| Vuln ID | Severity | Asset | STIG | Title | Status | Doc Status | Assigned To | Actions |
|---|---|---|---|---|---|---|---|---|
| V-259382 | CAT II | MONT-DC-003 | Microsoft Windows Server Domain Name Sys... | The Windows DNS Server must be configured to valid... | - | |||
Check TextNote: This check is not applicable for Windows DNS Servers that host only Active Directory-integrated zones or for Windows DNS Servers on a classified network. Validate this check from the Windows DNS Server being configured/reviewed. Log on to the Windows DNS Server using the account designated as Administrator or DNS Administrator. Determine a valid host in the zone. Open the Windows PowerShell prompt on the Windows DNS Server being configured/reviewed. Issue the following command: PS C:\> Get-DnsServerResourceRecord -ZoneName adatum.com -RRType DS Replace "adatum.com" with the parent zone on the DNS server being evaluated. HostName RecordType Timestamp TimeToLive RecordData -------- ---------- --------- ---------- ---------- corp DS 0 01:00:00 [58555][Sha1][RsaSha1NSec3] corp DS 0 01:00:00 [58555][Sha256][RsaSha1NSec3] corp DS 0 01:00:00 [63513][Sha1][RsaSha1NSec3] corp DS 0 01:00:00 [63513][Sha256][RsaSha1NSec3] If the results do not show the DS records for the child domain(s), this is a finding. In the previous example, DS records for the child zone, corp.adatum.com, were imported into the parent zone, adatum.com, by using the DSSET file in the c:\windows\system32\dns directory. The DSSET file was located in this directory because the local DNS server is the Key primary for the child zone. If the Key Master DNS server for a child zone is not the same computer as the primary authoritative DNS server for the parent zone where the DS record is being added, the DSSET file must be obtained for the child zone and made available to the primary authoritative server for the parent zone. Alternatively, the DS records can be added manually. Fix TextA DS record must be added manually or imported. The DSSET is automatically added as a file to the Key primary when a zone is signed. This file can be used with the "Import-DnsServerResourceRecordDS" cmdlet to import DS records to the parent zone. Example: PS C:\> Import-DnsServerResourceRecordDS -ZoneName adatum.com -DSSetFile "c:\windows\system32\dns\dsset-corp.adatum.com" Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServerDNS_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: A14A79735BD283F3F019111E748C74455976803D ~~~~~ All zones hosted on this server are Active Directory-integrated so this requirement is NA.
Source: _Reviewed/MONT-DC-003/Checklist/MONT-DC-003_WinServerDNS_V2R3_20251023-172313.ckl
Scan Date: 2026-01-14T12:57:38.179760
Technology Area: Domain Name System
|
||||||||