Checklist Summary:

This Microsoft Windows Server Domain Name System (DNS) Security Technical Implementation Guide (STIG) is published as a tool to secure Microsoft Windows DNS implementations. This STIG will be used for all Windows DNS servers, whether they are Active Directory (AD)-integrated, authoritative file-backed DNS zones, a hybrid of both, or a recursive caching server. This STIG must also be used for Windows DNS servers that are a secondary name server for zones whose master authoritative server is non-Windows. The direction is to ensure the authentication and integrity of Windows Server DNS data by applying DNS Security Extensions (DNSSEC) as specified by the Internet Engineering Task Force (IETF) Requests for Comment (RFC4641, RFC5011, RFC5155, RFC4033, RFC4034, RFC4035, and RFC3833) and outlined in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-81, “Secure Domain Name System (DNS) Deployment Guide.” NIST SP 800-81 rev 2, “Secure Domain Name System (DNS) Deployment Guide,” has also been a resource in the development of this STIG. The DNS Server service has greatly enhanced support for DNSSEC in Windows Server DNS. Therefore, these STIG settings are required for all Windows DNS implementations.

Checklist Role:

• Active Directory Server
• DNS Server

Known Issues:

Not provided.

Target Audience:

Parties within the DOD and federal government’s computing environments can obtain the applicable STIG from the DOD Cyber Exchange website at https://cyber.mil/. This site contains the latest copies of STIGs, SRGs, and other related security information. Those without a Common Access Card (CAC) that has DOD Certificates can obtain the STIG from https://public.cyber.mil/.

Target Operational Environment:

• Managed
• Specialized Security-Limited Functionality (SSLF)

Testing Information:

Not provided.

Regulatory Compliance:

Department of Defense Instruction (DODI) 8500.01

Comments/Warnings/Miscellaneous:

Not provided.

Disclaimer:

Not provided.

Product Support:

Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. DISA will coordinate all change requests with the relevant DOD organizations before inclusion in this document. Approved changes will be made in accordance with the DISA maintenance release schedule.

Point of Contact:

STIGs provide configurable operational security guidance for products being used by the DOD. STIGs, along with vendor confidential documentation, also provide a basis for assessing compliance with cybersecurity controls/control enhancements, which supports system assessment and authorization (A&A) under the DOD Risk Management Framework (RMF). Department of Defense AOs may request available vendor confidential documentation for a product that has a STIG for product evaluation and RMF purposes from disa.stig_spt@mail.mil. This documentation is not published for general access to protect the vendor’s proprietary information.

Sponsor:

Not provided.

Licensing:

Not provided.

Change History:

new checklist - 1/29/24
updated to final - 2/29/24

Dependency/Requirements:

URL	Description

References:

Reference URL	Description

NIST checklist record last modified on 02/29/2024