyValue>$True</PropertyValue>
      <RawString>Note: If the Windows DNS server is in the classified network, this check is Not Applicable.

Note: In Windows 2008 DNS Server, if forwarders are configured, the recursion setting must also be enabled since disabling recursion will disable forwarders.

If forwarders are not used, recursion must be disabled.

In both cases, the use of root hints must be disabled. The root hints configuration requirement is addressed in WDNS-CM-000004.

Log on to the DNS server using the Domain Admin or Enterprise Admin account.

Press Windows Key + R, execute dnsmgmt.msc.

On the opened DNS Manager snap-in from the left pane, right-click on the server name for the DNS server and select “Properties”.

Click on the “Forwarders” tab.

If forwarders are enabled and configured, this check is not applicable.

If forwarders are not enabled, click on the “Advanced” tab and ensure the "Disable recursion (also disables forwarders)" check box is selected.

If forwarders are not enabled and configured, and the "Disable recursion (also disables forwarders)" check box in the “Advanced” tab is not selected, this is a finding.
</RawString>
    </Rule>
  </DnsServerSettingRule>
  <DocumentRule dscresourcemodule="None">
    <Rule id="V-58547" severity="medium" conversionstatus="pass" title="SRG-APP-000350-DNS-000044" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Windows 2012 DNS servers, hosting Active Directory integrated zones, transfer zone information via AD replication. Windows 2012 DNS servers hosting non-AD-integrated zones as a secondary name server and/or are not hosting AD-integrated zones use zone transfer to sync zone data.

If the Windows 2012 DNS server only hosts AD-integrated zones and all other name servers for the zones hosted are Active Directory Domain Controllers, this requirement is not applicable.

If the Windows 2012 DNS server is not an Active Directory Domain Controller, or is a secondary name server for a zone with a non-AD-integrated name server as the master, this requirement is applicable.

Administrator notification is only possible if a third-party event monitoring system is configured or, at a minimum, there are documented procedures requiring the administrator to review the DNS logs on a routine, daily basis.

If a third-party event monitoring system is not configured, or a document procedure is not in place requiring the administrator to review the DNS logs on a routine, daily basis, this is a finding.
</RawString>
    </Rule>
    <Rule id="V-58549" severity="medium" conversionstatus="pass" title="SRG-APP-000089-DNS-000004 Duplicate" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Log on to the DNS server using the Domain Admin or Enterprise Admin account.

Press Windows Key + R, execute dnsmgmt.msc.

Right-click the DNS server, select “Properties”.

Click on the “Event Logging” tab. By default, all events are logged.

Verify "Errors and warnings" or "All events" is selected.

If any option other than "Errors and warnings" or "All events" is selected, this is a finding.</RawString>
    </Rule>
    <Rule id="V-58561" severity="medium" conversionstatus="pass" title="SRG-APP-000095-DNS-000006 Duplicate" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Log on to the DNS server using the Domain Admin or Enterprise Admin account.

Press Windows Key + R, execute dnsmgmt.msc.

From the right pane, under the SERVERS section, right-click the DNS server.

From the displayed context menu, click the DNS Manager option.

Click on the Event Logging tab. By default, all events are logged.

Verify "Errors and warnings" or "All events" is selected.

If any option other than "Errors and warnings" or "All events" is selected, this is a finding.

For Windows 2012 R2 DNS Server, the Enhanced DNS logging and diagnostics in Windows Server 2012 R2 must also be enabled.

Run eventvwr.msc at an elevated command prompt.

In the Event viewer, navigate to the applications and Services Logs\Microsoft\Windows\DNS Server.

Right-click DNS Server, point to View, and then click "Show Analytic and Debug Logs".

Right-click Analytical and then click on Properties.

Confirm the "Enable logging" check box is selected.

If the check box to enable analytic and debug logs is not enabled on a Windows 2012 R2 DNS server, this is a finding.</RawString>
    </Rule>
    <Rule id="V-58563" severity="medium" conversionstatus="pass" title="SRG-APP-000096-DNS-000007 Duplicate" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Log on to the DNS server using the Domain Admin or Enterprise Admin account.

Press Windows Key + R, execute dnsmgmt.msc.

Right-click the DNS server, select Properties.

Click on the Event Logging tab. By default, all events are logged.

Verify "Errors and warnings" or "All events" is selected.

If any option other than "Errors and warnings" or "All events" is selected, this is a finding.

For Windows 2012 R2 DNS Server, the Enhanced DNS logging and diagnostics in Windows Server 2012 R2 must also be enabled.

Run eventvwr.msc at an elevated command prompt.

In the Event viewer, navigate to the applications and Services Logs\Microsoft\Windows\DNS Server.

Right-click DNS Server, point to View, and then click "Show Analytic and Debug Logs".

Right-click Analytical and then click on Properties.

Confirm the "Enable logging" check box is selected.

If the check box to enable analytic and debug logs is not enabled on a Windows 2012 R2 DNS server, this is a finding.</RawString>
    </Rule>
    <Rule id="V-58565" severity="medium" conversionstatus="pass" title="SRG-APP-000097-DNS-000008 Duplicate" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Log on to the DNS server using the Domain Admin or Enterprise Admin account.

Press Windows Key + R, execute dnsmgmt.msc.

Right-click the DNS server, select Properties.

Click on the Event Logging tab. By default, all events are logged.

Verify "Errors and warnings" or "All events" is selected.

If any option other than "Errors and warnings" or "All events" is selected, this is a finding.

For Windows 2012 R2 DNS Server, the Enhanced DNS logging and diagnostics in Windows Server 2012 R2 must also be enabled.

Run eventvwr.msc at an elevated command prompt.

In the Event viewer, navigate to the applications and Services Logs\Microsoft\Windows\DNS Server.

Right-click DNS Server, point to View, and then click "Show Analytic and Debug Logs".

Right-click Analytical and then click on Properties.

Confirm the "Enable logging" check box is selected.

If the check box to enable analytic and debug logs is not enabled on a Windows 2012 R2 DNS server, this is a finding.</RawString>
    </Rule>
    <Rule id="V-58567" severity="medium" conversionstatus="pass" title="SRG-APP-000098-DNS-000009 Duplicate" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Log on to the DNS server using the Domain Admin or Enterprise Admin account.

Press Windows Key + R, execute dnsmgmt.msc.

Right-click the DNS server, select Properties.

Click on the Event Logging tab. By default, all events are logged.

Verify "Errors and warnings" or "All events" is selected.

If any option other than "Errors and warnings" or "All events" is selected, this is a finding.

For Windows 2012 R2 DNS Server, the Enhanced DNS logging and diagnostics in Windows Server 2012 R2 must also be enabled.

Run eventvwr.msc at an elevated command prompt.

In the Event viewer, navigate to the applications and Services Logs\Microsoft\Windows\DNS Server.

Right-click DNS Server, point to View, and then click "Show Analytic and Debug Logs".

Right-click Analytical and then click on Properties.

Confirm the "Enable logging" check box is selected.

If the check box to enable analytic and debug logs is not enabled on a Windows 2012 R2 DNS server, this is a finding.</RawString>
    </Rule>
    <Rule id="V-58569" severity="medium" conversionstatus="pass" title="SRG-APP-000099-DNS-000010 Duplicate" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Log on to the DNS server using the Domain Admin or Enterprise Admin account.

Press Windows Key + R, execute dnsmgmt.msc.

Right-click the DNS server, select Properties.

Click on the Event Logging tab. By default, all events are logged.

Verify "Errors and warnings" or "All events" is selected.

If any option other than "Errors and warnings" or "All events" is selected, this is a finding.

For Windows 2012 R2 DNS Server, the Enhanced DNS logging and diagnostics in Windows Server 2012 R2 must also be enabled.

Run eventvwr.msc at an elevated command prompt.

In the Event viewer, navigate to the applications and Services Logs\Microsoft\Windows\DNS Server.

Right-click DNS Server, point to View, and then click "Show Analytic and Debug Logs".

Right-click Analytical and then click on Properties.

Confirm the "Enable logging" check box is selected.

If the check box to enable analytic and debug logs is not enabled on a Windows 2012 R2 DNS server, this is a finding.</RawString>
    </Rule>
    <Rule id="V-58571" severity="medium" conversionstatus="pass" title="SRG-APP-000100-DNS-000011 Duplicate" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Log on to the DNS server using the Domain Admin or Enterprise Admin account.

Press Windows Key + R, execute dnsmgmt.msc.

Right-click the DNS server, select Properties.

Click on the Event Logging tab. By default, all events are logged.

Verify "Errors and warnings" or "All events" is selected.

If any option other than "Errors and warnings" or "All events" is selected, this is a finding.

For Windows 2012 R2 DNS Server, the Enhanced DNS logging and diagnostics in Windows Server 2012 R2 must also be enabled.

Run eventvwr.msc at an elevated command prompt.

In the Event viewer, navigate to the applications and Services Logs\Microsoft\Windows\DNS Server.

Right-click DNS Server, point to View, and then click "Show Analytic and Debug Logs".

Right-click Analytical and then click on Properties.

Confirm the "Enable logging" check box is selected.

If the check box to enable analytic and debug logs is not enabled on a Windows 2012 R2 DNS server, this is a finding.</RawString>
    </Rule>
    <Rule id="V-58581" severity="medium" conversionstatus="pass" title="SRG-APP-000383-DNS-000047 Duplicate" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Note: If the Windows DNS server is in the classified network, this check is Not Applicable.

Note: In Windows 2008 DNS Server, if forwarders are configured, the recursion setting must also be enabled since disabling recursion will disable forwarders.

If forwarders are not used, recursion must be disabled. In both cases, the use of root hints must be disabled.

Log on to the DNS server using the Domain Admin or Enterprise Admin account.

Press Windows Key + R, execute dnsmgmt.msc.

On the opened DNS Manager snap-in from the left pane, right-click on the server name for the DNS server and select “Properties”.

Click on the “Forwarders” tab.

If forwarders are not being used, this is not applicable.

Review the IP address(es) for the forwarder(s) use.

If the DNS Server does not forward to another DoD-managed DNS server or to the DoD Enterprise Recursive Services (ERS), this is a finding.

If the "Use root hints if no forwarders are available" is selected, this is a finding.
</RawString>
    </Rule>
    <Rule id="V-58619" severity="medium" conversionstatus="pass" title="SRG-APP-000516-DNS-000113" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Log on to the DNS server using the Domain Admin or Enterprise Admin account.

Press Windows Key + R, execute dnsmgmt.msc.

On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server, and then expand Forward Lookup Zones.

From the expanded list, click to select the zone.

Confirm with the DNS administrator that the hosts defined in the zone files do not resolve to hosts in another zone with its fully qualified domain name.

The exceptions are glue records supporting zone delegations, CNAME records supporting a system migration, or CNAME records that point to third-party Content Delivery Networks (CDN) or cloud computing platforms. In the case of third-party CDNs or cloud offerings, an approved mission need must be demonstrated. Additional exceptions are CNAME records in a multi-domain Active Directory environment pointing to hosts in other internal domains in the same multi-domain environment.

If resource records are maintained that resolve to a fully qualified domain name in another zone, and the usage is not for resource records resolving to hosts that are glue records supporting zone delegations, CNAME records supporting a system migration, or CNAME records that point to third-party Content Delivery Networks (CDN) or cloud computing platforms with a documented and approved mission need, this is a finding.</RawString>
    </Rule>
    <Rule id="V-58621" severity="medium" conversionstatus="pass" title="SRG-APP-000516-DNS-000114" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Log on to the DNS server using the Domain Admin or Enterprise Admin account.

Press Windows Key + R, execute dnsmgmt.msc.

On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server, and then expand Forward Lookup Zones.

From the expanded list, click to select the zone.

Review the RRs to confirm that there are no CNAME records older than 6 months.

