Windows Server DNS STIG Checklist (Ver 2, Rel 3)

Hard 18 items · 2 hours
testuser Published 4 weeks ago

This checklist implements the Microsoft Windows Server Domain Name System (DNS) STIG Ver 2, Rel 3 to help secure Windows DNS deployments. It’s intended for system administrators, security engineers, and compliance teams managing AD-integrated, authoritative, or caching Windows DNS servers.

Source: https://ncp.nist.gov/checklist/1080

  1. Apply the Microsoft Windows DNS STIG baseline and latest cumulative updates — Install official STIG settings and Windows updates to meet compliance baseline.
  2. Back up DNS server configuration and zone data — Export zones and back up `%systemroot%\system32\dns` and AD-integrated records.
  3. Restrict zone transfers to authorized IP addresses — Allow transfers only to listed secondary servers or management hosts.
  4. Configure TSIG authentication for zone transfers — Use transaction signatures (TSIG) for authenticated transfers.
  5. Disable recursion on authoritative-only DNS servers — Turn off recursion if the server does not serve recursive resolver clients.
  6. Configure forwarders and conditional forwarders for resolution — Point recursive queries to trusted forwarders and isolate internal resolution.
  7. Implement DNSSEC for zone authentication and integrity — Enable DNSSEC support and policies for all applicable zones per STIG.
  8. Sign DNS zones with DNSSEC keys — Use approved algorithms and key lengths for zone signing.
  9. Configure automated key rollover (RFC 5011) for trust anchors — Enable and schedule secure automated trust anchor updates.
  10. Enable DNSSEC validation on resolvers — Turn on validation to reject signatures that fail verification.
  11. Restrict or require secure dynamic updates for AD-integrated zones — Allow only secure, authenticated updates where needed.
  12. Enable and configure DNS logging and auditing — Log queries, zone transfers, and administrative changes for audits.
  13. Limit DNS Server service account privileges and apply least privilege — Run DNS service with minimal rights and remove unnecessary permissions.
  14. Harden network access: enforce firewall rules and block port 53 from untrusted networks — Allow DNS traffic only from known networks and authorized clients.
  15. Enable response rate limiting or other flood protections — Mitigate DNS amplification and reflection attacks with RRL or controls.
  16. Implement zone aging and scavenging to remove stale records — Configure timestamps and scavenging to keep authoritative data current.
  17. Regularly review, test, and scan DNS configurations for STIG compliance — Perform periodic assessments, automated scans, and corrective actions.
  18. Document DNS configuration, STIG version, change history, and support contacts — Keep records of settings, changes, and the DISA contact/email for updates.
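As an added example (not part of this checklist or of DISA's STIG), the following PowerShell script performs a read-only audit of items 3, 5, 7, 11, 12, 15 and 16 using the built-in DnsServer module, the kind of periodic check item 17 calls for. It assumes it runs with DNS administration rights against an authoritative-only server; the mapping of each item to a setting and the expected values are this example's own, so confirm them against the STIG text.

```powershell
# Added example: read-only audit of several checklist items using the DnsServer
# module. The item-to-setting mapping and expected values are assumptions made
# here; the STIG is the authoritative source. Requires DNS admin rights.
#Requires -Modules DnsServer
param([string]$ComputerName = $env:COMPUTERNAME)

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Item, $Object, $Setting, $Value, $Expected) {
    $status = if ("$Value" -in $Expected) { 'PASS' } else { 'FAIL' }
    $findings.Add([pscustomobject]@{
        Item = $Item; Object = $Object; Setting = $Setting
        Value = "$Value"; Expected = ($Expected -join '|'); Status = $status
    })
}

# Item 5: recursion off (assumes this server is authoritative-only).
$rec = Get-DnsServerRecursion -ComputerName $ComputerName
Add-Finding 5 'Server' 'Recursion.Enable' $rec.Enable @('False')

# Item 15: response rate limiting fully enabled (not Disable or LogOnly).
$rrl = Get-DnsServerResponseRateLimiting -ComputerName $ComputerName
Add-Finding 15 'Server' 'RRL.Mode' $rrl.Mode @('Enable')

# Item 16: aging/scavenging switched on server-wide.
$scav = Get-DnsServerScavenging -ComputerName $ComputerName
Add-Finding 16 'Server' 'ScavengingState' $scav.ScavengingState @('True')

# Item 12: query logging enabled and written to a log file.
$diag = Get-DnsServerDiagnostics -ComputerName $ComputerName
Add-Finding 12 'Server' 'Diagnostics.Queries' $diag.Queries @('True')
Add-Finding 12 'Server' 'Diagnostics.EnableLoggingToFile' $diag.EnableLoggingToFile @('True')

# Per-zone checks on primary forward zones (skip auto-created and reverse zones).
$zones = Get-DnsServerZone -ComputerName $ComputerName |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated -and -not $_.IsReverseLookupZone }
foreach ($z in $zones) {
    # Item 3: transfers only to listed name servers, listed secondaries, or nobody.
    Add-Finding 3 $z.ZoneName 'SecureSecondaries' $z.SecureSecondaries `
        @('NoTransfer', 'TransferToZoneNameServer', 'TransferToSecureServers')
    # Item 11: AD-integrated zones accept only secure dynamic updates.
    if ($z.IsDsIntegrated) {
        Add-Finding 11 $z.ZoneName 'DynamicUpdate' $z.DynamicUpdate @('Secure')
    }
    # Items 7/8: zone is DNSSEC-signed.
    Add-Finding 7 $z.ZoneName 'IsSigned' $z.IsSigned @('True')
}

$findings | Sort-Object Status, Item | Format-Table -AutoSize
$findings | Export-Csv -NoTypeInformation -Path ".\dns-stig-audit-$ComputerName.csv"
```

The CSV gives a per-finding record to attach to the change history required by item 18; a FAIL is a prompt to review the setting against the STIG, not an automatic remediation.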