################################################################################
DOCUMENT         : MS_Windows_Server_2022_DNS_STIG
VERSION          : 003.003.002
CHECKSUM         : 7d5146fe3cf3d61dd68c06424104188366183d6c9b05cff81c9f4c39268500c5
MANUAL QUESTIONS : 41

IMPORTANT: Make sure to save the completed version of this file to: 
<SCC Install>/Resources/Content/Manual_Questions/Completed_Files

This file contains all of the non-automated STIG requirements found in the STIG.
Results from this file will be combined with automated checks in SCC to provide
complete STIG compliance results.

This file will be programmatically imported, so do not modify anything in this file
except for placing an '[X]' to select a Single answer, and entering text comments.

The list of questions is printed in order of severity, listing CAT I (High), then CAT II, etc.

################################################################################

QUESTION         : 1 of 41
TITLE            : CAT I, V-259343, SV-259343r961470, SRG-APP-000383-DNS-000047
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.server:testaction:1901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.server:question:1901
RULE             : The Windows DNS Server with a caching name server role must restrict recursive query responses to only the IP addresses and IP address ranges of known supported clients.
QUESTION_TEXT    : Note: Sinkhole name servers host records that are manually added and for which the name server is not authoritative. It is configured and intended to block resolvers from reaching a destination by directing the query to a sinkhole. If the sinkhole name server is not authoritative for any zones and serves only as a caching/forwarding name server, this check is not applicable.

The non-Active Directory (AD)-integrated, standalone, caching Windows DNS Server must be configured to be DNSSEC aware. When performing caching and lookups, the caching name server must be able to obtain the zone's DNSKEY records (including the zone signing key, ZSK) and the RRSIG record covering the queried resource record set. It verifies the RRSIG signature over that record set with the zone's public ZSK, and the ZSK itself must chain to a configured trust anchor (a DS or DNSKEY record) before the answer is treated as validated. An RRSIG is a digital signature, not an encrypted hash, so nothing is decrypted; if the signature does not verify, the response must not be served as valid.

If the non-AD-integrated, standalone, caching Windows DNS Server is not configured to be DNSSEC aware, this is a finding.
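Added example (not part of the STIG or SCC content): a PowerShell check that inventories the caching server's trust anchors and confirms it returns RRSIG records to a query with the DO bit set, which is the observable behaviour of a DNSSEC-aware resolver. It assumes the DnsServer module is present on the caching server; 'signed.example.test' is a hypothetical name that must be replaced with a name in a zone that is actually signed, otherwise no RRSIG can be returned.

```powershell
# Added example, not STIG text. Assumes the DnsServer module on the caching server.
# 'signed.example.test' is a placeholder for a name in an upstream-signed zone.
function Get-CachingDnssecPosture {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [string]$ProbeName    = 'signed.example.test'
    )
    # Trust points / trust anchors (DS or DNSKEY) are what let the server validate a chain of trust.
    $trustPoints = @(Get-DnsServerTrustPoint -ComputerName $ComputerName -ErrorAction SilentlyContinue)
    $anchors = @()
    foreach ($tp in $trustPoints) {
        $anchors += @(Get-DnsServerTrustAnchor -Name $tp.TrustPointName -ComputerName $ComputerName -ErrorAction SilentlyContinue)
    }
    # A DNSSEC-aware resolver answers a DO-bit (-DnssecOk) query with the RRSIG covering the RRset.
    # -DnsOnly bypasses the local client cache so the answer really comes from $ComputerName.
    $answer = Resolve-DnsName -Name $ProbeName -Type A -Server $ComputerName -DnssecOk -DnsOnly -ErrorAction SilentlyContinue
    $rrsig  = @($answer | Where-Object { $_.Type -eq 'RRSIG' })
    [pscustomobject]@{
        Server        = $ComputerName
        TrustPoints   = $trustPoints.Count
        TrustAnchors  = $anchors.Count
        ProbeName     = $ProbeName
        RrsigReturned = ($rrsig.Count -gt 0)
        # Without a trust anchor the server can pass signatures through but never validate them.
        Finding       = ($anchors.Count -eq 0) -or ($rrsig.Count -eq 0)
    }
}
Get-CachingDnssecPosture | Format-List
```

A caching server that has trust anchors but still returns no RRSIG for a known-signed name is usually forwarding to an upstream that strips DNSSEC data; check the forwarder before recording the finding.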

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 1 *******************************

QUESTION         : 2 of 41
TITLE            : CAT I, V-259347, SV-259347r961863, SRG-APP-000516-DNS-000085
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.server:testaction:2701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.server:question:2701
RULE             : The Windows DNS Server's zone files must have NS records that point to active name servers authoritative for the domain specified in that record.
QUESTION_TEXT    : Note: This check is not applicable if Windows DNS Server is only serving as a caching server and does not host any zones authoritatively.

Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account.

Press the Windows key + R and execute "dnsmgmt.msc".

On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones".

From the expanded list, click to select the zone.

Review the NS records for the zone.

Verify each of the name servers, represented by the NS records, is active.

At a command prompt on any system, type:

nslookup <enter>;

At the nslookup prompt, type: 

server ###.###.###.### <enter>;
(where the ###.###.###.### is replaced by the IP of each NS record) 

Enter a FQDN for a known host record in the zone.

If the NS server does not respond at all or responds with a nonauthoritative answer, this is a finding.
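Added example (not part of the STIG or SCC content): a PowerShell function that automates the manual nslookup loop above for one zone. It reads the zone's apex NS records, resolves each name server to its addresses, then runs the same nslookup probe the check describes against each address and classifies the result. It assumes the DnsServer module on the server being reviewed; 'example.test' and 'www' are hypothetical placeholders.

```powershell
# Added example, not STIG text. Assumes the DnsServer module; zone and host names are placeholders.
function Test-ZoneNameServers {
    param(
        [Parameter(Mandatory)][string]$ZoneName,
        [Parameter(Mandatory)][string]$KnownHost   # short name of a host record known to exist in the zone
    )
    $fqdn = "$KnownHost.$ZoneName"
    # Apex NS records (HostName '@') are the servers the zone claims are authoritative.
    $nsRecords = Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType NS |
                 Where-Object { $_.HostName -eq '@' }
    foreach ($ns in $nsRecords) {
        $nsName = $ns.RecordData.NameServer.TrimEnd('.')
        $addrs  = @(Resolve-DnsName -Name $nsName -Type A -DnsOnly -ErrorAction SilentlyContinue |
                    Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress)
        if ($addrs.Count -eq 0) {
            [pscustomobject]@{ NameServer = $nsName; Address = $null; Status = 'NS name does not resolve'; Finding = $true }
            continue
        }
        foreach ($ip in $addrs) {
            # Same probe as the manual check. Windows nslookup prints "Non-authoritative answer:"
            # when the AA bit is clear, and a timeout message when the server does not respond.
            $out = & nslookup.exe $fqdn $ip 2>&1 | Out-String
            $status = 'authoritative'
            if     ($out -match 'timed.out|No response')  { $status = 'no response' }
            elseif ($out -match "can't find")              { $status = 'name not found or refused' }
            elseif ($out -match 'Non-authoritative')       { $status = 'non-authoritative' }
            [pscustomobject]@{ NameServer = $nsName; Address = $ip; Status = $status; Finding = ($status -ne 'authoritative') }
        }
    }
}
Test-ZoneNameServers -ZoneName 'example.test' -KnownHost 'www' | Format-Table -AutoSize
```

Run it from a host that can reach every listed name server directly; a firewall between the reviewer and one NS produces "no response" that is a network problem rather than a stale NS record, so confirm such results from a second vantage point before recording the finding.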

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 2 *******************************

QUESTION         : 3 of 41
TITLE            : CAT II, V-259336, SV-259336r987679, SRG-APP-000350-DNS-000044
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.server:testaction:501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.server:question:501
RULE             : The Windows DNS Server must notify the DNS administrator in the event of an error validating another DNS server's identity.
QUESTION_TEXT    : Windows DNS Servers hosting Active Directory (AD)-integrated zones transfer zone information via AD replication. Windows DNS Servers hosting non-AD-integrated zones as a secondary name server and/or not hosting AD-integrated zones use zone transfer to sync zone data.

If the Windows DNS Server hosts only AD-integrated zones and all other name servers for the zones hosted are Active Directory Domain Controllers, this requirement is not applicable.

If the Windows DNS Server is not an Active Directory Domain Controller or is a secondary name server for a zone with a non-AD-integrated name server as the master, this requirement is applicable.

Administrator notification is only possible if a third-party event monitoring system is configured or, at a minimum, there are documented procedures requiring the administrator to review the DNS logs on a routine, daily basis.

If a third-party event monitoring system is not configured or a documented procedure is not in place requiring the administrator to review the DNS logs on a routine, daily basis, this is a finding.

References:
CCI-000366
CCI-001906
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 3 *******************************

QUESTION         : 4 of 41
TITLE            : CAT II, V-259340, SV-259340r961863, SRG-APP-000218-DNS-000027
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.server:testaction:1301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.server:question:1301
RULE             : The Windows DNS name servers for a zone must be geographically dispersed.
QUESTION_TEXT    : Windows DNS Servers that are Active Directory (AD) integrated must be located where required to meet the AD services. 

If all the Windows DNS Servers are AD integrated, this check is not applicable.

If any or all the Windows DNS Servers are standalone and non-AD integrated, verify their geographic location with the system administrator.

If any or all of the authoritative name servers are located in the same building as the primary authoritative name server and the primary authoritative name server is not "hidden", this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 4 *******************************

QUESTION         : 5 of 41
TITLE            : CAT II, V-259342, SV-259342r961470, SRG-APP-000383-DNS-000047
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.server:testaction:1701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.server:question:1701
RULE             : Forwarders on an authoritative Windows DNS Server, if enabled for external resolution, must forward only to an internal, non-Active Directory (AD)-integrated DNS server or to the DOD Enterprise Recursive Services (ERS).
QUESTION_TEXT    : Note: If the Windows DNS Server is in the classified network, this check is not applicable. If forwarders are not being used, this is not applicable.

Note: In Windows DNS Server, if forwarders are configured, the recursion setting must also be enabled because disabling recursion will disable forwarders.

If forwarders are not used, recursion must be disabled. In both cases, the use of root hints must be disabled.

Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account.

Press the Windows key + R and execute "dnsmgmt.msc".

On the opened DNS Manager snap-in from the left pane, right-click on the server name for the DNS server and select "Properties".

Click the "Forwarders" tab.

Review the IP address(es) for the forwarder(s) use.

If the DNS server does not forward to another DOD-managed DNS server or to the DOD ERS, this is a finding.

If "Use root hints if no forwarders are available" is selected, this is a finding.
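Added example (not part of the STIG or SCC content): the same review done from PowerShell. It reads the forwarder list and the "Use root hints if no forwarders are available" setting (the UseRootHint property), confirms recursion is enabled when forwarders exist (the dependency noted above), and compares each forwarder against an approved list. It assumes the DnsServer module; the two addresses in $ApprovedForwarders are hypothetical placeholders for the site's DOD-managed resolvers or ERS addresses.

```powershell
# Added example, not STIG text. Assumes the DnsServer module; approved addresses are placeholders.
function Test-ForwarderConfig {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [string[]]$ApprovedForwarders = @('10.0.0.53', '10.0.1.53')   # placeholder: site's approved resolvers
    )
    $fwd = Get-DnsServerForwarder -ComputerName $ComputerName
    $rec = Get-DnsServerRecursion -ComputerName $ComputerName
    $targets    = @($fwd.IPAddress | ForEach-Object { $_.IPAddressToString })
    $unapproved = @($targets | Where-Object { $_ -notin $ApprovedForwarders })
    [pscustomobject]@{
        Server            = $ComputerName
        Forwarders        = ($targets -join ', ')
        UnapprovedTargets = ($unapproved -join ', ')
        # Forwarders only work while recursion is enabled (disabling recursion disables forwarding).
        RecursionEnabled  = $rec.Enable
        # UseRootHint is the "Use root hints if no forwarders are available" checkbox.
        UseRootHint       = $fwd.UseRootHint
        Finding           = ($unapproved.Count -gt 0) -or $fwd.UseRootHint -or
                            (($targets.Count -gt 0) -and -not $rec.Enable)
    }
}
Test-ForwarderConfig | Format-List
# Clearing the root-hint fallback alone:  Set-DnsServerForwarder -UseRootHint $false
```

If the server uses conditional forwarders as well, review those separately with Get-DnsServerZone (they appear as zones of type Forwarder) since Get-DnsServerForwarder reports only the server-level forwarder list.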

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 5 *******************************

QUESTION         : 6 of 41
TITLE            : CAT II, V-259348, SV-259348r961863, SRG-APP-000516-DNS-000087
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.server:testaction:2901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.server:question:2901
RULE             : All authoritative name servers for a zone must be located on different network segments.
QUESTION_TEXT    : Windows DNS Servers that are Active Directory (AD) integrated must be located where required to meet the Active Directory services.

If all of the Windows DNS Servers are AD integrated, this check is not applicable.

If any or all the Windows DNS Servers are standalone and non-AD integrated, verify their geographic location with the system administrator.

If all of the authoritative name servers are located on the same network segment and the primary authoritative name server is not "hidden", this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 6 *******************************

QUESTION         : 7 of 41
TITLE            : CAT II, V-259349, SV-259349r961863, SRG-APP-000516-DNS-000088
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.server:testaction:3101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.server:question:3101
RULE             : All authoritative name servers for a zone must have the same version of zone information.
QUESTION_TEXT    : Note: Due to the manner in which Active Directory replication increments SOA records for zones when transferring zone information via Active Directory (AD) replication, this check is not applicable for AD-integrated zones.

Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account.

Press the Windows key + R and execute "dnsmgmt.msc".

On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones".

From the expanded list, click to select the zone.

Review the SOA information for the zone and obtain the Serial Number.

Access each secondary name server for the same zone and review the SOA information.

Verify the Serial Number is the same on all authoritative name servers.

If the Serial Number is not the same on one or more authoritative name servers, this is a finding.
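Added example (not part of the STIG or SCC content): instead of logging on to each secondary, query the SOA record directly from every apex name server of the zone and compare the serial numbers. It assumes the DnsServer module on the primary and that each name server answers the reviewer directly; 'example.test' is a hypothetical zone.

```powershell
# Added example, not STIG text. Assumes the DnsServer module; the zone name is a placeholder.
function Compare-ZoneSerials {
    param([Parameter(Mandatory)][string]$ZoneName)
    $servers = Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType NS |
               Where-Object { $_.HostName -eq '@' } |
               ForEach-Object { $_.RecordData.NameServer.TrimEnd('.') }
    $results = foreach ($srv in $servers) {
        # -Server asks that name server; -DnsOnly skips the local cache so each server's own copy is read.
        $soa = Resolve-DnsName -Name $ZoneName -Type SOA -Server $srv -DnsOnly -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'SOA' }
        [pscustomobject]@{ Server = $srv; Serial = $soa.SerialNumber }
    }
    # Use the first server that answered as the reference value.
    $ref = ($results | Where-Object { $_.Serial } | Select-Object -First 1).Serial
    $results | Select-Object Server, Serial, @{ n = 'Finding'; e = { $_.Serial -ne $ref } }
}
Compare-ZoneSerials -ZoneName 'example.test' | Format-Table -AutoSize
```

A serial mismatch immediately after an update on the primary is expected until the secondaries' refresh interval elapses or a NOTIFY is processed; re-run after that interval before treating a difference as a finding. A server that returns no serial at all failed to answer and should be investigated under the NS-record check above.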

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 7 *******************************

QUESTION         : 8 of 41
TITLE            : CAT II, V-259352, SV-259352r961863, SRG-APP-000516-DNS-000091
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.server:testaction:3701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.server:question:3701
RULE             : For zones split between the external and internal sides of a network, the resource records (RRs) for the external hosts must be separate from the RRs for the internal hosts.
QUESTION_TEXT    : Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account.

Press the Windows key + R and execute "dnsmgmt.msc".

On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones".

From the expanded list, click to select the zone.

For each zone, review the records.

If any RRs on an internal DNS server resolve to IP addresses located outside the internal DNS server's network, this is a finding.

If any RRs on an external DNS server resolve to IP addresses located inside the network, this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 8 *******************************

QUESTION         : 9 of 41
TITLE            : CAT II, V-259353, SV-259353r961863, SRG-APP-000516-DNS-000092
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.server:testaction:3901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.server:question:3901
RULE             : In a split DNS configuration between the external and internal networks, the external name server must be configured to not be reachable from inside resolvers.
QUESTION_TEXT    : Consult with the system administrator to review the external Windows DNS Server's DOD approved firewall policy.

The inbound TCP and UDP port 53 rule should be configured to block source IP addresses from the internal network only; external resolvers must still be able to reach the external name server.

If the DOD-approved firewall policy is not configured with the restriction, consult with the network firewall administrator to confirm the restriction on the network firewall.

If neither the DNS server's DOD approved firewall policy nor the network firewall is configured to block internal hosts from querying the external DNS server, this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 9 *******************************

QUESTION         : 10 of 41
TITLE            : CAT II, V-259354, SV-259354r961863, SRG-APP-000516-DNS-000095
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.server:testaction:4101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.server:question:4101
RULE             : Primary authoritative name servers must be configured to only receive zone transfer requests from specified secondary name servers.
QUESTION_TEXT    : Determine if the authoritative primary name server is Active Directory (AD) integrated.

Determine if all secondary name servers for every zone for which the primary name server is authoritative are AD-integrated in the same Active Directory.

If the authoritative primary name server is AD integrated and all secondary name servers are part of the same AD, this check is not a finding because AD handles the replication of DNS data.

If one or more of the secondary name servers are non-AD integrated, verify the primary name server is configured to only send zone transfers to a specific list of secondary name servers.

Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account.

Press the Windows key + R and execute "dnsmgmt.msc".

On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server, and then expand "Forward Lookup Zones".

From the expanded list, click to select the zone.

Right-click the zone and select "Properties".

Select the "Zone Transfers" tab.

If the "Allow zone transfers:" check box is not selected, this is not a finding.

If the "Allow zone transfers:" check box is selected, verify either "Only to servers listed on the Name Server tab" or "Only to the following servers" is selected.

If the "To any server" option is selected, this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 10 *******************************

QUESTION         : 11 of 41
TITLE            : CAT II, V-259355, SV-259355r961863, SRG-APP-000516-DNS-000099
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.server:testaction:4301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.server:question:4301
RULE             : The Windows DNS Servers zone database files must not be accessible for edit/write by users and/or processes other than the Windows DNS Server service account and/or the DNS database administrator.
QUESTION_TEXT    : For an Active Directory (AD)-integrated DNS implementation, this is not applicable by virtue of being compliant with the Windows 2022 AD STIG because DNS data within an AD-integrated zone is kept within the Active Directory.

For a file-based Windows DNS implementation, log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account.

Press the Windows key + R and execute "dnsmgmt.msc".

On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones".

From the expanded list, click to select each zone.

Right-click each zone and select "Properties".

Select the "Security" tab.

Review the permissions applied to the zone. No group or user should have greater than READ privileges other than the DNS administrators and the system service account under which the DNS Server Service is running.

If any other account/group has greater than READ privileges, this is a finding.
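Added example (not part of the STIG or SCC content): a PowerShell check of the on-disk zone files. One caveat a reviewer should know: DNS Manager shows a "Security" tab only for AD-integrated zones; for a file-backed zone the data is the .dns file under %SystemRoot%\System32\dns, so the permissions that matter are the NTFS ACL on that file. The function reads the ACL of every file-backed primary zone and flags any identity granted write-class rights that is not on the allowed list. It assumes the DnsServer module; the identities in $AllowedWriters are placeholders for the DNS service identity and the DNS administrators group at the site.

```powershell
# Added example, not STIG text. Assumes the DnsServer module; allowed identities are placeholders.
function Test-ZoneFileAcl {
    param(
        [string[]]$AllowedWriters = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'EXAMPLE\DnsAdmins')
    )
    $dnsDir = Join-Path $env:SystemRoot 'System32\dns'
    # Rights that allow changing the file, its ACL, or its owner; anything else is treated as read-class.
    $writeMask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, WriteAttributes, WriteExtendedAttributes, Delete, ChangePermissions, TakeOwnership'
    Get-DnsServerZone |
      Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsDsIntegrated -and $_.ZoneFile } |
      ForEach-Object {
        $zone = $_.ZoneName
        $path = Join-Path $dnsDir $_.ZoneFile
        if (-not (Test-Path $path)) { return }   # zone not yet written to disk
        foreach ($ace in (Get-Acl -Path $path).Access) {
            $grantsWrite = ($ace.AccessControlType -eq 'Allow') -and
                           (($ace.FileSystemRights -band $writeMask) -ne 0)
            if ($grantsWrite -and ($ace.IdentityReference.Value -notin $AllowedWriters)) {
                [pscustomobject]@{
                    Zone     = $zone
                    File     = $path
                    Identity = $ace.IdentityReference.Value
                    Rights   = $ace.FileSystemRights
                    Finding  = $true
                }
            }
        }
      }
}
Test-ZoneFileAcl | Format-Table -AutoSize
```

Inherited ACEs from the System32 directory are included in the output; if the directory itself grants write access to a broad group, fix it at the directory rather than per file.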

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 11 *******************************

QUESTION         : 12 of 41
TITLE            : CAT II, V-259356, SV-259356r961863, SRG-APP-000516-DNS-000101
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.server:testaction:4501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.server:question:4501
RULE             : The Windows DNS Server must implement internal/external role separation.
QUESTION_TEXT    : Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account.

Press the Windows key + R and execute "dnsmgmt.msc".

On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones".

From the expanded list, review each zone.

Consult with the DNS Admin to determine if any of the zones also have hostnames that need to be resolved from the external network.

If the zone is split between internal and external networks, verify separate DNS servers have been implemented for each network.

If internal and external DNS servers have not been implemented for zones that require resolution from both the internal and external networks, this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 12 *******************************

QUESTION         : 13 of 41
TITLE            : CAT II, V-259357, SV-259357r961863, SRG-APP-000516-DNS-000102
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.server:testaction:4701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.server:question:4701
RULE             : The Windows DNS Server authoritative for local zones must only point root hints to the DNS servers that host the internal root domain.
QUESTION_TEXT    : Note: If the Windows DNS Server is in the classified network, this check is not applicable.

Log on to the authoritative DNS server using the Domain Admin or Enterprise Admin account.

Press the Windows key + R and execute "dnsmgmt.msc".

Right-click the DNS server and select "Properties".

Select the "Root Hints" tab.

Verify "Root Hints" is empty or only has entries for the DNS servers that host the internal root domain under "Name servers:". All internet root server entries must be removed.

If any entry on the "Root Hints" tab under "Name servers:" is external to the local network (including any of the internet root servers), this is a finding.
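Added example (not part of the STIG or SCC content): a PowerShell script with a small CIDR matcher that serves two checks. It lists every root-hint address and flags any outside the internal ranges (this check), and it scans the A records of each primary zone on the server for addresses outside those ranges (the split-zone record check above, when run on the internal server). It assumes the DnsServer module; the ranges in $InternalRanges are placeholders for the site's own address space, and the matcher handles IPv4 only, so IPv6 entries are reported for manual review.

```powershell
# Added example, not STIG text. Assumes the DnsServer module; $InternalRanges is a placeholder.
function ConvertTo-IPv4Int([System.Net.IPAddress]$Ip) {
    $b = $Ip.GetAddressBytes(); [Array]::Reverse($b)          # network byte order -> little-endian
    [int64][BitConverter]::ToUInt32($b, 0)
}
function Test-InIPv4Range {
    param([string]$Address, [string[]]$Cidrs)
    if (-not $Address) { return $false }
    $ip = [System.Net.IPAddress]::Parse($Address)
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { return $false }  # IPv4 only
    $a = ConvertTo-IPv4Int $ip
    foreach ($cidr in $Cidrs) {
        $net, $bits = $cidr -split '/'
        $size  = [int64][math]::Pow(2, 32 - [int]$bits)
        $start = ConvertTo-IPv4Int ([System.Net.IPAddress]::Parse($net))
        $start = $start - ($start % $size)                       # align to the network boundary
        if ($a -ge $start -and $a -lt ($start + $size)) { return $true }
    }
    return $false
}

$InternalRanges = @('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')   # placeholder ranges

# (a) Root hints: must be empty or name only the internal root servers.
function Get-RootHintPosture {
    foreach ($h in @(Get-DnsServerRootHint -ErrorAction SilentlyContinue)) {
        $nsName = $h.NameServer.RecordData.NameServer
        foreach ($rec in $h.IPAddress) {
            $ipText = if ($rec.RecordData.IPv4Address) { $rec.RecordData.IPv4Address.IPAddressToString }
                      else { $rec.RecordData.IPv6Address.IPAddressToString }
            [pscustomobject]@{
                Check   = 'RootHint'; Name = $nsName; Address = $ipText
                # IPv6 hints are flagged as well because the matcher only knows IPv4 ranges.
                Finding = -not (Test-InIPv4Range -Address $ipText -Cidrs $InternalRanges)
            }
        }
    }
}

# (b) Internal server: A records that resolve outside the internal address space.
function Get-ExternalAddressRecords {
    Get-DnsServerZone |
      Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated -and -not $_.IsReverseLookupZone } |
      ForEach-Object {
        $zone = $_.ZoneName
        Get-DnsServerResourceRecord -ZoneName $zone -RRType A | ForEach-Object {
            $ipText = $_.RecordData.IPv4Address.IPAddressToString
            if (-not (Test-InIPv4Range -Address $ipText -Cidrs $InternalRanges)) {
                [pscustomobject]@{ Check = 'ExternalRR'; Name = "$($_.HostName).$zone"; Address = $ipText; Finding = $true }
            }
        }
      }
}

Get-RootHintPosture          | Format-Table -AutoSize
Get-ExternalAddressRecords   | Format-Table -AutoSize
```

For the external server the same scan applies with the test inverted: any A record that does match $InternalRanges is the finding.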

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 13 *******************************

QUESTION         : 14 of 41
TITLE            : CAT II, V-259358, SV-259358r961863, SRG-APP-000516-DNS-000113
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.server:testaction:4901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.server:question:4901
RULE             : The Windows DNS Servers zone files must not include resource records that resolve to a fully qualified domain name residing in another zone.
QUESTION_TEXT    : Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account.

Press the Windows key + R and execute "dnsmgmt.msc".

On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones".

From the expanded list, click to select the zone.
 
Confirm with the DNS administrator that the hosts defined in the zone files do not resolve to hosts in another zone with its fully qualified domain name.

The exceptions are glue records supporting zone delegations, CNAME records supporting a system migration, or CNAME records that point to third-party CDNs or cloud computing platforms. In the case of third-party CDNs or cloud offerings, an approved mission need must be demonstrated. Additional exceptions are CNAME records in a multidomain Active Directory environment pointing to hosts in other internal domains in the same multidomain environment.

If resource records are maintained that resolve to a fully qualified domain name in another zone, and the usage is not for resource records resolving to hosts that are glue records supporting zone delegations, CNAME records supporting a system migration, or CNAME records that point to third-party CDNs or cloud computing platforms with a documented and approved mission need, this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 14 *******************************

QUESTION         : 15 of 41
TITLE            : CAT II, V-259359, SV-259359r961863, SRG-APP-000516-DNS-000114
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.server:testaction:5101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.server:question:5101
RULE             : The Windows DNS Server's zone files must not include CNAME records pointing to a zone with lesser security for more than six months.
QUESTION_TEXT    : Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account.

Press the Windows key + R and execute "dnsmgmt.msc".

On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones".

From the expanded list, click to select the zone.

Review the resource records to confirm there are no CNAME records older than six months.

The exceptions are glue records supporting zone delegations, CNAME records supporting a system migration, or CNAME records that point to third-party Content Delivery Networks (CDNs) or cloud computing platforms. In the case of third-party CDNs or cloud offerings, an approved mission need must be demonstrated. (Authorizing Official approval of use of a commercial cloud offering would satisfy this requirement.) Additional exceptions are CNAME records in a multidomain Active Directory environment pointing to hosts in other internal domains in the same multidomain environment.

If there are zone-spanning (i.e., zones of lesser security) CNAME records older than six months and the CNAME records resolve to anything other than fully qualified domain names for glue records supporting zone delegations, CNAME records supporting a system migration, or CNAME records that point to third-party CDNs or cloud computing platforms with an AO-approved and documented mission need, this is a finding.
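Added example (not part of the STIG or SCC content): a PowerShell function that lists every CNAME whose target is outside the zone that holds it, with the record's age where one can be determined. It serves this check and the preceding check on records that resolve into another zone; the listed exceptions (delegation glue, migrations, approved CDN or cloud targets, other domains in the same AD forest) still have to be applied by hand against the documented approvals. It assumes the DnsServer module. Caveat: only dynamically registered records carry a timestamp; a static CNAME shows none, so its age must come from change records rather than from DNS.

```powershell
# Added example, not STIG text. Assumes the DnsServer module.
function Get-ZoneSpanningCnames {
    param([int]$MaxAgeDays = 183)   # "six months" from the check text
    $now = Get-Date
    Get-DnsServerZone |
      Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated -and -not $_.IsReverseLookupZone } |
      ForEach-Object {
        $zone = $_.ZoneName
        Get-DnsServerResourceRecord -ZoneName $zone -RRType CName | ForEach-Object {
            $target = $_.RecordData.HostNameAlias.TrimEnd('.')
            # A target inside the zone (or the zone apex itself) is not zone-spanning.
            $inZone = ($target -like "*.$zone") -or ($target -eq $zone)
            if (-not $inZone) {
                $age = if ($_.Timestamp) { [int]($now - $_.Timestamp).TotalDays } else { $null }
                [pscustomobject]@{
                    Zone          = $zone
                    Alias         = $_.HostName
                    Target        = $target
                    AgeDays       = $age
                    # Static records have no timestamp; they need manual review of when they were added.
                    OverSixMonths = if ($null -ne $age) { $age -gt $MaxAgeDays } else { 'unknown (static record)' }
                }
            }
        }
      }
}
Get-ZoneSpanningCnames | Format-Table -AutoSize
```

Targets in a delegated child zone (for example a host under sub.example.test when the server hosts example.test) also appear in the output because they are outside the parent zone; those are the delegation cases the exception list already allows.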

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 15 *******************************

QUESTION         : 16 of 41
TITLE            : CAT II, V-259361, SV-259361r1018796, SRG-APP-000516-DNS-000500
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.server:testaction:5501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.server:question:5501
RULE             : AAAA addresses must not be configured in a zone for hosts that are not dual stack.
QUESTION_TEXT    : Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account.

Press the Windows key + R and execute "dnsmgmt.msc".

On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones".

From the expanded list, select each zone and examine the host record entries. The third column titled "Data" will display the IP.

Determine if any contain both IPv4 and IPv6 addresses.

If any hostnames contain both IPv4 and IPv6 addresses, confirm with the system administrator that the actual hosts are in a dual stack.

If any zones contain hosts with both IPv4 and IPv6 addresses but are determined to be not in a dual stack, this is a finding.
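Added example (not part of the STIG or SCC content): a PowerShell function that joins the A and AAAA records of each primary zone by host name and lists the hosts that carry both, which is exactly the set the system administrator must confirm as dual stack. It assumes the DnsServer module.

```powershell
# Added example, not STIG text. Assumes the DnsServer module.
function Get-DualAddressHosts {
    Get-DnsServerZone |
      Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated -and -not $_.IsReverseLookupZone } |
      ForEach-Object {
        $zone = $_.ZoneName
        # Group each record type by host name so the two sets can be joined.
        $a    = Get-DnsServerResourceRecord -ZoneName $zone -RRType A    | Group-Object HostName -AsHashTable -AsString
        $aaaa = Get-DnsServerResourceRecord -ZoneName $zone -RRType AAAA | Group-Object HostName -AsHashTable -AsString
        if (-not $a -or -not $aaaa) { return }   # nothing to join in this zone
        foreach ($name in $aaaa.Keys) {
            if ($a.ContainsKey($name)) {
                [pscustomobject]@{
                    Zone = $zone
                    Host = $name
                    IPv4 = (($a[$name]    | ForEach-Object { $_.RecordData.IPv4Address.IPAddressToString }) -join ', ')
                    IPv6 = (($aaaa[$name] | ForEach-Object { $_.RecordData.IPv6Address.IPAddressToString }) -join ', ')
                    # Dual-stack status cannot be read from DNS; confirm each host with the SA.
                    ConfirmDualStack = 'pending'
                }
            }
        }
      }
}
Get-DualAddressHosts | Format-Table -AutoSize
```

Export the result (for example with Export-Csv) and have the system administrator annotate each row; rows the administrator cannot confirm as dual stack are the findings.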

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 16 *******************************

QUESTION         : 17 of 41
TITLE            : CAT II, V-259363, SV-259363r960999, SRG-APP-000158-DNS-000015
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.server:testaction:5701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.server:question:5701
RULE             : The Windows DNS Server must uniquely identify the other DNS server before responding to a server-to-server transaction.
QUESTION_TEXT    : Note: This requirement applies to any Windows DNS Server that hosts non-AD-integrated zones, even if the DNS servers host AD-integrated zones, too.

Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account.

Press the Windows key + R and execute "gpme.msc" to open the Group Policy Management feature.

In the "Browse for Group Policy Object" dialog box, double-click "Domain Controllers.domain.com".

Click "Default Domain Controllers Policy" and click "OK".

In the console tree, open Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security - LDAP.

Click "Connection Security Rules".

Confirm at least one rule is configured for TCP 53.

Double-click on each rule to verify the following: 

On the "Authentication" tab, "Authentication mode:" is set to "Request authentication for inbound and outbound connections".

The "Signing Algorithm" is set to "RSA (default)".

On the "Remote Computers" tab, "Endpoint1" and "Endpoint2" are configured with the IP addresses of all DNS servers.

On the "Protocols and Ports" tab, "Protocol type:" is set to "TCP" and the "Endpoint 1 port:" is set to "Specific ports" and "53".

If no rules are configured with the specified requirements, this is a finding.
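Added example (not part of the STIG or SCC content): a PowerShell function that reads the IPsec connection security rules from the Default Domain Controllers Policy and reports the attributes the check asks for. It assumes the NetSecurity module on a domain-joined host with rights to read the GPO; 'example.test' is a hypothetical domain name. An InboundSecurity/OutboundSecurity value of 'Request' corresponds to the GUI's "Request authentication for inbound and outbound connections"; the signing algorithm lives in the rule's phase 1 authentication set and is not covered here.

```powershell
# Added example, not STIG text. Assumes the NetSecurity module; the domain name is a placeholder.
function Get-DnsIpsecRulePosture {
    param(
        [string]$Domain = 'example.test',
        [string]$Gpo    = 'Default Domain Controllers Policy'
    )
    $store = "$Domain\$Gpo"                       # GPO policy store in "Domain\GPO name" form
    $rules = @(Get-NetIPsecRule -PolicyStore $store -ErrorAction SilentlyContinue)
    $dnsRules = foreach ($r in $rules) {
        $port = $r | Get-NetFirewallPortFilter      # "Protocols and Ports" tab
        $addr = $r | Get-NetFirewallAddressFilter   # "Remote Computers" tab (Endpoint1 / Endpoint2)
        if ($port.Protocol -ne 'TCP' -or ($port.LocalPort -notcontains '53')) { continue }
        [pscustomobject]@{
            Rule             = $r.DisplayName
            Protocol         = $port.Protocol
            Endpoint1Port    = ($port.LocalPort -join ',')
            InboundSecurity  = $r.InboundSecurity     # expected: Request
            OutboundSecurity = $r.OutboundSecurity    # expected: Request
            Endpoint1        = ($addr.LocalAddress -join ',')
            Endpoint2        = ($addr.RemoteAddress -join ',')
            Finding          = ($r.InboundSecurity -ne 'Request') -or ($r.OutboundSecurity -ne 'Request')
        }
    }
    if (-not $dnsRules) { Write-Warning "No IPsec connection security rule for TCP 53 in '$store'; this is a finding." }
    $dnsRules
}
Get-DnsIpsecRulePosture | Format-List
```

Compare Endpoint1 and Endpoint2 against the full list of DNS server addresses by hand; an address missing from either endpoint means that server's zone transfers are not covered by the rule.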

References:
CCI-000778
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 17 *******************************

QUESTION         : 18 of 41
TITLE            : CAT II, V-259365, SV-259365r960735, SRG-APP-000001-DNS-000001
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.server:testaction:6101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.server:question:6101
RULE             : The Windows DNS primary server must only send zone transfers to a specific list of secondary name servers.
QUESTION_TEXT    : If the DNS server hosts only AD-integrated zones and there are no non-AD-integrated DNS servers acting as secondary DNS servers for the zones, this check is not applicable.

For a non-AD-integrated DNS server:

Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account.

Press the Windows key + R and execute "dnsmgmt.msc".

On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server, and then expand "Forward Lookup Zones".

From the expanded list, click to select and then right-click the zone name.

From the displayed context menu, click the "Properties" option.

On the opened zone's properties box, go to the "Zone Transfers" tab.

On the displayed interface, determine if the "Allow zone transfers" check box is selected.

If the "Allow zone transfers" check box is not selected, this is not a finding.

If the "Allow zone transfers" check box is selected, determine if either the "Only to servers listed on the Name Servers tab" radio button is selected or the "Only to the following servers" radio button is selected.

If the "To any server" radio button is selected, this is a finding.

References:
CCI-000054
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 18 *******************************

QUESTION         : 19 of 41
TITLE            : CAT II, V-259370, SV-259370r961041, SRG-APP-000176-DNS-000094
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.server:testaction:7101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.server:question:7101
RULE             : The private key corresponding to the zone signing key (ZSK) must only be stored on the name server that does support dynamic updates.
QUESTION_TEXT    : Note: This check is not applicable for Windows DNS Servers that host only Active Directory (AD)-integrated zones or for Windows DNS Servers on a classified network.

Note: This requirement is not applicable to servers with only a caching role.

For AD-integrated zones, private zone signing keys replicate automatically to all primary DNS servers through AD replication. Each authoritative server signs its own copy of the zone when it receives the key. For optimal performance, and to prevent increasing the size of the AD database file, the signed copy of the zone remains in memory for AD-integrated zones. A DNSSEC-signed zone is only committed to disk for file-backed zones. Secondary DNS servers pull a full copy of the zone, including signatures, from the primary DNS server.

If all DNS servers are AD integrated, this check is not applicable.

If a DNS server is not AD integrated and has file-backed zones, does not accept dynamic updates, and has a copy of the private key corresponding to the ZSK, this is a finding.

References:
CCI-000186
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 19 *******************************

QUESTION         : 20 of 41
TITLE            : CAT II, V-259371, SV-259371r1015766, SRG-APP-000401-DNS-000051
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.server:testaction:7301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.server:question:7301
RULE             : The Windows DNS Server must implement a local cache of revocation data for PKI authentication.
QUESTION_TEXT    : Consult with the system administrator to determine if a third-party CRL server is being used for certificate revocation lookup.

If there is, determine if a documented procedure is in place to store a copy of the CRL locally (local to the site, as an alternative to querying the actual Certificate Authorities). An example would be an OCSP responder installed at the local site.

If there is no local cache of revocation data, this is a finding.

References:
CCI-004068
CCI-001991
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 20 *******************************

QUESTION         : 21 of 41
TITLE            : CAT II, V-259372, SV-259372r961863, SRG-APP-000516-DNS-000077
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.server:testaction:7501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.server:question:7501
RULE             : The salt value for zones signed using NSEC3 resource records (RRs) must be changed every time the zone is completely re-signed.
QUESTION_TEXT    : Note: This check is not applicable for Windows DNS Servers that host only Active Directory-integrated zones or for Windows DNS Servers on a classified network.

In Windows, the NSEC3 salt values are automatically changed when the zone is re-signed.

To validate:
Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account.

Press the Windows key + R and execute "dnsmgmt.msc".

On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS Server and then expand "Forward Lookup Zones".

From the expanded list, click to select the zone. 

Review the zone's RRs in the right windowpane.

Determine the RRSIG NSEC3PARAM's Inception (in the Data column). Compare the Inception to the RRSIG DNSKEY Inception. The date and time should be the same.

If the NSEC3PARAM's Inception date and time differs from the DNSKEY Inception date and time, this is a finding.
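The same RRSIG inception comparison, done with the DnsServer module rather than by reading the Data column in DNS Manager. This is an added example, not part of the STIG or the SCC file; the zone name 'example.test' is a constructed placeholder, and the RRSig RecordData properties TypeCovered and SignatureInception are those exposed by Get-DnsServerResourceRecord.

```powershell
# Added example, not part of the STIG or SCC file: compare the RRSIG inception of
# the NSEC3PARAM record with the RRSIG inception(s) of the DNSKEY RRset at the
# zone apex, the comparison V-259372 asks the reviewer to make by eye.
# Run in an elevated session on the DNS server being reviewed.
Import-Module DnsServer

function Test-Nsec3SaltResigned {
    param([Parameter(Mandatory)][string]$ZoneName)

    # RRSIG records at the apex ("@"); RecordData carries TypeCovered and SignatureInception
    $apexSigs = Get-DnsServerResourceRecord -ZoneName $ZoneName -Name '@' -RRType RRSig -ErrorAction Stop

    # -eq is case-insensitive, so 'DnsKey' and 'DNSKEY' both match
    $paramSigs = @($apexSigs | Where-Object { $_.RecordData.TypeCovered -eq 'NSEC3PARAM' })
    $keySigs   = @($apexSigs | Where-Object { $_.RecordData.TypeCovered -eq 'DNSKEY' })

    if ($paramSigs.Count -eq 0) {
        # Unsigned zone, or signed with NSEC instead of NSEC3: the salt check does not apply
        return [pscustomobject]@{ Zone = $ZoneName; Status = 'Not Applicable'; NSEC3PARAM = $null; DNSKEY = $null }
    }

    # Several RRSIGs can cover DNSKEY (one per signing key); keep the distinct inceptions
    $keyInceptions   = @($keySigs.RecordData.SignatureInception   | Sort-Object -Unique)
    $paramInceptions = @($paramSigs.RecordData.SignatureInception | Sort-Object -Unique)

    # Every NSEC3PARAM signature must come from the same signing pass as a DNSKEY signature
    $mismatch = @($paramInceptions | Where-Object { $keyInceptions -notcontains $_ })
    $status   = if ($mismatch.Count -gt 0) { 'Finding' } else { 'Not a Finding' }

    [pscustomobject]@{
        Zone       = $ZoneName
        Status     = $status
        NSEC3PARAM = ($paramInceptions | ForEach-Object { $_.ToString('u') }) -join ', '
        DNSKEY     = ($keyInceptions   | ForEach-Object { $_.ToString('u') }) -join ', '
    }
}

# Constructed placeholder zone name; substitute the signed zone under review
Test-Nsec3SaltResigned -ZoneName 'example.test' | Format-List
```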

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 21 *******************************

QUESTION         : 22 of 41
TITLE            : CAT II, V-259382, SV-259382r961107, SRG-APP-000215-DNS-000026
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.server:testaction:9501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.server:question:9501
RULE             : The Windows DNS Server must be configured to validate an authentication chain of parent and child domains via response data.
QUESTION_TEXT    : Note: This check is not applicable for Windows DNS Servers that host only Active Directory-integrated zones or for Windows DNS Servers on a classified network.

Validate this check from the Windows DNS Server being configured/reviewed.

Log on to the Windows DNS Server using the account designated as Administrator or DNS Administrator.

Determine a valid host in the zone.

Open the Windows PowerShell prompt on the Windows DNS Server being configured/reviewed.

Issue the following command:

PS C:\> Get-DnsServerResourceRecord -ZoneName adatum.com -RRType DS

Replace "adatum.com" with the parent zone on the DNS server being evaluated.

HostName RecordType Timestamp TimeToLive RecordData
-------- ---------- --------- ---------- ----------
corp DS 0 01:00:00 [58555][Sha1][RsaSha1NSec3]
corp DS 0 01:00:00 [58555][Sha256][RsaSha1NSec3]
corp DS 0 01:00:00 [63513][Sha1][RsaSha1NSec3]
corp DS 0 01:00:00 [63513][Sha256][RsaSha1NSec3]

If the results do not show the DS records for the child domain(s), this is a finding.

In the previous example, DS records for the child zone, corp.adatum.com, were imported into the parent zone, adatum.com, by using the DSSET file in the c:\windows\system32\dns directory. The DSSET file was located in this directory because the local DNS server is the Key Master for the child zone.

If the Key Master DNS server for a child zone is not the same computer as the primary authoritative DNS server for the parent zone where the DS record is being added, the DSSET file must be obtained for the child zone and made available to the primary authoritative server for the parent zone. Alternatively, the DS records can be added manually.

References:
CCI-001663
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 22 *******************************

QUESTION         : 23 of 41
TITLE            : CAT II, V-259383, SV-259383r961107, SRG-APP-000215-DNS-000026
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.server:testaction:9701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.server:question:9701
RULE             : Trust anchors must be exported from authoritative Windows DNS Servers and distributed to validating Windows DNS Servers.
QUESTION_TEXT    : Note: This check is not applicable for Windows DNS Servers that host only Active Directory-integrated zones or for Windows DNS Servers on a classified network.

Log onto each of the validating Windows DNS Servers.

In the DNS Manager console tree, navigate to each hosted zone under the "Trust Points" folder.

Two DNSKEY trust points should be displayed, one for the active key and one for the standby key.

If each validating Windows DNS Server does not reflect the DNSKEY trust points for each of the hosted zone(s), this is a finding.

References:
CCI-001663
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 23 *******************************

QUESTION         : 24 of 41
TITLE            : CAT II, V-259389, SV-259389r1043178, SRG-APP-000219-DNS-000028
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.server:testaction:10901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.server:question:10901
RULE             : The Windows DNS Server must protect the authenticity of zone transfers via transaction signing.
QUESTION_TEXT    : Note: This requirement applies to any Windows DNS Servers that host non-AD-integrated zones (file based) even if the DNS servers host AD-integrated zones, too.

If the Windows DNS Servers host only AD-integrated zones, this requirement is not applicable.

To protect authenticity of zone transfers between Windows DNS Servers with file-based zones, IPsec must be configured on each pair of name servers in a zone transfer transaction for those zones.

Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account.

Press the Windows key + R and execute "gpme.msc" to open the Group Policy Management feature.

In the "Browse for Group Policy Object" dialog box, double-click "Domain Controllers.domain.com".

Click "Default Domain Controllers Policy" and click "OK".

In the console tree, open Computer Configuration\Policies\Windows Settings\Security Settings\Windows Defender Firewall with Advanced Security\Windows Defender Firewall with Advanced Security - Local Group Policy Object.

Click Connection Security Rules.

Consult with the SA to determine which Rules meet the intent of the server-to-server authentication.

If Rules exist, double-click on each Rule to verify the following:

For the "Authentication:" tab, click on the "Customize..." button.

On the Authentication tab, verify "Authentication mode:" is set to "Request authentication for inbound and outbound connections".

Confirm the "Signing Algorithm" is set to "RSA (default)".

Under "Method", ensure the "Advanced:" radio button is selected.

Click the "Customize" button.

For "First authentication methods:", double-click on the entry.

Verify the "Select the credential to use for first authentication:" has "Computer certificate from this certification authority (CA):" radio button selected.

Review the certificate specified and verify the certificate used was generated by the internally-managed server performing the Active Directory Certificate Services (AD CS) role.

If rules do not exist for server-to-server authentication, this is a finding.

If rules exist for this server to authenticate to other name servers hosting the same file-based zones when transacting zone transfers, but the rules are not configured with the above settings, this is a finding.

References:
CCI-001184
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 24 *******************************

QUESTION         : 25 of 41
TITLE            : CAT II, V-259392, SV-259392r961596, SRG-APP-000427-DNS-000060
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.server:testaction:11501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.server:question:11501
RULE             : The Windows DNS Server must use an approved DOD PKI certificate authority.
QUESTION_TEXT    : Note: This requirement applies to any Windows DNS Servers that host non-AD-integrated zones even if the DNS servers host AD-integrated zones, too.

This requirement is not applicable to servers with only a caching role.

If the Windows DNS Servers host only AD-integrated zones, this requirement is not applicable.

Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account.

Press the Windows key + R and execute "gpme.msc" to open the Group Policy Management feature.

In the "Browse for Group Policy Object" dialog box, double-click "Domain Controllers.domain.com".

Click "Default Domain Controllers Policy" and click "OK".

In the console tree, open Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security - LDAP.

Click "Connection Security Rules".

Consult with the system administrator to determine which Rules meet the intent of DNSSEC server-to-server authentication.

Double-click on each "Rule" to verify the following:

For the "Authentication" tab, click on the "Customize..." button.

On the "Authentication" tab, verify "Authentication mode:" is set to "Request authentication for inbound and outbound connections".

Confirm the "Signing Algorithm" is set to "RSA (default)".

Under "Method", verify the "Advanced:" radio button is selected. Click the "Customize" button.

For "First authentication methods:", double-click on the entry.

Verify the "Select the credential to use for first authentication:" has "Computer certificate from this certification authority (CA):" radio button selected.

Review the certificate specified and verify the certificate used was generated by the internally managed server performing the AD CS role.

If the certificate used does not meet the requirements, this is a finding.

References:
CCI-002470
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 25 *******************************

QUESTION         : 26 of 41
TITLE            : CAT II, V-259393, SV-259393r1028387, SRG-APP-000231-DNS-000033
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.server:testaction:11701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.server:question:11701
RULE             : The Windows DNS Server must protect secret/private cryptographic keys while at rest.
QUESTION_TEXT    : This check is not applicable for Windows DNS Servers that only host Active Directory-integrated zones or for Windows DNS servers on a classified network.

To verify the cryptographic keys are protected after being backed up to another medium (tape, disk, SAN, etc.), consult with the system administrator to determine the backup policy in place for the DNS server.

If a backup policy does not exist, or the backup policy does not require the backup medium to be protected at or above the level of protection applied to the server itself, this is a finding.

References:
CCI-001199
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 26 *******************************

QUESTION         : 27 of 41
TITLE            : CAT II, V-259394, SV-259394r961599, SRG-APP-000428-DNS-000061
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.server:testaction:11901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.server:question:11901
RULE             : The Windows DNS Server must only contain zone records that have been validated annually.
QUESTION_TEXT    : This requirement is not applicable for a Windows DNS Server that is hosting only Active Directory (AD)-integrated zones.

For a Windows DNS Server that hosts a mix of AD-integrated zones and manually maintained zones, ask the DNS database administrator if they maintain a separate database with record documentation for the non-AD-integrated zone information. Verify that the record's last verified date is less than one year prior to the date of the review.

If a separate database with record documentation is not maintained for the non-AD-integrated zone information, this is a finding.

If a separate database with record documentation is maintained for the non-AD-integrated zone information, log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account.

Press the Windows key + R and execute "dnsmgmt.msc".

On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones".

From the expanded list, click to select the zone.

Review the zone records of the non-AD-integrated zones and compare to the separate documentation maintained.

Determine if any records have not been validated in more than a year.

If zone records exist that have not been validated in more than a year, this is a finding.

References:
CCI-002475
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 27 *******************************

QUESTION         : 28 of 41
TITLE            : CAT II, V-259396, SV-259396r961155, SRG-APP-000247-DNS-000036
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.server:testaction:12301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.server:question:12301
RULE             : The Windows DNS Server must use DNS Notify to prevent denial of service (DoS) through increase in workload.
QUESTION_TEXT    : Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account.

Press the Windows key + R and execute "dnsmgmt.msc".

On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones".

From the expanded list, click to select the zone.

In the list of hosts, review the Name Server (NS) records. Determine if any of the hosts listed as NS records are non-Active Directory (AD)-integrated servers.

If the DNS server hosts only AD-integrated zones and no non-AD-integrated DNS servers are acting as secondary DNS servers for the zones, this check is not applicable.

For a non-AD-integrated DNS server, right-click on the "Forward Lookup Zone" and select "Properties".

On the opened zone's properties box, go to the "Zone Transfers" tab.

On the displayed interface, determine if the "Allow zone transfers" check box is selected.

If the "Allow zone transfers" check box is selected, click the "Notify" button and verify that "Automatically notify" is selected with the "Servers listed on the Name Servers tab" option.

If the "Notify" button is not enabled for non-AD-integrated DNS servers, this is a finding.
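The "Zone Transfers" tab settings checked in questions 18 (V-259365) and 28 (V-259396) are exposed by Get-DnsServerZone as the SecureSecondaries and Notify properties, so both checks can be audited for every file-backed primary zone at once. This is an added example, not part of the STIG or the SCC file; the address 10.0.0.53 in the commented remediation line is a constructed placeholder.

```powershell
# Added example, not part of the STIG or SCC file: audit zone-transfer (V-259365)
# and DNS Notify (V-259396) settings on the local Windows DNS Server.
# Requires the DnsServer module installed with the DNS Server role and an
# elevated session on the server under review.
Import-Module DnsServer

function Get-ZoneTransferFindings {
    # All zones, reverse lookup zones included; the GUI procedure walks only
    # "Forward Lookup Zones", but reverse zones carry the same settings.
    foreach ($zone in Get-DnsServerZone) {
        # Both checks are not applicable to AD-integrated zones, and only a
        # primary zone owns zone-transfer/notify settings. Auto-created zones
        # (TrustAnchors, 0.in-addr.arpa, ...) are skipped as well.
        if ($zone.IsDsIntegrated -or $zone.IsAutoCreated -or $zone.ZoneType -ne 'Primary') {
            continue
        }

        # SecureSecondaries mirrors the "Zone Transfers" tab:
        #   NoTransfer               "Allow zone transfers" cleared                 -> not a finding
        #   TransferToZoneNameServer "Only to servers listed on the Name Servers tab"
        #   TransferToSecureServers  "Only to the following servers"
        #   TransferAnyServer        "To any server"                                -> finding
        $transferFinding = ($zone.SecureSecondaries -eq 'TransferAnyServer')

        # Notify mirrors the "Notify" button: NoNotify, Notify (servers on the
        # Name Servers tab) or NotifyServers (explicit list). Once transfers are
        # allowed at all, NoNotify is the V-259396 finding.
        $notifyFinding = ($zone.SecureSecondaries -ne 'NoTransfer') -and
                         ($zone.Notify -eq 'NoNotify')

        $transferStatus = if ($transferFinding) { 'Finding' } else { 'Not a Finding' }
        $notifyStatus   = if ($notifyFinding)   { 'Finding' } else { 'Not a Finding' }

        [pscustomobject]@{
            Zone              = $zone.ZoneName
            SecureSecondaries = $zone.SecureSecondaries
            SecondaryServers  = ($zone.SecondaryServers -join ', ')
            Notify            = $zone.Notify
            NotifyServers     = ($zone.NotifyServers -join ', ')
            'V-259365'        = $transferStatus
            'V-259396'        = $notifyStatus
        }
    }
}

Get-ZoneTransferFindings | Format-Table -AutoSize

# Remediation for a zone that reports either finding. The address 10.0.0.53 is a
# constructed placeholder for the authorised secondary name server; the zone
# name is a placeholder as well.
# Set-DnsServerPrimaryZone -Name 'example.test' -SecureSecondaries TransferToSecureServers `
#     -SecondaryServers 10.0.0.53 -Notify NotifyServers -NotifyServers 10.0.0.53
```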

References:
CCI-001095
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 28 *******************************

QUESTION         : 29 of 41
TITLE            : CAT II, V-259401, SV-259401r961158, SRG-APP-000251-DNS-000037
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.server:testaction:13301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.server:question:13301
RULE             : The Windows DNS Server must be configured to only allow zone information that reflects the environment for which it is authoritative, including IP ranges and IP versions.
QUESTION_TEXT    : Consult with the system administrator to determine the IP ranges for the environment.

Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account.

If not automatically started, initialize the "Server Manager" window by clicking its icon from the bottom left corner of the screen.

Once the "Server Manager" window is initialized, from the left pane, click to select the DNS category.

From the right pane, under the "SERVERS" section, right-click the DNS server.

From the context menu that appears, click "DNS Manager".

On the opened DNS Manager snap-in from the left pane, expand the server name and then expand "Forward Lookup Zones".

From the expanded list, click to select and then right-click the zone name.

Review the zone information and compare it to the IP ranges for the environment.

If any zone information is for a different IP range or domain, this is a finding.

References:
CCI-001310
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 29 *******************************

QUESTION         : 30 of 41
TITLE            : CAT II, V-259402, SV-259402r987708, SRG-APP-000451-DNS-000069
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.server:testaction:13501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.server:question:13501
RULE             : The Windows DNS Server must follow procedures to re-role a secondary name server as the primary name server if the primary name server permanently loses functionality.
QUESTION_TEXT    : Active Directory (AD)-integrated DNS servers will handle the promotion of a secondary DNS server when a primary DNS server loses functionality.

If all of the DNS servers are AD integrated, this is not a finding.

Consult with the system administrator to determine if there are documented procedures to re-role a non-AD-integrated secondary name server to the primary name server role if a primary name server loses functionality.

If there are no documented procedures to re-role a non-AD-integrated secondary name server to primary if a primary name server loses functionality, this is a finding.

References:
CCI-000366
CCI-002775
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 30 *******************************

QUESTION         : 31 of 41
TITLE            : CAT II, V-259404, SV-259404r1001265, SRG-APP-000333-DNS-000107
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.server:testaction:13901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.server:question:13901
RULE             : The HINFO, RP, TXT, and LOC RR types must not be used in the zone SOA.
QUESTION_TEXT    : Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account.

Press the Windows key + R and execute "dnsmgmt.msc".

On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones".

From the expanded list, click to select the zone.

Review the zone's RRs and verify HINFO, RP, and LOC RRs are not used. If TXT RRs are used, they must not reveal any information about the organization that could be used for malicious purposes.

If there are any HINFO, RP, LOC, or revealing TXT RRs in any zone hosted by the DNS server, this is a finding.
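An added PowerShell sweep (not part of the STIG or the SCC file) that enumerates HINFO, RP and LOC records across every primary and secondary zone on the local server, each of which is a finding under this requirement, and lists TXT records with their text so the disclosure review can be done from one table. It relies only on Get-DnsServerZone and Get-DnsServerResourceRecord from the DnsServer module.

```powershell
# Added example, not part of the STIG or SCC file: list HINFO, RP and LOC
# records (any occurrence is a V-259404 finding) and TXT records (to be
# reviewed for information useful to an attacker) in all hosted zones.
Import-Module DnsServer

function Get-ProhibitedRecordFindings {
    # RRType names as accepted by Get-DnsServerResourceRecord's -RRType parameter
    $prohibited = 'HInfo', 'Rp', 'Loc'

    # Primary and secondary zones hold records; stubs, forwarders and
    # auto-created zones do not need review.
    $zones = Get-DnsServerZone | Where-Object {
        -not $_.IsAutoCreated -and $_.ZoneType -in 'Primary', 'Secondary'
    }

    foreach ($zone in $zones) {
        foreach ($type in $prohibited) {
            # A zone with no records of this type simply returns nothing
            Get-DnsServerResourceRecord -ZoneName $zone.ZoneName -RRType $type -ErrorAction SilentlyContinue |
                ForEach-Object {
                    # Flatten the type-specific RecordData (Cpu/OperatingSystem for HINFO,
                    # ResponsiblePerson/Description for RP, coordinates for LOC) for the report
                    $data = ($_.RecordData.CimInstanceProperties |
                             ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
                    [pscustomobject]@{
                        Zone        = $zone.ZoneName
                        Name        = $_.HostName
                        Type        = $_.RecordType
                        Data        = $data
                        Disposition = 'Finding'
                    }
                }
        }

        # TXT is permitted, but every value must be reviewed for organizational,
        # host or software details (e.g. version strings) that aid reconnaissance
        Get-DnsServerResourceRecord -ZoneName $zone.ZoneName -RRType Txt -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Zone        = $zone.ZoneName
                    Name        = $_.HostName
                    Type        = $_.RecordType
                    Data        = ($_.RecordData.DescriptiveText -join ' ')
                    Disposition = 'Review'
                }
            }
    }
}

Get-ProhibitedRecordFindings | Sort-Object Disposition, Zone, Name | Format-Table -AutoSize -Wrap
```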

References:
CCI-002201
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 31 *******************************

QUESTION         : 32 of 41
TITLE            : CAT II, V-259405, SV-259405r987640, SRG-APP-000268-DNS-000039
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.server:testaction:14101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.server:question:14101
RULE             : The Windows DNS Server must, when a component failure is detected, activate a notification to the system administrator.
QUESTION_TEXT    : Notification to the system administrator is not configurable in Windows DNS Server. For system administrators to be notified when a component fails, the system administrator would have to implement a third-party monitoring system. At a minimum, the system administrator should have a documented procedure in place to review the diagnostic logs on a routine basis every day.

If a third-party monitoring system is not in place to detect and notify the system administrator upon component failures, and the system administrator does not have a documented procedure in place to review the diagnostic logs on a routine basis every day, this is a finding.

References:
CCI-000366
CCI-001328
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 32 *******************************

QUESTION         : 33 of 41
TITLE            : CAT II, V-259407, SV-259407r961734, SRG-APP-000473-DNS-000072
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.server:testaction:14501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.server:question:14501
RULE             : The Windows DNS Server must verify the correct operation of security functions upon system startup and/or restart, upon command by a user with privileged access, and/or every 30 days.
QUESTION_TEXT    : This functionality should be performed by an approved and properly configured DOD system monitoring solution. 

If all required DOD products are not installed and/or the installed products are not enabled, this is a finding.

References:
CCI-002699
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 33 *******************************

QUESTION         : 34 of 41
TITLE            : CAT II, V-259408, SV-259408r961737, SRG-APP-000474-DNS-000073
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.server:testaction:14701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.server:question:14701
RULE             : The Windows DNS Server must log the event and notify the system administrator when anomalies in the operation of the signed zone transfers are discovered.
QUESTION_TEXT    : Note: If the only zones hosted are AD-integrated zones, this check is not applicable.

Notification to the system administrator is not configurable in Windows. For the administrator to be notified if functionality of DNSSEC/TSIG has been removed or broken, the information system security officer (ISSO), information system security manager (ISSM), or DNS administrator would need to implement a third-party monitoring system. At a minimum, the ISSO/ISSM/DNS administrator should have a documented procedure in place to review the diagnostic logs on a routine basis every day.

If a third-party monitoring system is not in place to detect and notify the ISSO/ISSM/DNS administrator if functionality of DNSSEC/TSIG has been removed or broken and the ISSO/ISSM/DNS administrator does not have a documented procedure in place to review the diagnostic logs on a routine basis every day, this is a finding.

References:
CCI-002702
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 34 *******************************

QUESTION         : 35 of 41
TITLE            : CAT II, V-259409, SV-259409r961185, SRG-APP-000275-DNS-000040
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.server:testaction:14901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.server:question:14901
RULE             : The Windows DNS Server must be configured to notify the information system security officer (ISSO), information system security manager (ISSM), or DNS administrator when functionality of DNSSEC/TSIG has been removed or broken.
QUESTION_TEXT    : Note: This check is not applicable for Windows DNS Servers that only host Active Directory-integrated zones or for Windows DNS servers on a classified network.

Notification to the system administrator is not configurable in Windows DNS Server. For the ISSO/ISSM/DNS administrator to be notified if functionality of Secure Updates has been removed or broken, the ISSO/ISSM/DNS administrator would need to implement a third-party monitoring system. At a minimum, the ISSO/ISSM/DNS administrator should have a documented procedure in place to review the diagnostic logs on a routine basis every day.

If a third-party monitoring system is not in place to detect and notify the ISSO/ISSM/DNS administrator if functionality of Secure Updates has been removed or broken and the ISSO/ISSM/DNS administrator does not have a documented procedure in place to review the diagnostic logs on a routine basis every day, this is a finding.

References:
CCI-001294
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 35 *******************************

QUESTION         : 36 of 41
TITLE            : CAT II, V-259410, SV-259410r1081086, SRG-APP-000176-DNS-000076
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.server:testaction:15101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.server:question:15101
RULE             : A unique Transaction Signature (TSIG) key must be generated for each pair of communicating hosts.
QUESTION_TEXT    : This check is not applicable for Windows DNS Servers that only host Active Directory-integrated zones or for Windows DNS servers on a classified network.

Review the DNS implementation. Verify that each pair of communicating hosts has a unique TSIG key (i.e., a separate key for each secondary name server to authenticate transactions with the primary name server, etc.).

If a unique TSIG key has not been generated for each pair of communicating hosts, this is a finding.

If using DNSSEC, this requirement is not applicable.

References:
CCI-000186
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 36 *******************************

QUESTION         : 37 of 41
TITLE            : CAT II, V-259411, SV-259411r961062, SRG-APP-000185-DNS-000021
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.server:testaction:15301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.server:question:15301
RULE             : The DNS server implementation must employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions.
QUESTION_TEXT    : Review the DNS implementation's authentication methods and settings to determine if multifactor authentication is used to gain nonlocal access for maintenance and diagnostics.

If multifactor authentication is not used, this is a finding.

References:
CCI-000877
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 37 *******************************

QUESTION         : 38 of 41
TITLE            : CAT II, V-259413, SV-259413r961863, SRG-APP-000516-DNS-000105
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.server:testaction:15701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.server:question:15701
RULE             : The DNS Name Server software must run with restricted privileges.
QUESTION_TEXT    : Review the account under which the DNS software is running and determine the permissions that account has been assigned.

If the account under which the DNS software is running has not been restricted to the least privileged permissions required for the purpose of running the software, this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 38 *******************************
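For the check in question 38, an added PowerShell example (not part of the STIG file) that reports the account the Windows DNS Server service runs under and the local user rights assigned to that account's SID; it assumes local administrator rights for secedit and uses a temporary file name chosen here.

```powershell
# Added example, not from the STIG: identify the DNS Server service account
# and list the user-rights assignments granted to it, for least-privilege review.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='DNS'"
if (-not $svc) { throw 'DNS Server service not found on this host' }
$account = $svc.StartName

# Built-in service identities have fixed SIDs; any other account is resolved.
$sid = switch ($account) {
    'LocalSystem'                 { 'S-1-5-18' }
    'NT AUTHORITY\LocalService'   { 'S-1-5-19' }
    'NT AUTHORITY\NetworkService' { 'S-1-5-20' }
    default {
        ([System.Security.Principal.NTAccount]$account).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    }
}

# Export local user-rights assignments (secedit .inf format, e.g.
# "SeServiceLogonRight = *S-1-5-80-0,*S-1-5-21-...") and keep lines naming this SID.
$cfg = Join-Path $env:TEMP 'dns-user-rights.inf'   # temporary file, assumption
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$rights = Get-Content $cfg |
    Where-Object { $_ -match '^(Se\w+)\s*=' -and $_ -like "*$sid*" } |
    ForEach-Object { ($_ -split '=')[0].Trim() }
Remove-Item $cfg -ErrorAction SilentlyContinue

[pscustomobject]@{
    Service    = $svc.Name
    Account    = $account
    Sid        = $sid
    UserRights = ($rights -join ', ')
    Note       = if ($sid -eq 'S-1-5-18') {
                     'Runs as LocalSystem; its rights are implicit and not listed by secedit'
                 } else {
                     'Compare rights and group memberships against the documented baseline'
                 }
}
```

The output is evidence for the comment field; whether the listed rights are the minimum required is still the reviewer's judgment against the site's documentation.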

QUESTION         : 39 of 41
TITLE            : CAT II, V-259414, SV-259414r1028388, SRG-APP-000516-DNS-000112
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.server:testaction:15901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.server:question:15901
RULE             : The private keys corresponding to both the zone signing key (ZSK) and the key signing key (KSK) must not be kept on the DNSSEC-aware primary authoritative name server when the name server does not support dynamic updates.
QUESTION_TEXT    : This check is not applicable for Windows DNS Servers that only host Active Directory-integrated zones or for Windows DNS servers on a classified network. 

Review the DNS name server and documentation to determine if it accepts dynamic updates. 

If dynamic updates are not accepted, verify the private keys corresponding to both the ZSK and KSK are not located on the name server.

If the private keys to the ZSK and/or the KSK are located on the name server, this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 39 *******************************

QUESTION         : 40 of 41
TITLE            : CAT II, V-259415, SV-259415r960948, SRG-APP-000125-DNS-000012
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.server:testaction:16101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.server:question:16101
RULE             : The Windows DNS Server audit records must be backed up at least every seven days onto a different system or system component than the system or component being audited.
QUESTION_TEXT    : Consult with the system administrator to determine the backup policy in place for Windows DNS Server.

Review the backup methods used and determine if they have been successful at backing up the audit records at least every seven days.

If the organization does not have a backup policy in place for backing up the Windows DNS Server's audit records and/or the backup methods have not been successful at backing up the audit records at least every seven days, this is a finding.

References:
CCI-001348
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 40 *******************************

QUESTION         : 41 of 41
TITLE            : CAT II, V-259416, SV-259416r961863, SRG-APP-000516-DNS-000093
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.server:testaction:16301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.server:question:16301
RULE             : In a split DNS configuration, where separate name servers are used between the external and internal networks, the internal name server must be configured to not be reachable from outside resolvers.
QUESTION_TEXT    : Consult with the system administrator to review the internal Windows DNS Server's firewall policy.

The inbound TCP and UDP port 53 rule should be configured to only allow hosts from the internal network to query the internal DNS server.

If the firewall policy is not configured with the restriction, consult with the network firewall administrator to confirm the restriction on the network firewall.

If neither the DNS server's firewall policy nor the network firewall is configured to block external hosts from querying the internal DNS server, this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 41 *******************************
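For the firewall check in question 41, an added PowerShell example (not part of the STIG file) that lists enabled inbound allow rules opening TCP or UDP port 53 on the internal DNS server and flags any whose remote scope is Any; the internal address ranges are placeholders to be replaced with the site's networks.

```powershell
# Added example, not from the STIG: audit (and optionally scope) Windows Firewall
# rules that expose port 53, per the split-DNS requirement in question 41.
$InternalRanges = @('10.0.0.0/8', '192.168.0.0/16')   # placeholders, site-specific
$ApplyScope = $false   # set to $true to restrict unscoped rules to $InternalRanges

$rules = Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow
foreach ($rule in $rules) {
    $port = $rule | Get-NetFirewallPortFilter
    # LocalPort may be a single value, an array, or a range such as '53-60';
    # only exact matches on 53 are considered here.
    if ($port.Protocol -notin @('TCP', 'UDP')) { continue }
    if (@($port.LocalPort) -notcontains '53') { continue }

    $addr = $rule | Get-NetFirewallAddressFilter
    $remote = @($addr.RemoteAddress)
    $unscoped = ($remote -contains 'Any')

    if ($unscoped -and $ApplyScope) {
        # Remediation: limit the rule's remote scope to the internal ranges.
        $rule | Set-NetFirewallRule -RemoteAddress $InternalRanges
        $remote = $InternalRanges
        $unscoped = $false
    }

    [pscustomobject]@{
        Rule          = $rule.DisplayName
        Protocol      = $port.Protocol
        RemoteAddress = ($remote -join ', ')
        Status        = if ($unscoped) { 'REVIEW: reachable from any remote host' }
                        else { 'Scoped' }
    }
}
```

A host rule scoped to the internal ranges satisfies only the first part of the check; if every port 53 rule reports REVIEW, the network firewall restriction still has to be confirmed with the firewall administrator as the question describes.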