The exceptions are glue records supporting zone delegations, CNAME records supporting a system migration, or CNAME records that point to third-party Content Delivery Networks (CDN) or cloud computing platforms. In the case of third-party CDNs or cloud offerings, an approved mission need must be demonstrated (AO approval of use of a commercial cloud offering would satisfy this requirement). Additional exceptions are CNAME records in a multi-domain Active Directory environment pointing to hosts in other internal domains in the same multi-domain environment.

If there are zone-spanning CNAME records older than 6 months and the CNAME records resolve to anything other than fully qualified domain names for glue records supporting zone delegations, CNAME records supporting a system migration, or CNAME records that point to third-party Content Delivery Networks (CDN) or cloud computing platforms with an AO-approved and documented mission need, this is a finding.</RawString>
    </Rule>
    <Rule id="V-58645" severity="medium" conversionstatus="pass" title="SRG-APP-000176-DNS-000019 Duplicate" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Access Windows Explorer.

Navigate to the following location:
%ALLUSERSPROFILE%\Microsoft\Crypto

Verify the permissions on the folder, sub-folders and files are limited to “SYSTEM” and Administrators for “FULL CONTROL”.

If any other user or group has greater than Read/Execute and List Folder contents permissions to the %ALLUSERSPROFILE%\Microsoft\Crypto folder, sub-folders and files, this is a finding.
</RawString>
    </Rule>
    <Rule id="V-58649" severity="medium" conversionstatus="pass" title="SRG-APP-000401-DNS-000051" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Consult with the SA to determine if there is a third-party CRL server being used for certificate revocation lookup.

If there is, verify if a documented procedure is in place to store a copy of the CRL locally (local to the site, as an alternative to querying the actual Certificate Authorities). An example would be an OCSP responder installed at the local site.

If there is no local cache of revocation data, this is a finding.</RawString>
    </Rule>
    <Rule id="V-58695" severity="medium" conversionstatus="pass" title="SRG-APP-000428-DNS-000061" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>This requirement is not applicable for a Windows 2008 DNS Server which is only hosting AD-integrated zones.

For a Windows 2008 DNS Server which hosts a mix of AD-integrated zones and manually maintained zones, ask the DNS database administrator if they maintain a separate database with record documentation for the non-AD-integrated zone information. The reviewer should check that the record's last verified date is less than one year prior to the date of the review.

If a separate database with record documentation is not maintained for the non-AD-integrated zone information, this is a finding.

If a separate database with record documentation is maintained for the non-AD-integrated zone information, log on to the DNS server using the Domain Admin or Enterprise Admin account.

Press Windows Key + R, execute dnsmgmt.msc.

On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server, and then expand Forward Lookup Zones.

From the expanded list, click to select the zone.

Review the zone records of the non-AD-integrated zones and compare to the separate documentation maintained.

Determine if any records have not been validated in over a year.

If zone records exist which have not been validated in over a year, this is a finding.</RawString>
    </Rule>
    <Rule id="V-58709" severity="medium" conversionstatus="pass" title="SRG-APP-000451-DNS-000069" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Active Directory integrated DNS servers will handle the promotion of a secondary DNS server whenever a primary DNS server loses functionality.

If all of the DNS servers are AD-integrated, this is not a finding.

Consult with the System Administrator to determine if there are documented procedures for re-roling a non-AD-integrated secondary name server to a master name server role in the event a master name server loses functionality.

If there is not any documented procedures for re-roling a non-AD-integrated secondary name server to primary in the event a master name server loses functionality, this is a finding.</RawString>
    </Rule>
    <Rule id="V-58711" severity="medium" conversionstatus="pass" title="SRG-APP-000268-DNS-000039" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Notification to system administrator is not configurable in Windows 2008. In order for system administrators to be notified when a component fails, the system administrator would need to implement a third-party monitoring system. At a minimum, the system administrator should have a documented procedure in place to review the diagnostic logs on a routine basis every day.

If a third-party monitoring system is not in place to detect and notify the system administrator upon component failures and the system administrator does not have a documented procedure in place to review the diagnostic logs on a routine basis every day, this is a finding.</RawString>
    </Rule>
    <Rule id="V-58715" severity="medium" conversionstatus="pass" title="SRG-APP-000474-DNS-000073" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Notification to system administrator is not configurable in Windows 2012. In order for administrator to be notified if functionality of DNSSEC/TSIG has been removed or broken, the ISSO/ISSM/DNS administrator would need to implement a third-party monitoring system. At a minimum, the ISSO/ISSM/DNS administrator should have a documented procedure in place to review the diagnostic logs on a routine basis every day.

If a third-party monitoring system is not in place to detect and notify the ISSO/ISSM/DNS administrator if functionality of DNSSEC/TSIG has been removed or broken and the ISSO/ISSM/DNS administrator does not have a documented procedure in place to review the diagnostic logs on a routine basis every day, this is a finding.</RawString>
    </Rule>
    <Rule id="V-58717" severity="medium" conversionstatus="pass" title="SRG-APP-000275-DNS-000040" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Note: This check is Not applicable for Windows 2012 DNS Servers that only host Active Directory integrated zones or for Windows 2012 DNS servers on a Classified network.

Notification to system administrator is not configurable in Windows 2008. In order for ISSO/ISSM/DNS administrator to be notified if functionality of Secure Updates has been removed or broken, the ISSO/ISSM/DNS administrator would need to implement a third party monitoring system. At a minimum, the ISSO/ISSM/DNS administrator should have a documented procedure in place to review the diagnostic logs on a routine basis every day.

If a third party monitoring system is not in place to detect and notify the ISSO/ISSM/DNS administrator if functionality of Secure Updates has been removed or broken and the ISSO/ISSM/DNS administrator does not have a documented procedure in place to review the diagnostic logs on a routine basis every day, this is a finding.</RawString>
    </Rule>
    <Rule id="V-58719" severity="medium" conversionstatus="pass" title="SRG-APP-000504-DNS-000074 Duplicate" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Log on to the DNS server using the Domain Admin or Enterprise Admin account.

Press Windows Key + R, execute dnsmgmt.msc.

Right-click the DNS server, select Properties.

Click on the Event Logging tab. By default, all events are logged.

Verify "Errors and warnings" or "All events" is selected.

If any option other than "Errors and warnings" or "All events" is selected, this is a finding.

For Windows 2012 R2 DNS Server, the Enhanced DNS logging and diagnostics in Windows Server 2012 R2 must also be enabled.

Run eventvwr.msc at an elevated command prompt.

In the Event viewer, navigate to the applications and Services Logs\Microsoft\Windows\DNS Server.

Right-click DNS Server, point to View, and then click "Show Analytic and Debug Logs".

Right-click Analytical and then click on Properties.

Confirm the "Enable logging" check box is selected.

If the check box to enable analytic and debug logs is not enabled on a Windows 2012 R2 DNS server, this is a finding.</RawString>
    </Rule>
  </DocumentRule>
  <ManualRule dscresourcemodule="None">
    <Rule id="V-58237" severity="medium" conversionstatus="pass" title="SRG-APP-000001-DNS-000115" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Log on to the DNS server using the Domain Admin or Enterprise Admin account.

Press Windows Key + R, execute dnsmgmt.msc.

On the opened DNS Manager snap-in from the left pane, expand the server name and then expand Forward Lookup Zones.

From the expanded list, click to select the zone.

Once selected, right-click the name of the zone.

From the displayed context menu, click the “Properties” option.

On the opened domain's properties box, click the “General” tab.

Verify the Type: is Active Directory-Integrated.

Verify the Dynamic updates has "Secure only" selected.

If the zone is Active Directory-Integrated and the Dynamic updates are not configured for "Secure only", this is a finding.</RawString>
    </Rule>
    <Rule id="V-58551" severity="medium" conversionstatus="pass" title="SRG-APP-000089-DNS-000005" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Log on to the DNS server using the Domain Admin or Enterprise Admin account.

Open an elevated Windows PowerShell prompt on a DNS server using the Domain Admin or Enterprise Admin account.

Use the “Get-DnsServerDiagnostics” cmdlet to view the status of individual diagnostic events.

Verify following diagnostic events are set to "True":
Queries, Answers, Notifications, Update, QuestionTransactions, UnmatcheResponse, SendPackets, ReceivePackets, TcpPackets, UdpPackets, FullPackets, UseSystemEventLog
Also set to “True” should be:
EnableLoggingForLocalLookupEvent
EnableLoggingForPluginDLLEvent
EnableLoggingForRecursiveLookupEvent
EnableLoggingForRemoteServerEvent
EnableLoggingForRemoteServerEvent
EnableLoggingForServerStartStopEvent
EnableLoggingForTombstoneEvent
EnableLoggingForZoneDataWriteEvent
EnableLoggingForZoneLoadingEvent

If all required diagnostic events are not set to "True", this is a finding.
</RawString>
    </Rule>
    <Rule id="V-58557" severity="medium" conversionstatus="pass" title="SRG-APP-000514-DNS-000075" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Note: This requirement applies to any Windows DNS Server which host non-AD-integrated zones even if the DNS servers host AD-integrated zones, too. If the Windows DNS Server only hosts AD-integrated zones and does not host any file-based zones, this is not applicable.
Validate this check from the Windows 2012 DNS server being configured/reviewed.

Log on to the Windows 2012 DNS server using the account designated as Administrator or DNS Administrator.
Determine a valid host in the zone.

Open the Windows PowerShell prompt on the Windows 2012 DNS server being configured/reviewed.

Issue the following command:
(Replace www.zonename.mil with a FQDN of a valid host in the zone being validated. Replace ###.###.###.### with the FQDN or IP address of the Windows 2012 DNS Server hosting the signed zone.)

resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok &lt;enter&gt;

Note: It is important to use the -server switch followed by the DNS Server name/IP address.

The result should show the "A" record results.

In addition, the results should show QueryType: RRSIG with an expiration, date signed, signer and signature, similar to the following:

Name: www.zonename.mil
QueryType: RRSIG
TTL: 189
Section: Answer
TypeCovered: CNAME
Algorithm: 8
LabelCount: 3
OriginalTtl: 300
Expiration: 11/21/2014 10:22:28 PM
Signed: 10/22/2014 10:22:28 PM
Signer: zonename.mil
Signature: {87, 232, 34, 134...}

Name: origin-www.zonename.mil
QueryType: A
TTL: 201
Section: Answer
IP4Address: ###.###.###.###

If the results do not show the RRSIG and signature information, this is a finding.
</RawString>
    </Rule>
    <Rule id="V-58573" severity="medium" conversionstatus="pass" title="SRG-APP-000125-DNS-000012" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Consult with the System Administrator to determine the backup policy in place for Windows 2008 DNS Server.

Review the backup methods used and determine if the backup's methods have been successful at backing up the audit records at least every seven days.

If the organization does not have a backup policy in place for backing up the Windows 2008 DNS Server's audit records and/or the backup methods have not been successful at backing up the audit records at least every seven days, this is a finding.</RawString>
    </Rule>
    <Rule id="V-58575" severity="medium" conversionstatus="pass" title="SRG-APP-000214-DNS-000079" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Note: This check is Not applicable for Windows 2012 DNS Servers that only host Active Directory integrated zones or for Windows 2012 DNS servers on a Classified network.

Log on to the DNS server using the Domain Admin or Enterprise Admin account.

Press Windows Key + R, execute dnsmgmt.msc.

On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server, and then expand Forward Lookup Zones.

From the expanded list, click to select the zone.

View the validity period for the DS Resource Record.

If the validity period for the DS Resource Record for the child domain is less than two days (48 hours) or more than one week (168 hours), this is a finding.</RawString>
    </Rule>
    <Rule id="V-58577" severity="medium" conversionstatus="pass" title="SRG-APP-000218-DNS-000027" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Windows 2008 DNS Servers that are Active Directory integrated must be located where required to meet the Active Directory services.

If all of the Windows 2008 DNS Servers are AD integrated, this check is Not Applicable.

If any or all of the Windows 2008 DNS Servers are standalone and non-AD-integrated, verify with the System Administrator their geographic location.

