
Microsoft Windows 2012 Server DNS STIG Ver 2, Rel 5 Checklist Details


Target CPE Name
Microsoft Windows Server 2012 R2 cpe:/o:microsoft:windows_server_2012:r2

Checklist Highlights

Checklist Name:
Microsoft Windows 2012 Server DNS STIG
Checklist ID:
Ver 2, Rel 5
Review Status:
Governmental Authority: Defense Information Systems Agency
Original Publication Date:

Checklist Summary:

This Microsoft Windows 2012 Server Domain Name System (DNS) STIG is published as a tool to secure Microsoft Windows 2012 DNS implementations. This STIG will be used for all Windows 2012/2012 R2 DNS servers, whether they host Active Directory-integrated zones, authoritative file-backed DNS zones, a hybrid of both, or act as a recursive caching server. This STIG should also be used for Windows 2012 DNS servers being used as a secondary name server for zones whose master authoritative server is non-Windows. The intent is to ensure the authentication and integrity of Windows 2012 DNS data by applying DNS Security Extensions (DNSSEC), as specified by the Internet Engineering Task Force (IETF) Requests for Comment (RFC4641, RFC5011, RFC5155, RFC4033, RFC4034, RFC4035, and RFC3833) and as outlined in the NIST Special Publication (SP) 800-81, “Secure Domain Name System (DNS) Deployment Guide”. In addition, the NIST SP 800-81 rev 2, “Secure Domain Name System (DNS) Deployment Guide”, has been a resource in the development of this Windows 2012 DNS STIG. Because the DNS Server service in Windows Server 2012 has greatly enhanced support for DNSSEC, these STIG settings are required for all Windows 2012/2012 R2 DNS implementations.

Checklist Role:

  • Domain Name Server
  • DNS Server
  • Desktop and Server Operating System

Known Issues:

Not Provided

Target Audience:

This checklist is primarily for IT generalists, security specialists, network architects, and other IT professionals and consultants who plan application or infrastructure development and deployments of Windows 8 and BitLocker for both desktop and laptop client computers in an enterprise environment.

Target Operational Environment:

  • Managed

Testing Information:

Not Provided

Regulatory Compliance:

DoD Instruction (DoDI) 8500.01


Not Provided


Not Provided

Product Support:

Not Provided

Point of Contact:



Not Provided


Not Provided

Change History:

Version 1, Release 2 - 29 October 2015
Changed status from "Under Review" to "Final" - 04 December 2015
Version 1, Release 3 - 2 February 2016
3/11/2016 - Promote to Final
updated to - v1, r4 - 07/22/2016
Updated to FINAL - 09/12/2016
Updated to Ver 1, Rel 5 - 01/27/2017
Updated to FINAL - 03/13/2017
Updated to Version 1, Release 6 - 04/28/2017
Updated to FINAL - 05/30/2017
Updated URL to reflect change to the DISA website - http --> https
Updated to Version 1, Release 8 - 02/16/2018
Updated to FINAL - 3/18/2018
updated to v1,r9 - 4/25/18
Updated to FINAL - 5/25/18
updated to Version 1, Release 10 - 7/24/18
Updated to FINAL - 8/24/18
Updated to Version 1, Release 11 - 1/23/19
Updated to FINAL - 2/19/19
Updated URLs - 6/12/19
Updated URLs - 8/12/2019
updated URLs per DISA - 1/21/2020
corrected reference title - 1/22/2020
Updated URLs per DISA - 4/24/2020
updated URLs - 8/3/2020
updated URLs - 10/27/2020
updated URLs - 4/28/2021
Updated resource per DISA - 7/29/21
Updated resource per DISA - 11/26/21
Updated resource per DISA - 5/29/22



NIST checklist record last modified on 05/29/2022