If any or all of the authoritative name servers are located in the same building as the master authoritative name server, and the master authoritative name server is not "hidden", this is a finding.</RawString>
    </Rule>
    <Rule id="V-58583" severity="medium" conversionstatus="pass" title="SRG-APP-000383-DNS-000047" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the Windows 2008 DNS Server will only accept TCP and UDP port 53 traffic from specific IP addresses/ranges.

This can be configured via a local or network firewall.

If the caching name server is not restricted to answering queries from only specific networks, this is a finding.</RawString>
    </Rule>
    <Rule id="V-58585" severity="medium" conversionstatus="pass" title="SRG-APP-000383-DNS-000047" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Note: Blackhole name servers host records which are manually added and for which the name server is not authoritative. It is configured and intended to block resolvers from getting to a destination by directing the query to a blackhole. If the blackhole name server is not authoritative for any zones and otherwise only serves as a caching/forwarding name server, this check is Not Applicable.

The non-AD-integrated, standalone, caching Windows 2012 DNS Server must be configured to be DNSSEC-aware. When performing caching and lookups, the caching name server must be able to obtain a zone signing key DNSKEY record and corresponding RRSIG record for the queried record. It will use this information to compute the hash for the hostname being resolved. The caching name server decrypts the RRSIG record for the hostname being resolved with the zone's ZSK to get the RRSIG record hash. The caching name server compares the hashes and ensures they match.

If the non-AD-integrated, standalone, caching Windows 2012 DNS Server is not configured to be DNSSEC-aware, this is a finding.
</RawString>
    </Rule>
    <Rule id="V-58587" severity="medium" conversionstatus="pass" title="SRG-APP-000440-DNS-000065" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Note: This requirement applies to any Windows DNS Server which host non-AD-integrated zones even if the DNS servers host AD-integrated zones, too. If the Windows DNS Server only hosts AD-integrated zones and does not host any file-based zones, this is not applicable.
Validate this check from the Windows 2012 DNS server being configured/reviewed.

Note: This requirement does not apply for classified environments.

Log on to the Windows 2012 DNS server using the account designated as Administrator or DNS Administrator.
Determine a valid host in the zone.

Open the Windows PowerShell prompt on the Windows 2012 DNS server being configured/reviewed.

Issue the following command:
(Replace www.zonename.mil with a FQDN of a valid host in the zone being validated. Replace ###.###.###.### with the FQDN or IP address of the Windows 2012 DNS Server hosting the signed zone.)

resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok &lt;enter&gt;

Note: It is important to use the -server switch followed by the DNS Server name/IP address.

The result should show the "A" record results.

In addition, the results should show QueryType: RRSIG with an expiration, date signed, signer and signature, similar to the following:

Name: www.zonename.mil
QueryType: RRSIG
TTL: 189
Section: Answer
TypeCovered: CNAME
Algorithm: 8
LabelCount: 3
OriginalTtl: 300
Expiration: 11/21/2014 10:22:28 PM
Signed: 10/22/2014 10:22:28 PM
Signer: zonename.mil
Signature: {87, 232, 34, 134...}

Name: origin-www.zonename.mil
QueryType: A
TTL: 201
Section: Answer
IP4Address: ###.###.###.###

If the results do not show the RRSIG and signature information, this is a finding.
</RawString>
    </Rule>
    <Rule id="V-58589" severity="medium" conversionstatus="pass" title="SRG-APP-000516-DNS-000078" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Note: This check is Not applicable for Windows 2012 DNS Servers that only host Active Directory integrated zones or for Windows 2012 DNS servers on a Classified network.

Log on to the DNS server using the account designated as Administrator or DNS Administrator.

Press Windows Key + R, execute dnsmgmt.msc.

On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server, and then expand Forward Lookup Zones.

From the expanded list, click to select the zone.

Right-click the zone and select DNSSEC, Properties.

Select the KSK Tab.

Verify the "DNSKEY signature validity period (hours):” is set to at least 48 hours and no more than 168 hours.

Select the ZSK Tab.
Verify the "DNSKEY signature validity period (hours):" is set to at least 48 hours and no more than 168 hours.

If either the KSK or ZSK Tab "DNSKEY signature validity period (hours):" values are set to less than 48 hours or more than 168 hours, this is a finding.
</RawString>
    </Rule>
    <Rule id="V-58591" severity="medium" conversionstatus="pass" title="SRG-APP-000516-DNS-000084" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Note: This check is Not applicable for Windows 2012 DNS Servers that only host Active Directory integrated zones or for Windows 2012 DNS servers on a Classified network.

Log on to the DNS server using the Domain Admin or Enterprise Admin account.

Open an elevated Windows PowerShell prompt on a DNS server using the Domain Admin or Enterprise Admin account.

Type the following command:

PS C:\&gt; Get-DnsServerResourceRecord -ZoneName example.com &lt;enter&gt;

Where example.com is replaced with the zone hosted on the DNS Server.

All of the zone's resource records will be returned, among which should be the NSEC3 RRs, as depicted below.

If NSEC3 RRs are not returned for the zone, this is a finding.

2vf77rkf63hrgismnuvnb8... NSEC3 0 01:00:00 [RsaSha1][False][50][F2738D980008F73C]
7ceje475rse25gppr3vphs... NSEC3 0 01:00:00 [RsaSha1][False][50][F2738D980008F73C]</RawString>
    </Rule>
    <Rule id="V-58593" severity="high" conversionstatus="pass" title="SRG-APP-000516-DNS-000085" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>NOTE: This check is Not Applicable if Windows DNS server is only serving as a caching server and does not host any zones authoritatively.
Log on to the DNS server using the Domain Admin or Enterprise Admin account.

Press “Windows Key + R”, execute “dnsmgmt.msc”.

On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server, and then expand Forward Lookup Zones.

From the expanded list, click to select the zone.

Review the NS records for the zone.

Verify each of the name servers, represented by the NS records, is active.

At a command prompt on any system, type:

nslookup &lt;enter&gt;;

At the nslookup prompt, type:

server=###.###.###.### &lt;enter&gt;;
(where the ###.###.###.### is replaced by the IP of each NS record)

Enter a FQDN for a known host record in the zone.

If the NS server does not respond at all or responds with a non-authoritative answer, this is a finding.
</RawString>
    </Rule>
    <Rule id="V-58595" severity="medium" conversionstatus="pass" title="SRG-APP-000516-DNS-000087" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Windows 2008 DNS Servers that are Active Directory-integrated must be located where required to meet the Active Directory services.

If all of the Windows 2008 DNS Servers are AD-integrated, this check is not applicable.

If any or all of the Windows 2008 DNS Servers are stand-alone and non-AD-integrated, verify with the System Administrator their geographic dispersal.

If all of the authoritative name servers are located on the same network segment, and the master authoritative name server is not "hidden", this is a finding.</RawString>
    </Rule>
    <Rule id="V-58597" severity="medium" conversionstatus="pass" title="SRG-APP-000516-DNS-000088" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Note: Due to the manner in which Active Directory replication increments SOA records for zones when transferring zone information via AD replication, this check is not applicable for AD-integrated zones.

Log on to the DNS server hosting a non-AD-integrated zone using the Domain Admin or Enterprise Admin account.

Press Windows Key + R, execute dnsmgmt.msc.

On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server, and then expand Forward Lookup Zones.

From the expanded list, click to select the zone.

Review the SOA information for the zone and obtain the Serial Number.

Access each secondary name server for the same zone and review the SOA information.

Verify the Serial Number is the same on all authoritative name servers.

If the Serial Number is not the same on one or more authoritative name servers, this is a finding.</RawString>
    </Rule>
    <Rule id="V-58599" severity="high" conversionstatus="pass" title="SRG-APP-000516-DNS-000089" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Note: This check is Not applicable for Windows 2012 DNS Servers that only host Active Directory integrated zones or for Windows 2012 DNS servers on a Classified network.

Log on to the DNS server using the Domain Admin or Enterprise Admin account.

Press Windows Key + R, execute dnsmgmt.msc.

On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server, and then expand Forward Lookup Zones.

From the expanded list, click to select each zone.

Review the RRs for each zone and verify all of the DNSEC record types are included for the zone.

NOTE: The DS (Delegation Signer)record should also exist but the requirement for it is validated under WDNS-SC-000011.

RRSIG (Resource Read Signature)
DNSKEY (Public Key)
NSEC3 (Next Secure 3)

If the zone does not show all of the DNSSEC record types, this is a finding.</RawString>
    </Rule>
    <Rule id="V-58601" severity="medium" conversionstatus="pass" title="SRG-APP-000516-DNS-000090" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Note: This check is Not applicable for Windows 2012 DNS Servers that only host Active Directory integrated zones or for Windows 2012 DNS servers on a Classified network.

Log on to the DNS server using the Domain Admin or Enterprise Admin account.

Press Windows Key + R, execute dnsmgmt.msc.

On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server, and then expand Forward Lookup Zones.

From the expanded list, click to select the zone.

Review the zone's RRs in the right window pane.

Review the DNSKEY encryption in the Data column. example: [DNSKEY][RsaSha1][31021]

Confirm the encryption algorithm specified in the DNSKEY's Data is at RsaSha1, at a minimum.

If the specified encryption algorithm is not RsaSha1 or stronger, this is a finding.</RawString>
    </Rule>
    <Rule id="V-58603" severity="medium" conversionstatus="pass" title="SRG-APP-000516-DNS-000091" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Log on to the DNS server using the Domain Admin or Enterprise Admin account.

Press Windows Key + R, execute dnsmgmt.msc.

On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server, and then expand Forward Lookup Zones.

From the expanded list, click to select the zone.

For each zone, review the records.

If any RRs (Resource Records) on an internal DNS server resolve to IP addresses located outside the internal DNS server's network, this is a finding.

If any RRs (Resource Records) on an external DNS server resolve to IP addresses located inside the network, this is a finding.</RawString>
    </Rule>
    <Rule id="V-58605" severity="medium" conversionstatus="pass" title="SRG-APP-000516-DNS-000092" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Consult with the System Administrator to review the external Windows 2008 DNS Server's HBSS firewall policy.

The inbound TCP and UDP ports 53 rule should be configured to only restrict IP addresses from the internal network.

If the HBSS firewall policy is not configured with the restriction, consult with the network firewall administrator to confirm the restriction on the network firewall.

If neither the DNS server's HBSS firewall policy nor the network firewall is configured to block internal hosts from querying the external DNS server, this is a finding.</RawString>
    </Rule>
    <Rule id="V-58607" severity="medium" conversionstatus="pass" title="SRG-APP-000516-DNS-000093" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Consult with the System Administrator to review the internal Windows 2008 DNS Server's HBSS firewall policy.

The inbound TCP and UDP ports 53 rule should be configured to only allow hosts from the internal network to query the internal DNS server.

If the HBSS firewall policy is not configured with the restriction, consult with the network firewall administrator to confirm the restriction on the network firewall.

If neither the DNS server's HBSS firewall policy nor the network firewall is configured to block external hosts from querying the internal DNS server, this is a finding.</RawString>
    </Rule>
    <Rule id="V-58609" severity="medium" conversionstatus="pass" title="SRG-APP-000516-DNS-000095" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify whether the authoritative primary name server is AD-integrated.

Verify whether all secondary name servers for every zone for which the primary name server is authoritative are all AD-integrated in the same Active Directory.

If the authoritative primary name server is AD-integrated and all secondary name servers also part of the same AD, this check is not a finding since AD handles the replication of DNS data.

If one or more of the secondary name servers are non-AD integrated, verify the primary name server is configured to only send zone transfers to a specific list of secondary name servers.

Log on to the DNS server using the Domain Admin or Enterprise Admin account.

Press Windows Key + R, execute dnsmgmt.msc.

On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server, and then expand Forward Lookup Zones.

From the expanded list, click to select the zone.

Right-click the zone and select “Properties”.

Select the “Zone Transfers” tab.

If the "Allow zone transfers:" check box is not selected, this is not a finding.

If the "Allow zone transfers:" check box is selected, verify either "Only to servers listed on the Name Server tab" or "Only to the following servers" is selected.

If the "To any server" option is selected, this is a finding.</RawString>
    </Rule>
    <Rule id="V-58611" severity="medium" conversionstatus="pass" title="SRG-APP-000516-DNS-000099" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>For an Active Directory-integrated DNS implementation, this is Not Applicable by virtue of being compliant with the Windows 2008/2012 AD STIG, since DNS data within an AD-integrated zone is kept within the Active Directory.

For a file-based Windows DNS implementation, log on to the DNS server using the Domain Admin or Enterprise Admin account.

Press Windows Key + R, execute dnsmgmt.msc.

On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server, and then expand Forward Lookup Zones.

From the expanded list, click to select each zone.

Right-click each zone and select “Properties”.

Select the “Security” tab.

Review the permissions applied to the zone. No group or user should have greater than READ privileges other than the DNS Admins and the System service account under which the DNS Server Service is running.

If any other account/group has greater than READ privileges, this is a finding.
</RawString>
    </Rule>
    <Rule id="V-58613" severity="medium" conversionstatus="pass" title="SRG-APP-000516-DNS-000101" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Log on to the DNS server using the Domain Admin or Enterprise Admin account.

Press Windows Key + R, execute dnsmgmt.msc.

On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server, and then expand Forward Lookup Zones.

From the expanded list, review each zone.

Consult with the DNS Admin to determine if any of the zones also have hostnames needing to be resolved from the external network.

If the zone is split between internal and external networks, verify separate DNS servers have been implemented for each network.

If internal and external DNS servers have not been implemented for zones which require resolution from both the internal and external networks, this is a finding.</RawString>
    </Rule>
    <Rule id="V-58617" severity="medium" conversionstatus="pass" title="SRG-APP-000516-DNS-000103" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Consult with the network IAVM scanner to confirm all Microsoft Operating System IAVMs applicable to Windows 2008/2008 R2 have been applied to the DNS server.

If the Windows Operating System has not been patched to handle all IAVMs, this is a finding.</RawString>
    </Rule>
    <Rule id="V-58623" severity="medium" conversionstatus="pass" title="SRG-APP-000516-DNS-000500" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Log on to the DNS server using the Domain Admin or Enterprise Admin account.

Press Windows Key + R, execute dnsmgmt.msc.

On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server, and then expand Forward Lookup Zones.

From the expanded list, click to select the zone.

Expand the Forward Lookup Zones folder.

Expand each zone folder and examine the host record entries. The third column titled “Data” will display the IP.

Verify this column does not contain any IP addresses that begin with the prefixes "FE8", "FE9", "FEA", or "FEB".

If any non-routable IPv6 link-local scope addresses are in any zone, this is a finding.</RawString>
    </Rule>
    <Rule id="V-58625" severity="medium" conversionstatus="pass" title="SRG-APP-000516-DNS-000500" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Log on to the DNS server using the Domain Admin or Enterprise Admin account.

Press Windows Key + R, execute dnsmgmt.msc.

On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server, and then expand Forward Lookup Zones.

From the expanded list, select each zone and examine the host record entries. The third column titled “Data” will display the IP.

Verify if any contain both IPv4 and IPv6 addresses.

If any hostnames contain both IPv4 and IPv6 addresses, confirm with the SA that the actual hosts are IPv6-aware.

If any zone contains hosts with both IPv4 and IPv6 addresses but are determined to be non-IPv6-aware, this is a finding.</RawString>
    </Rule>
    <Rule id="V-58627" severity="medium" conversionstatus="pass" title="SRG-APP-000516-DNS-000500" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Log on to the DNS server using the Domain Admin or Enterprise Admin account.

Locate the “Network Internet Access” icon, right-click on it and select "Open Network &amp; Sharing Center".

Click on "Change adapter settings".

Right-click on the Ethernet and click “Properties”.

If the display shows Microsoft TCP/IP version 6 with a check, but the DNS server is not hosting any AAAA records, this is a finding.</RawString>
    </Rule>
    <Rule id="V-58629" severity="medium" conversionstatus="pass" title="SRG-APP-000142-DNS-000014" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>By default, the Windows 2012 DNS Server listens on TCP 53 and opens UDP ports 53. Also by default, Windows 2012 DNS Server sends from random, high-numbered source ports 49152 and above.

To confirm the listening ports, log onto Windows 2012 DNS Server as an Administrator.
Open a command window with the “Run-as Administrator” option.

In the command window, type the following command:
netstat -a -b |more &lt;enter&gt;

The result is a list of all services running on the server, with the respective “LISTENING TCP” and “OPEN UDP” ports being used.

Find Windows 2012 DNS Server service and verify the State is "LISTENING" on TCP port 53 and that UDP 53 is listed (indicating it is OPEN).

If the server shows UDP 53 in results list and shows TCP port 53 as “LISTENING”, this is not a finding.
</RawString>
    </Rule>
    <Rule id="V-58631" severity="medium" conversionstatus="pass" title="SRG-APP-000390-DNS-000048" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Authentication of dynamic updates is accomplished in Windows Server 2012 DNS by configuring the zones to only accept secure dynamic updates.

Log on to the DNS server using the Domain Admin or Enterprise Admin account.

Press Windows Key + R, execute dnsmgmt.msc.

On the opened DNS Manager snap-in from the left pane, expand the server name and then expand Forward Lookup Zones.

From the expanded list, click to select the zone.

Once selected, right-click the name of the zone, and from the displayed context menu, go to Properties.

On the opened domain's properties box, click the General tab.

Verify the Type: is Active Directory-Integrated.

Verify the Dynamic updates has "Secure only" selected.

If the zone is Active Directory-Integrated and the Dynamic updates are not configured for "Secure only", this is a finding.</RawString>
    </Rule>
    <Rule id="V-58633" severity="medium" conversionstatus="pass" title="SRG-APP-000158-DNS-000015" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Note: This requirement applies to any Windows 2008 DNS Server which host non-AD-integrated zones even if the DNS servers host AD-integrated zones, too.

If the Windows 2008 DNS Servers only host AD-integrated zones, this requirement is not applicable.

Log on to the DNS server which hosts non-AD-integrated zones using the Domain Admin or Enterprise Admin account.

Press Windows Key + R, execute gpme.msc to open the Group Policy Management feature.

In the “Browse for Group Policy Object” dialog box, double-click “Domain Controllers.domain.com”.

Click “Default Domain Controllers Policy” and click “OK”.

In the console tree, open Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security - LDAP.

Click “Connection Security Rules”.

Confirm at least one rule is configured for TCP 53.

Double-click on each Rule to verify the following:

On the “Authentication” tab, "Authentication mode:" is set to "Request authentication for inbound and outbound connections".

Confirm the "Signing Algorithm" is set to "RSA (default)".

On the “Remote Computers” tab, Endpoint1 and Endpoint2 are configured with the IP addresses of all DNS servers.

On the “Protocols and Ports” tab, "Protocol type:" is set to either TCP (depending upon which rule is being reviewed) and the "Endpoint 1 port:" is set to "Specific ports" and "53".

If there are not rules(s) configured with the specified requirements, this is a finding.</RawString>
    </Rule>
    <Rule id="V-58635" severity="medium" conversionstatus="pass" title="SRG-APP-000394-DNS-000049" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Authenticity of zone transfers within Windows AD integrated zones is accomplished by AD replication.

For zones which are completely AD-integrated, this check is not a finding.

For authenticity of zone transfers between non-AD-integrated zones, DNSSEC must be implemented.

Validate this check from the Windows 2012 DNS server being configured/reviewed.
Log on to the Windows 2012 DNS server using the account designated as Administrator or DNS Administrator.
Determine a valid host in the zone.
Open the Windows PowerShell prompt on the Windows 2012 DNS server being configured/reviewed.

Issue the following command:
(Replace www.zonename.mil with a FQDN of a valid host in the zone being validated. Replace ###.###.###.### with the FQDN or IP address of the Windows 2012 DNS Server hosting the signed zone.)

resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok &lt;enter&gt;

NOTE: It is important to use the -server switch followed by the DNS Server name/IP address.

The result should show the "A" record results.

In addition, the results should show QueryType: RRSIG with an expiration, date signed, signer and signature, similar to the following:

Name: www.zonename.mil
QueryType: RRSIG
TTL: 189
Section: Answer
TypeCovered: CNAME
Algorithm: 8
LabelCount: 3
OriginalTtl: 300
Expiration: 11/21/2014 10:22:28 PM
Signed: 10/22/2014 10:22:28 PM
Signer: zonename.mil
Signature: {87, 232, 34, 134...}

Name: origin-www.zonename.mil
QueryType: A
TTL: 201
Section: Answer
IP4Address: ###.###.###.###

If the results do not show the RRSIG and signature information, indicating the zone has been signed with DNSSEC, this is a finding.
</RawString>
    </Rule>
    <Rule id="V-58637" severity="medium" conversionstatus="pass" title="SRG-APP-000001-DNS-000001" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>If the DNS server only hosts AD-integrated zones and there are not any non-AD-integrated DNS servers acting as secondary DNS servers for the zones, this check is not applicable.

For a non-AD-integrated DNS server:

Log on to the DNS server using an Administrator account.

Press Windows Key + R, execute dnsmgmt.msc.

On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server, and then expand Forward Lookup Zones.

From the expanded list, click to select, and then right-click the zone name.

From the displayed context menu, click the “Properties” option.

On the opened zone's properties box, go to the “Zone Transfers” tab.

On the displayed interface, verify if the "Allow zone transfers" check box is selected.

If the "Allow zone transfers" check box is not selected, this is not a finding.

If the "Allow zone transfers" check box is selected, verify that either the "Only to servers listed on the Name Servers tab" radio button is selected or the "Only to the following servers" radio button is selected.

If the "To any server" radio button is selected, this is a finding.</RawString>
    </Rule>
    <Rule id="V-58639" severity="medium" conversionstatus="pass" title="SRG-APP-000347-DNS-000041" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Note: This check is Not applicable for Windows 2012 DNS Servers that only host Active Directory integrated zones or for Windows 2012 DNS servers on a Classified network.

Validate this check from the Windows 2012 DNS server being configured/reviewed.
Log on to the Windows 2012 DNS server using the account designated as Administrator or DNS Administrator.
Determine a valid host in the zone.
Open the Windows PowerShell prompt on the Windows 2012 DNS server being configured/reviewed.

Issue the following command:
(Replace www.zonename.mil with a FQDN of a valid host in the zone being validated. Replace ###.###.###.### with the FQDN or IP address of the Windows 2012 DNS Server hosting the signed zone.)

resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok &lt;enter&gt;

NOTE: It is important to use the -server switch followed by the DNS Server name/IP address.

The result should show the "A" record results.

In addition, the results should show QueryType: RRSIG with an expiration, date signed, signer and signature, similar to the following:

Name: www.zonename.mil
QueryType: RRSIG
TTL: 189
Section: Answer
TypeCovered: CNAME
Algorithm: 8
LabelCount: 3
OriginalTtl: 300
Expiration: 11/21/2014 10:22:28 PM
Signed: 10/22/2014 10:22:28 PM
Signer: zonename.mil
Signature: {87, 232, 34, 134...}

Name: origin-www.zonename.mil
QueryType: A
TTL: 201
Section: Answer
IP4Address: ###.###.###.###

If the results do not show the RRSIG and signature information, this is a finding.
</RawString>
    </Rule>
    <Rule id="V-58643" severity="medium" conversionstatus="pass" title="SRG-APP-000176-DNS-000018" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Access Services on the Windows DNS Server and locate the DNS Server Service.

Determine the account under which the DNS Server Service is running.

Access Windows Explorer.

Navigate to the following location:

%ALLUSERSPROFILE%\Microsoft\Crypto

Right-click on each sub-folder, choose “Properties”, click on the “Security” tab, and click on the “Advanced” button.

Verify the Owner on the folder, sub-folders, and files are the account under which the DNS Server Service is running.

If any other user or group is listed as OWNER of the %ALLUSERSPROFILE%\Microsoft\Crypto folder, sub-folders, and files, this is a finding.
</RawString>
    </Rule>
    <Rule id="V-58647" severity="medium" conversionstatus="pass" title="SRG-APP-000176-DNS-000094" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Note: This check is Not applicable for Windows 2012 DNS Servers that only host Active Directory integrated zones or for Windows 2012 DNS servers on a Classified network.

For Active Directory-integrated zones, private zone signing keys replicate automatically to all primary DNS servers through Active Directory replication. Each authoritative server signs its own copy of the zone when it receives the key. For optimal performance, and to prevent increasing the size of the Active Directory database file, the signed copy of the zone remains in memory for Active Directory-integrated zones. A DNSSEC-signed zone is only committed to disk for file-backed zones. Secondary DNS servers pull a full copy of the zone, including signatures, from the primary DNS server.

If all DNS servers are AD integrated, this check is not applicable.

If a DNS server is not AD integrated and has file-backed zones, does not accept dynamic updates and has a copy of the private key corresponding to the ZSK, this is a finding.</RawString>
    </Rule>
    <Rule id="V-58651" severity="medium" conversionstatus="pass" title="SRG-APP-000516-DNS-000077" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Note: This check is Not applicable for Windows 2012 DNS Servers that only host Active Directory integrated zones or for Windows 2012 DNS servers on a Classified network.

In Windows 2012, the NSEC3 salt values are automatically changed when the zone is resigned.

To validate:
Log on to the DNS server using the Domain Admin or Enterprise Admin account.

Press Windows Key + R, execute dnsmgmt.msc.

On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS Server, and then expand Forward Lookup Zones.

From the expanded list, click to select the zone.

Review the zone's RRs in the right window pane.

Determine the RRSIG NSEC3PARAM's Inception (in the Data column). Compare the Inception to the RRSIG DNSKEY Inception. The date and time should be the same.

If the NSEC3PARAM's Inception date and time is different than the DNSKEY Inception Date and Time, this is a finding.</RawString>
    </Rule>
    <Rule id="V-58653" severity="medium" conversionstatus="pass" title="SRG-APP-000213-DNS-000024" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Note: This check is Not applicable for Windows 2012 DNS Servers that only host Active Directory integrated zones or for Windows 2012 DNS servers on a Classified network.

Authenticity of query responses is provided with DNSSEC signing of zones.

Validate this check from the Windows 2012 DNS server being configured/reviewed.
Log on to the Windows 2012 DNS server using the account designated as Administrator or DNS Administrator.
Determine a valid host in the zone.
Open the Windows PowerShell prompt on the Windows 2012 DNS server being configured/reviewed.

Issue the following command:
(Replace www.zonename.mil with a FQDN of a valid host in the zone being validated. Replace ###.###.###.### with the FQDN or IP address of the Windows 2012 DNS Server hosting the signed zone.)

resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok &lt;enter&gt;

NOTE: It is important to use the -server switch followed by Windows 2012 DNS Server name/IP address.

The result should show the "A" record results.

In addition, the results should show QueryType: RRSIG with an expiration, date signed, signer and signature, similar to the following:

Name: www.zonename.mil
QueryType: RRSIG
TTL: 189
Section: Answer
TypeCovered: CNAME
Algorithm: 8
LabelCount: 3
OriginalTtl: 300
Expiration: 11/21/2014 10:22:28 PM
Signed: 10/22/2014 10:22:28 PM
Signer: zonename.mil
Signature: {87, 232, 34, 134...}

Name: origin-www.zonename.mil
QueryType: A
TTL: 201
Section: Answer
IP4Address: ###.###.###.###

If the results do not show the RRSIG and signature information, this is a finding.
</RawString>
    </Rule>
    <Rule id="V-58655" severity="medium" conversionstatus="pass" title="SRG-APP-000420-DNS-000053" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Log on to the DNS server using the Domain Admin or Enterprise Admin account.

Locate the “Network Internet Access” icon, right-click on it and select "Open Network &amp; Sharing Center".

Click on "Change adapter settings".

Right-click on the Ethernet and click “Properties”.

Select Internet Protocol Version 4 (TCP/IPv4) and click “Properties”.

Verify the “Use the following IP address” is selected, with an IP address, subnet mask, and default gateway assigned.

If the “Use the following IP address” is not selected with a configured IP address, subnet mask, and default gateway, this is a finding.</RawString>
    </Rule>
    <Rule id="V-58657" severity="medium" conversionstatus="pass" title="SRG-APP-000420-DNS-000053" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Note: This check is Not applicable for Windows 2012 DNS Servers that only host Active Directory integrated zones or for Windows 2012 DNS servers on a Classified network.

By default, when DNS servers are configured with DNSSEC signed zones, they will automatically respond to query requests, providing validating data in the response, whenever the query requests that validation. Since this takes place inherently when the zone is signed with DNSSEC, the requirement is satisfied by ensuring zones are signed.

Validate this check from the Windows 2012 DNS server being configured/reviewed.
Log on to the Windows 2012 DNS server using the account designated as Administrator or DNS Administrator.
Determine a valid host in the zone.
Open the Windows PowerShell prompt on the Windows 2012 DNS server being configured/reviewed.

Issue the following command:
(Replace www.zonename.mil with a FQDN of a valid host in the zone being validated. Replace ###.###.###.### with the FQDN or IP address of the Windows 2012 DNS Server hosting the signed zone.)

resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok &lt;enter&gt;

NOTE: It is important to use the -server switch followed by the DNS Server name/IP address.

The result should show the "A" record results.

In addition, the results should show QueryType: RRSIG with an expiration, date signed, signer and signature, similar to the following:

Name: www.zonename.mil
QueryType: RRSIG
TTL: 189
Section: Answer
TypeCovered: CNAME
Algorithm: 8
LabelCount: 3
OriginalTtl: 300
Expiration: 11/21/2014 10:22:28 PM
Signed: 10/22/2014 10:22:28 PM
Signer: zonename.mil
Signature: {87, 232, 34, 134...}

Name: origin-www.zonename.mil
QueryType: A
TTL: 201
Section: Answer
IP4Address: ###.###.###.###

If the results do not show the RRSIG and signature information, this is a finding.
</RawString>
    </Rule>
    <Rule id="V-58659" severity="medium" conversionstatus="pass" title="SRG-APP-000421-DNS-000054" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Note: This check is Not applicable for Windows 2012 DNS Servers that only host Active Directory integrated zones or for Windows 2012 DNS servers on a Classified network.

Validate this check from the Windows 2012 DNS server being configured/reviewed.
Log on to the Windows 2012 DNS server using the account designated as Administrator or DNS Administrator.
Determine a valid host in the zone.
Open the Windows PowerShell prompt on the Windows 2012 DNS server being configured/reviewed.

Issue the following command:
(Replace www.zonename.mil with a FQDN of a valid host in the zone being validated. Replace ###.###.###.### with the FQDN or IP address of the Windows 2012 DNS Server hosting the signed zone.)

resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok &lt;enter&gt;

NOTE: It is important to use the -server switch followed by the DNS Server name/IP address.

The result should show the "A" record results.

In addition, the results should show QueryType: RRSIG with an expiration, date signed, signer and signature, similar to the following:

Name: www.zonename.mil
QueryType: RRSIG
TTL: 189
Section: Answer
TypeCovered: CNAME
Algorithm: 8
LabelCount: 3
OriginalTtl: 300
Expiration: 11/21/2014 10:22:28 PM
Signed: 10/22/2014 10:22:28 PM
Signer: zonename.mil
Signature: {87, 232, 34, 134...}

Name: origin-www.zonename.mil
QueryType: A
TTL: 201
Section: Answer
IP4Address: ###.###.###.###

If the results do not show the RRSIG and signature information, this is a finding.
</RawString>
    </Rule>
    <Rule id="V-58661" severity="medium" conversionstatus="pass" title="SRG-APP-000422-DNS-000055" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Log on to the DNS server using the Domain Admin or Enterprise Admin account.

Press Windows Key + R, execute dnsmgmt.msc.

On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server, and then expand Forward Lookup Zones.

From the expanded list, right-click each zone, and then click “Properties”.

In the “Properties” dialog box for the zone, click the “WINS” tab.

Verify the "Use WINS forward lookup" check box is not selected.

If the "Use WINS forward lookup" check box is selected, this is a finding.</RawString>
    </Rule>
    <Rule id="V-58663" severity="medium" conversionstatus="pass" title="SRG-APP-000422-DNS-000055" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Note: This check is Not applicable for Windows 2012 DNS Servers that only host Active Directory integrated zones or for Windows 2012 DNS servers on a Classified network.

Validate this check from the Windows 2012 DNS server being configured/reviewed.
Log on to the Windows 2012 DNS server using the account designated as Administrator or DNS Administrator.
Determine a valid host in the zone.
Open the Windows PowerShell prompt on the Windows 2012 DNS server being configured/reviewed.

Issue the following command:
(Replace www.zonename.mil with a FQDN of a valid host in the zone being validated. Replace ###.###.###.### with the FQDN or IP address of the Windows 2012 DNS Server hosting the signed zone.)

resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok &lt;enter&gt;

NOTE: It is important to use the -server switch followed by the DNS Server name/IP address.

The result should show the "A" record results.

In addition, the results should show QueryType: RRSIG with an expiration, date signed, signer and signature, similar to the following:

Name: www.zonename.mil
QueryType: RRSIG
TTL: 189
Section: Answer
TypeCovered: CNAME
Algorithm: 8
LabelCount: 3
OriginalTtl: 300
Expiration: 11/21/2014 10:22:28 PM
Signed: 10/22/2014 10:22:28 PM
Signer: zonename.mil
Signature: {87, 232, 34, 134...}

Name: origin-www.zonename.mil
QueryType: A
TTL: 201
Section: Answer
IP4Address: ###.###.###.###

If the results do not show the RRSIG and signature information, this is a finding.
</RawString>
    </Rule>
    <Rule id="V-58665" severity="medium" conversionstatus="pass" title="SRG-APP-000214-DNS-000025" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Note: This check is Not applicable for Windows 2012 DNS Servers that only host Active Directory integrated zones or for Windows 2012 DNS servers on a Classified network.

Validate this check from the Windows 2012 DNS server being configured/reviewed.
Log on to the Windows 2012 DNS server using the account designated as Administrator or DNS Administrator.
Determine a valid host in the zone.
Open the Windows PowerShell prompt on the Windows 2012 DNS server being configured/reviewed.

Issue the following command:
(Replace www.zonename.mil with a FQDN of a valid host in the zone being validated. Replace ###.###.###.### with the FQDN or IP address of the Windows 2012 DNS Server hosting the signed zone.)

resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok &lt;enter&gt;

NOTE: It is important to use the -server switch followed by the DNS Server name/IP address.

The result should show the "A" record results.

In addition, the results should show QueryType: RRSIG with an expiration, date signed, signer and signature, similar to the following:

Name: www.zonename.mil
QueryType: RRSIG
TTL: 189
Section: Answer
TypeCovered: CNAME
Algorithm: 8
LabelCount: 3
OriginalTtl: 300
Expiration: 11/21/2014 10:22:28 PM
Signed: 10/22/2014 10:22:28 PM
Signer: zonename.mil
Signature: {87, 232, 34, 134...}

Name: origin-www.zonename.mil
QueryType: A
TTL: 201
Section: Answer
IP4Address: ###.###.###.###

If the results do not show the RRSIG and signature information, this is a finding.
</RawString>
    </Rule>
    <Rule id="V-58667" severity="medium" conversionstatus="pass" title="SRG-APP-000215-DNS-000003" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Note: This check is Not applicable for Windows 2012 DNS Servers that only host Active Directory integrated zones or for Windows 2012 DNS servers on a Classified network.

Log on to the DNS server using the Domain Admin or Enterprise Admin account.

Press Windows Key + R, execute dnsmgmt.msc.

On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server, and then expand Forward Lookup Zones.

From the expanded list, click to select the zone.

Review the records for the zone and ensure the complete RRSet of records are present: RRSIG, NSEC3, DNSKEY, indicating DNSSEC compliance.

If the RRSet of records are not in the zone, this is a finding.</RawString>
    </Rule>
    <Rule id="V-58669" severity="medium" conversionstatus="pass" title="SRG-APP-000215-DNS-000003" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Note: This check is Not applicable for Windows 2012 DNS Servers that only host Active Directory integrated zones or for Windows 2012 DNS servers on a Classified network.

The Name Resolution Policy Table (NRPT) is configured in, and deployed to clients from, Group Policy and will be pushed to all clients in the domain. The Active Directory zones will be signed and the clients, with NRPT, will require a validation of signed data when querying.

Log on to the DNS server using the Domain Admin or Enterprise Admin account.

At the Windows PowerShell prompt, type the following command:

get-dnsclientnrptpolicy &lt;enter&gt;

In the results, verify the "DnsSecValidationRequired" is True.

If there are no results to the get-dnsclientnrptpolicy cmdlet or the "DnsSecValidationRequired" is not True, this is a finding.</RawString>
    </Rule>
    <Rule id="V-58671" severity="medium" conversionstatus="pass" title="SRG-APP-000215-DNS-000026" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Note: This check is Not applicable for Windows 2012 DNS Servers that only host Active Directory integrated zones or for Windows 2012 DNS servers on a Classified network.

Validate this check from the Windows 2012 DNS server being configured/reviewed.
Log on to the Windows 2012 DNS server using the account designated as Administrator or DNS Administrator.
Determine a valid host in the zone.
Open the Windows PowerShell prompt on the Windows 2012 DNS server being configured/reviewed.

Issue the following command:

PS C:\&gt; Get-DnsServerResourceRecord -ZoneName adatum.com -RRType DS

Replace adatum.com with the parent zone on the DNS server being evaluated.

HostName RecordType Timestamp TimeToLive RecordData
-------- ---------- --------- ---------- ----------
corp DS 0 01:00:00 [58555][Sha1][RsaSha1NSec3]
corp DS 0 01:00:00 [58555][Sha256][RsaSha1NSec3]
corp DS 0 01:00:00 [63513][Sha1][RsaSha1NSec3]
corp DS 0 01:00:00 [63513][Sha256][RsaSha1NSec3]

If the results do not show the DS records for child domain(s), this is a finding.

In the previous example, DS records for the child zone, corp.adatum.com, were imported into the parent zone, adatum.com, by using the DSSET file that is located in the c:\windows\system32\dns directory. The DSSET file was located in this directory because the local DNS server is the Key Master for the child zone.

If the Key Master DNS server for a child zone is not the same computer as the primary authoritative DNS server for the parent zone where the DS record is being added, the DSSET file must be obtained for the child zone and made available to the primary authoritative server for the parent zone. Alternatively, the DS records can be added manually.
</RawString>
    </Rule>
    <Rule id="V-58673" severity="medium" conversionstatus="pass" title="SRG-APP-000215-DNS-000026" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Note: This check is Not applicable for Windows 2012 DNS Servers that only host Active Directory integrated zones or for Windows 2012 DNS servers on a Classified network.

Log onto each of the validating Windows 2012 DNS Servers.

In the DNS Manager console tree, navigate to each hosted zone under the Trust Points folder.

Two DNSKEY trust points should be displayed, one for the active key and one for the standby key.

If each validating Windows 2012 DNS Servers does not reflect the DNSKEY trust points for each of the hosted zone(s), this is a finding.
</RawString>
    </Rule>
    <Rule id="V-58675" severity="medium" conversionstatus="pass" title="SRG-APP-000215-DNS-000026" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Note: This check is Not applicable for Windows 2012 DNS Servers that only host Active Directory integrated zones or for Windows 2012 DNS servers on a Classified network.

Log on to the DNS server using the Domain Admin or Enterprise Admin account.

If not automatically started, initialize the Server Manager window by clicking its icon from the bottom left corner of the screen.

Once the Server Manager window is initialized, from the left pane, click to select the DNS category.

From the right pane, under the SERVERS section, right-click the DNS server.

From the context menu that appears, click DNS Manager.

On the opened DNS Manager snap-in from the left pane, expand the server name and then expand Forward Lookup Zones.

From the expanded list, click to select and then right-click the zone name.

From the displayed context menu, click DNSSEC&gt;&gt;Properties.

Click the KSK tab.

For each KSK that is listed under Key signing keys (KSKs), click the KSK, click Edit, and in the Key Rollover section verify the "Enable automatic rollover" check box is selected.

If the "Enable automatic rollover" check box is not selected for every KSK listed, this is a finding.</RawString>
    </Rule>
    <Rule id="V-58677" severity="medium" conversionstatus="pass" title="SRG-APP-000423-DNS-000056" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Note: This check is Not applicable for Windows 2012 DNS Servers that only host Active Directory integrated zones or for Windows 2012 DNS servers on a Classified network.

Validate this check from either a Windows 8 client or a Windows 2008 or higher server, authenticated as a Domain Administrator.

Determine a valid host in the zone.

Open the Windows PowerShell prompt on the Windows 8/Windows 2008 or higher client.

Issue the following command:
(Replace www.zonename.mil with a FQDN of a valid host in the zone being validated. Replace ###.###.###.### with the FQDN or IP address of the Windows 2012 DNS Server hosting the signed zone.)

resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok &lt;enter&gt;

NOTE: It is important to use the -server switch followed by the DNS Server name/IP address.

The result should show the "A" record results.

In addition, the results should show QueryType: RRSIG with an expiration, date signed, signer and signature, similar to the following:

Name: www.zonename.mil
QueryType: RRSIG
TTL: 189
Section: Answer
TypeCovered: CNAME
Algorithm: 8
LabelCount: 3
OriginalTtl: 300
Expiration: 11/21/2014 10:22:28 PM
Signed: 10/22/2014 10:22:28 PM
Signer: zonename.mil
Signature: {87, 232, 34, 134...}

Name: origin-www.zonename.mil
QueryType: A
TTL: 201
Section: Answer
IP4Address: ###.###.###.###

If the results do not show the RRSIG and signature information, this is a finding.</RawString>
    </Rule>
    <Rule id="V-58679" severity="medium" conversionstatus="pass" title="SRG-APP-000424-DNS-000057" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Note: This check is Not applicable for Windows 2012 DNS Servers that only host Active Directory integrated zones or for Windows 2012 DNS servers on a Classified network.

Validate this check from the Windows 2012 DNS server being configured/reviewed.
Log on to the Windows 2012 DNS server using the account designated as Administrator or DNS Administrator.
Determine a valid host in the zone.
Open the Windows PowerShell prompt on the Windows 2012 DNS server being configured/reviewed.

Issue the following command:
(Replace www.zonename.mil with a FQDN of a valid host in the zone being validated. Replace ###.###.###.### with the FQDN or IP address of the Windows 2012 DNS Server hosting the signed zone.)

resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok &lt;enter&gt;

NOTE: It is important to use the -server switch followed by the DNS Server name/IP address.

The result should show the "A" record results.

In addition, the results should show QueryType: RRSIG with an expiration, date signed, signer and signature, similar to the following:

Name: www.zonename.mil
QueryType: RRSIG
TTL: 189
Section: Answer
TypeCovered: CNAME
Algorithm: 8
LabelCount: 3
OriginalTtl: 300
Expiration: 11/21/2014 10:22:28 PM
Signed: 10/22/2014 10:22:28 PM
Signer: zonename.mil
Signature: {87, 232, 34, 134...}

Name: origin-www.zonename.mil
QueryType: A
TTL: 201
Section: Answer
IP4Address: ###.###.###.###

If the results do not show the RRSIG and signature information, this is a finding.
</RawString>
    </Rule>
    <Rule id="V-58681" severity="medium" conversionstatus="pass" title="SRG-APP-000425-DNS-000058" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Note: This check is Not applicable for Windows 2012 DNS Servers that only host Active Directory integrated zones or for Windows 2012 DNS servers on a Classified network.

Validate this check from the Windows 2012 DNS server being configured/reviewed.
Log on to the Windows 2012 DNS server using the account designated as Administrator or DNS Administrator.
Determine a valid host in the zone.
Open the Windows PowerShell prompt on the Windows 2012 DNS server being configured/reviewed.

Issue the following command:
(Replace www.zonename.mil with a FQDN of a valid host in the zone being validated. Replace ###.###.###.### with the FQDN or IP address of the Windows 2012 DNS Server hosting the signed zone.)

resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok &lt;enter&gt;

NOTE: It is important to use the -server switch followed by the DNS Server name/IP address.

The result should show the "A" record results.

In addition, the results should show QueryType: RRSIG with an expiration, date signed, signer and signature, similar to the following:

Name: www.zonename.mil
QueryType: RRSIG
TTL: 189
Section: Answer
TypeCovered: CNAME
Algorithm: 8
LabelCount: 3
OriginalTtl: 300
Expiration: 11/21/2014 10:22:28 PM
Signed: 10/22/2014 10:22:28 PM
Signer: zonename.mil
Signature: {87, 232, 34, 134...}

Name: origin-www.zonename.mil
QueryType: A
TTL: 201
Section: Answer
IP4Address: ###.###.###.###

If the results do not show the RRSIG and signature information, this is a finding.
</RawString>
    </Rule>
    <Rule id="V-58683" severity="medium" conversionstatus="pass" title="SRG-APP-000426-DNS-000059" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Note: This check is Not applicable for Windows 2012 DNS Servers that only host Active Directory integrated zones or for Windows 2012 DNS servers on a Classified network.

Validate this check from the Windows 2012 DNS server being configured/reviewed.
Log on to the Windows 2012 DNS server using the account designated as Administrator or DNS Administrator.
Determine a valid host in the zone.
Open the Windows PowerShell prompt on the Windows 2012 DNS server being configured/reviewed.

Issue the following command:
(Replace www.zonename.mil with a FQDN of a valid host in the zone being validated. Replace ###.###.###.### with the FQDN or IP address of the Windows 2012 DNS Server hosting the signed zone.)

resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok &lt;enter&gt;

NOTE: It is important to use the -server switch followed by the DNS Server name/IP address.

The result should show the "A" record results.

In addition, the results should show QueryType: RRSIG with an expiration, date signed, signer and signature, similar to the following:

Name: www.zonename.mil
QueryType: RRSIG
TTL: 189
Section: Answer
TypeCovered: CNAME
Algorithm: 8
LabelCount: 3
OriginalTtl: 300
Expiration: 11/21/2014 10:22:28 PM
Signed: 10/22/2014 10:22:28 PM
Signer: zonename.mil
Signature: {87, 232, 34, 134...}

Name: origin-www.zonename.mil
QueryType: A
TTL: 201
Section: Answer
IP4Address: ###.###.###.###

If the results do not show the RRSIG and signature information, this is a finding.
</RawString>
    </Rule>
    <Rule id="V-58685" severity="medium" conversionstatus="pass" title="SRG-APP-000219-DNS-000028" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>NOTE: This requirement applies to any Windows 2012 DNS Servers which host non-AD-integrated zones (file based) even if the DNS servers host AD-integrated zones, too.

If the Windows 2012 DNS Servers only host AD-integrated zones, this requirement is not applicable.

To protect authenticity of zone transfers between Windows 2012 DNS Servers with file based zones, IPsec must be configured on each pair of name servers in a zone transfer transaction for those zones.

Log on to the DNS server which hosts non-AD-integrated, file based zones, using the Administrator, Domain Admin or Enterprise Admin account.

Press Windows Key + R, execute gpme.msc to open the Group Policy Management feature.

In the Browse for Group Policy Object dialog box, double-click Domain Controllers.domain.com.

Click Default Domain Controllers Policy and click OK.

In the console tree, open Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security - LDAP.

Click Connection Security Rules.

Consult with the SA to determine which Rules meet the intent of the server-to-server authentication.

If Rules exist, double-click on each Rule to verify the following:

For the "Authentication:" tab, click on the "Customize..." button.

On the Authentication tab, verify "Authentication mode:" is set to "Request authentication for inbound and outbound connections".

Confirm the "Signing Algorithm" is set to "RSA (default)".

Under "Method", ensure the "Advanced:" radio button is selected.

Click on the "Customize" button.

For "First authentication methods:", double-click on the entry.

Verify the "Select the credential to use for first authentication:" has "Computer certificate from this certification authority (CA):" radio button selected.

Review the certificate specified and verify the certificate used was generated by the internally-managed server performing the Active Directory Certificate Services (AD CS) role.

If rules do not exist for server-to-server authentication, this is a finding.

If rules exist for this server to authenticate to other name servers hosting the same file based zones when transacting zone transfers, but the rules are not configured with the above settings, this is a finding.</RawString>
    </Rule>
    <Rule id="V-58687" severity="high" conversionstatus="pass" title="SRG-APP-000219-DNS-000029" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Note: This check is Not applicable for Windows 2012 DNS Servers that only host Active Directory integrated zones or for Windows 2012 DNS servers on a Classified network.

Once resource records are received by a DNS server via a secure dynamic update, the resource records will automatically become signed by DNSSEC as long as the zone was originally signed by DNSSEC. Authenticity of query responses for resource records dynamically updated can be validated by querying for whether the zone/record is signed by DNSSEC.

Validate this check from the Windows 2012 DNS server being configured/reviewed.
Log on to the Windows 2012 DNS server using the account designated as Administrator or DNS Administrator.
Determine a valid host in the zone.
Open the Windows PowerShell prompt on the Windows 2012 DNS server being configured/reviewed.

Issue the following command:
(Replace www.zonename.mil with a FQDN of a valid host in the zone being validated. Replace 131.77.60.235 with the FQDN or IP address of the Windows 2012 DNS Server hosting the signed zone.)

resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok &lt;enter&gt;

NOTE: It is important to use the -server switch followed by the DNS Server name/IP address.

The result should show the "A" record results.

In addition, the results should show QueryType: RRSIG with an Expirations, date signed, signer and signature, similar to the following:

Name : www.zonename.mil
QueryType : RRSIG
TTL : 189
Section : Answer
TypeCovered : CNAME
Algorithm : 8
LabelCount : 3
OriginalTtl : 300
Expiration : 11/21/2014 10:22:28 PM
Signed : 10/22/2014 10:22:28 PM
Signer : zonename.mil
Signature : {87, 232, 34, 134...}

Name : origin-www.zonename.mil
QueryType : A
TTL : 201
Section : Answer
IP4Address : 156.112.108.76

If the results do not show the RRSIG and signature information, this is a finding.
</RawString>
    </Rule>
    <Rule id="V-58689" severity="medium" conversionstatus="pass" title="SRG-APP-000219-DNS-000030" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Note: This check is Not applicable for Windows 2012 DNS Servers that only host Active Directory integrated zones or for Windows 2012 DNS servers on a Classified network.

Authenticity of query responses is provided with DNSSEC signing of zones.

Validate this check from the Windows 2012 DNS server being configured/reviewed.
Log on to the Windows 2012 DNS server using the account designated as Administrator or DNS Administrator.
Determine a valid host in the zone.
Open the Windows PowerShell prompt on the Windows 2012 DNS server being configured/reviewed.

Issue the following command:
(Replace www.zonename.mil with a FQDN of a valid host in the zone being validated. Replace ###.###.###.### with the FQDN or IP address of the Windows 2012 DNS Server hosting the signed zone.)

resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok &lt;enter&gt;

NOTE: It is important to use the -server switch followed by the DNS Server name/IP address.

The result should show the "A" record results.

In addition, the results should show QueryType: RRSIG with an expiration, date signed, signer and signature, similar to the following:

Name: www.zonename.mil
QueryType: RRSIG
TTL: 189
Section: Answer
TypeCovered: CNAME
Algorithm: 8
LabelCount: 3
OriginalTtl: 300
Expiration: 11/21/2014 10:22:28 PM
Signed: 10/22/2014 10:22:28 PM
Signer: zonename.mil
Signature: {87, 232, 34, 134...}

Name: origin-www.zonename.mil
QueryType: A
TTL: 201
Section: Answer
IP4Address: ###.###.###.###

If the results do not show the RRSIG and signature information, this is a finding.

Fix Text: Sign, or re-sign, the hosted zone(s) on the DNS server being validated.

In the DNS Manager console tree on the DNS server being validated, navigate to Forward Lookup Zones.

Right-click the zone (repeat for each hosted zone), point to DNSSEC, and then click Sign the Zone, either using saved parameters or custom parameters.
</RawString>
    </Rule>
    <Rule id="V-58691" severity="medium" conversionstatus="pass" title="SRG-APP-000427-DNS-000060" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>NOTE: This requirement applies to any Windows 2012 DNS Servers which host non-AD-integrated zones even if the DNS servers host AD-integrated zones, too.

If the Windows 2012 DNS Servers only host AD-integrated zones, this requirement is not applicable.

Log on to the DNS server which hosts non-AD-integrated zones using the Domain Admin or Enterprise Admin account.

Press Windows Key + R, execute gpme.msc to open the Group Policy Management feature.

In the Browse for Group Policy Object dialog box, double-click Domain Controllers.domain.com.

Click Default Domain Controllers Policy and click OK.

In the console tree, open Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security - LDAP.

Click Connection Security Rules.

Consult with the SA to determine which Rules meet the intent of DNSSEC server-to-server authentication.

Double-click on each Rule to verify the following:
For the "Authentication:" tab, click on the "Customize..." button.

On the Authentication tab, verify "Authentication mode:" is set to "Request authentication for inbound and outbound connections".

Confirm the "Signing Algorithm" is set to "RSA (default)".

Under "Method", ensure the "Advanced:" radio button is selected. Click on the "Customize" button.

For "First authentication methods:", double-click on the entry.

Verify the "Select the credential to use for first authentication:" has "Computer certificate from this certification authority (CA):" radio button selected.

Review the certificate specified and verify the certificate used was generated by the internally-managed server performing the Active Directory Certificate Services (AD CS) role.

If the certificate used does not meet the requirements, this is a finding.</RawString>
    </Rule>
    <Rule id="V-58693" severity="medium" conversionstatus="pass" title="SRG-APP-000231-DNS-000033" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>To ensure the cryptographic keys are protected after being backed up to another medium (tape, disk, SAN, etc.), consult with the System Administrator to determine the backup policy in place for the DNS Server.

Determine how and where backed up data is being stored.

Verify the protection of the backup medium is secured to the same level, or higher, as the server itself.

If a backup policy does not exist or the backup policy does not specify the protection required for backup medium to be at or above the same level as the server, this is a finding.
</RawString>
    </Rule>
    <Rule id="V-58699" severity="medium" conversionstatus="pass" title="SRG-APP-000247-DNS-000036" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Log on to the DNS server using the Domain Admin or Enterprise Admin account.

Press Windows Key + R, execute dnsmgmt.msc.

On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server, and then expand Forward Lookup Zones.

From the expanded list, click to select the zone.

In the list of hosts, review the Name Server (NS) records. Determine if any of the hosts listed as NS records are non-AD-integrated servers.

If the DNS server only hosts AD-integrated zones and there are not any non-AD-integrated DNS servers acting as secondary DNS servers for the zones, this check is not applicable.

For a non-AD-integrated DNS server, right click on the Forward Lookup zone and select “Properties”.
On the opened zone's properties box, go to the “Zone Transfers” tab.

On the displayed interface, verify if the "Allow zone transfers" check box is selected.

If the "Allow zone transfers" check box is selected, click on the “Notify” button and verify “Automatically notify with Servers” is listed on the “Name Servers” tab is selected.

If the “Notify” button is not enabled for non-AD-integrated DNS servers, this is a finding.</RawString>
    </Rule>
    <Rule id="V-58701" severity="medium" conversionstatus="pass" title="SRG-APP-000439-DNS-000063" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Note: This check is Not applicable for Windows 2012 DNS Servers that only host Active Directory integrated zones or for Windows 2012 DNS servers on a Classified network.

Validate this check from the Windows 2012 DNS server being configured/reviewed.
Log on to the Windows 2012 DNS server using the account designated as Administrator or DNS Administrator.
Determine a valid host in the zone.
Open the Windows PowerShell prompt on the Windows 2012 DNS server being configured/reviewed.

Issue the following command:
(Replace www.zonename.mil with a FQDN of a valid host in the zone being validated. Replace ###.###.###.### with the FQDN or IP address of the Windows 2012 DNS Server hosting the signed zone.)

resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok &lt;enter&gt;

NOTE: It is important to use the -server switch followed by the DNS Server name/IP address.

The result should show the "A" record results.

In addition, the results should show QueryType: RRSIG with an expiration, date signed, signer and signature, similar to the following:

Name: www.zonename.mil
QueryType: RRSIG
TTL: 189
Section: Answer
TypeCovered: CNAME
Algorithm: 8
LabelCount: 3
OriginalTtl: 300
Expiration: 11/21/2014 10:22:28 PM
Signed 10/22/2014 10:22:28 PM
Signer: zonename.mil
Signature: {87, 232, 34, 134...}

Name: origin-www.zonename.mil
QueryType: A
TTL: 201
Section: Answer
IP4Address: ###.###.###.###

If the results do not show the RRSIG and signature information, this is a finding.
</RawString>
    </Rule>
    <Rule id="V-58703" severity="medium" conversionstatus="pass" title="SRG-APP-000441-DNS-000066" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Note: This check is Not applicable for Windows 2012 DNS Servers that only host Active Directory integrated zones or for Windows 2012 DNS servers on a Classified network.

Validate this check from the Windows 2012 DNS server being configured/reviewed.
Log on to the Windows 2012 DNS server using the account designated as Administrator or DNS Administrator.
Determine a valid host in the zone.
Open the Windows PowerShell prompt on the Windows 2012 DNS server being configured/reviewed.

Issue the following command:
(Replace www.zonename.mil with a FQDN of a valid host in the zone being validated. Replace ###.###.###.### with the FQDN or IP address of the Windows 2012 DNS Server hosting the signed zone.)

resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok &lt;enter&gt;

NOTE: It is important to use the -server switch followed by the DNS Server name/IP address.

The result should show the "A" record results.

In addition, the results should show QueryType: RRSIG with an expiration, date signed, signer and signature, similar to the following:

Name: www.zonename.mil
QueryType: RRSIG
TTL: 189
Section: Answer
TypeCovered: CNAME
Algorithm: 8
LabelCount: 3
OriginalTtl: 300
Expiration: 11/21/2014 10:22:28 PM
Signed: 10/22/2014 10:22:28 PM
Signer: zonename.mil
Signature: {87, 232, 34, 134...}

Name: origin-www.zonename.mil
QueryType: A
TTL: 201
Section: Answer
IP4Address: ###.###.###.###

If the results do not show the RRSIG and signature information, this is a finding.
</RawString>
    </Rule>
    <Rule id="V-58705" severity="medium" conversionstatus="pass" title="SRG-APP-000442-DNS-000067" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Note: This check is Not applicable for Windows 2012 DNS Servers that only host Active Directory integrated zones or for Windows 2012 DNS servers on a Classified network.

Validate this check from the Windows 2012 DNS server being configured/reviewed.
Log on to the Windows 2012 DNS server using the account designated as Administrator or DNS Administrator.
Determine a valid host in the zone.
Open the Windows PowerShell prompt on the Windows 2012 DNS server being configured/reviewed.

Issue the following command:
(Replace www.zonename.mil with a FQDN of a valid host in the zone being validated. Replace ###.###.###.### with the FQDN or IP address of the Windows 2012 DNS Server hosting the signed zone.)

resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok &lt;enter&gt;

NOTE: It is important to use the -server switch followed by the DNS Server name/IP address.

The result should show the "A" record results.

In addition, the results should show QueryType: RRSIG with an expiration, date signed, signer and signature, similar to the following:

Name: www.zonename.mil
QueryType: RRSIG
TTL: 189
Section: Answer
TypeCovered: CNAME
Algorithm: 8
LabelCount: 3
OriginalTtl: 300
Expiration: 11/21/2014 10:22:28 PM
Signed: 10/22/2014 10:22:28 PM
Signer: zonename.mil
Signature: {87, 232, 34, 134...}

Name: origin-www.zonename.mil
QueryType: A
TTL: 201
Section: Answer
IP4Address: ###.###.###.###

If the results do not show the RRSIG and signature information, this is a finding.
</RawString>
    </Rule>
    <Rule id="V-58707" severity="medium" conversionstatus="pass" title="SRG-APP-000251-DNS-000037" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Consult with the System Administrator to determine the IP ranges for the environment.

Log on to the DNS server using the Domain Admin or Enterprise Admin account.

If not automatically started, initialize the “Server Manager” window by clicking its icon from the bottom left corner of the screen.

Once the “Server Manager” window is initialized, from the left pane, click to select the DNS category.

From the right pane, under the “SERVERS” section, right-click the DNS server.

From the context menu that appears, click DNS Manager.

On the opened DNS Manager snap-in from the left pane, expand the server name and then expand Forward Lookup Zones.

From the expanded list, click to select and then right-click the zone name.

Review the zone information and compare to the IP ranges for the environment.

If any zone information is for a different IP range or domain, this is a finding.</RawString>
    </Rule>
    <Rule id="V-58713" severity="medium" conversionstatus="pass" title="SRG-APP-000473-DNS-000072" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>This functionality should be performed by the Host Based Security System (HBSS), mandatory on all DoD systems.

Check to ensure McAfee HBSS is installed and fully operational on the Windows 2008 DNS Server.

If all required HBSS products are not installed and/or the installed products are not enabled, this is a finding.</RawString>
    </Rule>
    <Rule id="V-58737" severity="medium" conversionstatus="pass" title="SRG-APP-000333-DNS-000104" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>The "EnableVersionQuery" property controls what version information the DNS server will respond with when a DNS query with class set to “CHAOS” and type set to “TXT” is received.

Log on to the DNS server using the Domain Admin or Enterprise Admin account.

Open a command window and execute the command:

nslookup &lt;enter&gt;
Note: Confirm the Default Server is the DNS Server on which the command is being run.

At the nslookup prompt, type:

set type=TXT &lt;enter&gt;
set class=CHAOS &lt;enter&gt;
version.bind &lt;enter&gt;

If the response returns something similar to text = "Microsoft DNS 6.1.7601 (1DB14556)", this is a finding.</RawString>
    </Rule>
    <Rule id="V-58739" severity="medium" conversionstatus="pass" title="SRG-APP-000333-DNS-000107" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Log on to the DNS server using the Domain Admin or Enterprise Admin account.

Press Windows Key + R, execute dnsmgmt.msc.

On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server, and then expand Forward Lookup Zones.

From the expanded list, click to select the zone.

Review the zone's Resource Records (RR) and verify HINFO, RP, and LOC RRs are not used. If TXT RRs are used, they must not reveal any information about the organization which could be used for malicious purposes.

If there are any HINFO, RP, LOC, or revealing TXT RRs in any zone hosted by the DNS Server, this is a finding.</RawString>
    </Rule>
  </ManualRule>
  <PermissionRule dscresourcemodule="AccessControlDsc">
    <Rule id="V-58553.a" severity="medium" conversionstatus="pass" title="SRG-APP-000090-DNS-000005" dscresource="NTFSAccessEntry">
      <AccessControlEntry>
        <Entry>
          <Type>
          </Type>
          <Principal>Eventlog</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>
          </Inheritance>
          <Rights>FullControl</Rights>
        </Entry>
        <Entry>
          <Type>
          </Type>
          <Principal>SYSTEM</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>
          </Inheritance>
          <Rights>FullControl</Rights>
        </Entry>
        <Entry>
          <Type>
          </Type>
          <Principal>Administrators</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>
          </Inheritance>
          <Rights>FullControl</Rights>
        </Entry>
      </AccessControlEntry>
      <Force>True</Force>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <Path>%windir%\SYSTEM32\WINEVT\LOGS\DNS Server.evtx</Path>
      <RawString>Verify the effective setting in Local Group Policy Editor.

Run "gpedit.msc".

Navigate to Local Computer Policy &gt;&gt; Computer Configuration &gt;&gt; Windows Settings &gt;&gt; Security Settings &gt;&gt; Local Policies &gt;&gt; User Rights Assignment.

If any accounts or groups other than the following are granted the "Manage auditing and security log" user right, this is a finding:

Administrators Auditors (if the site has an Auditors group that further limits this privilege.)

If an application requires this user right, this would not be a finding.
Vendor documentation must support the requirement for having the user right.
The requirement must be documented with the ISSO.
The application account must meet requirements for application account passwords.

Verify the permissions on the DNS logs.

Standard user accounts or groups must not have greater than READ access.

The default locations are:

DNS Server %SystemRoot%\System32\Winevt\Logs\DNS Server.evtx

Using the file explorer tool navigate to the DNS Server log file.

Right click on the log file, select the “Security” tab.

The default permissions listed below satisfy this requirement:

Eventlog - Full Control
SYSTEM - Full Control
Administrators - Full Control

If the permissions for these files are not as restrictive as the ACLs listed, this is a finding.
</RawString>
    </Rule>
    <Rule id="V-58641" severity="medium" conversionstatus="pass" title="SRG-APP-000176-DNS-000017" dscresource="NTFSAccessEntry">
      <AccessControlEntry>
        <Entry>
          <Type>
          </Type>
          <Principal>SYSTEM</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>This folder subfolders and files</Inheritance>
          <Rights>FullControl</Rights>
        </Entry>
        <Entry>
          <Type>
          </Type>
          <Principal>Administrators</Principal>
          <ForcePrincipal>False</ForcePrincipal>
          <Inheritance>This folder subfolders and files</Inheritance>
          <Rights>FullControl</Rights>
        </Entry>
      </AccessControlEntry>
      <Force>True</Force>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <Path>%ALLUSERSPROFILE%\Microsoft\Crypto\Keys</Path>
      <RawString>Access Windows Explorer.

Navigate to the following location:

%ALLUSERSPROFILE%\Microsoft\Crypto

Verify the permissions on the keys folder, sub-folders, and files are limited to SYSTEM and Administrators FULL CONTROL.

If any other user or group has greater than READ privileges to the %ALLUSERSPROFILE%\Microsoft\Crypto folder, sub-folders and files, this is a finding.</RawString>
    </Rule>
  </PermissionRule>
  <UserRightRule dscresourcemodule="SecurityPolicyDsc">
    <Rule id="V-58553.b" severity="medium" conversionstatus="pass" title="SRG-APP-000090-DNS-000005" dscresource="UserRightsAssignment">
      <Constant>SeSecurityPrivilege</Constant>
      <DisplayName>Manage auditing and security log</DisplayName>
      <Force>True</Force>
      <Identity>Administrators</Identity>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the effective setting in Local Group Policy Editor.

Run "gpedit.msc".

Navigate to Local Computer Policy &gt;&gt; Computer Configuration &gt;&gt; Windows Settings &gt;&gt; Security Settings &gt;&gt; Local Policies &gt;&gt; User Rights Assignment.

If any accounts or groups other than the following are granted the "Manage auditing and security log" user right, this is a finding:

Administrators Auditors (if the site has an Auditors group that further limits this privilege.)

If an application requires this user right, this would not be a finding.
Vendor documentation must support the requirement for having the user right.
The requirement must be documented with the ISSO.
The application account must meet requirements for application account passwords.

Verify the permissions on the DNS logs.

Standard user accounts or groups must not have greater than READ access.

The default locations are:

DNS Server %SystemRoot%\System32\Winevt\Logs\DNS Server.evtx

Using the file explorer tool navigate to the DNS Server log file.

Right click on the log file, select the “Security” tab.

The default permissions listed below satisfy this requirement:

Eventlog - Full Control
SYSTEM - Full Control
Administrators - Full Control

If the permissions for these files are not as restrictive as the ACLs listed, this is a finding.
</RawString>
    </Rule>
    <Rule id="V-58697.a" severity="medium" conversionstatus="pass" title="SRG-APP-000246-DNS-000035" dscresource="UserRightsAssignment">
      <Constant>SeRemoteInteractiveLogonRight</Constant>
      <DisplayName>Allow log on through Remote Desktop Services</DisplayName>
      <Force>True</Force>
      <Identity>Administrators</Identity>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>If any accounts or groups other than the following are granted the "Allow log on through Remote Desktop Services" user right, this is a finding:
Administrators
</RawString>
    </Rule>
    <Rule id="V-58697.b" severity="medium" conversionstatus="pass" title="SRG-APP-000246-DNS-000035" dscresource="UserRightsAssignment">
      <Constant>SeDenyNetworkLogonRight</Constant>
      <DisplayName>Deny access to this computer from the network</DisplayName>
      <Force>False</Force>
      <Identity>Guests</Identity>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>If the following accounts or groups are not defined for the "Deny access to this computer from the network" user right, this is a finding:
Guests Group
</RawString>
    </Rule>
    <Rule id="V-58697.c" severity="medium" conversionstatus="pass" title="SRG-APP-000246-DNS-000035" dscresource="UserRightsAssignment">
      <Constant>SeDenyInteractiveLogonRight</Constant>
      <DisplayName>Deny log on locally</DisplayName>
      <Force>False</Force>
      <Identity>Guests</Identity>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>If the following accounts or groups are not defined for the "Deny log on locally" user right, this is a finding:
Guests Group
</RawString>
    </Rule>
  </UserRightRule>
  <WinEventLogRule dscresourcemodule="xWinEventLog">
    <Rule id="V-58555" severity="medium" conversionstatus="pass" title="SRG-APP-000504-DNS-000082" dscresource="xWinEventLog">
      <IsEnabled>True</IsEnabled>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LogName>Microsoft-Windows-DnsServer/Analytical</LogName>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Log on to the DNS server using the Domain Admin or Enterprise Admin account.
Open an elevated Windows PowerShell prompt on a DNS server using the Domain Admin or Enterprise Admin account.

Use the “Get-DnsServerDiagnostics” cmdlet to view the status of individual diagnostic events.

Verify following diagnostic events are set to "True":
UseSystemEventLog

Press “Windows Key + R”, execute “dnsmgmt.msc”.

Right-click on the DNS server, select “Properties”.

Click the “Event Logging” tab. By default, all events are logged.

Verify "Errors and warnings" or "All events" is selected.

If any option other than "Errors and warnings" or "All events" is selected, this is a finding.

For Windows 2012 R2 DNS Server, the Enhanced DNS logging and diagnostics in Windows Server 2012 R2 must also be enabled.

Run “eventvwr.msc” at an elevated command prompt.

In the Event viewer, navigate to the applications and Services Logs\Microsoft\Windows\DNS Server.

Right-click on the DNS Server, point to View, and then click "Show Analytic and Debug Logs".

Right-click on Analytical and then click “Properties”.

Confirm the "Enable logging" check box is selected.

If the checkbox to enable analytic and debug logs is not enabled on a Windows 2012 R2 DNS server, this is a finding.
</RawString>
    </Rule>
  </WinEventLogRule>
</DISASTIG>