| Vuln ID | Severity | Asset | STIG | Title | Status | Doc Status | Assigned To | Actions |
|---|---|---|---|---|---|---|---|---|
| V-259394 | CAT II | MONT-DC-003 | Microsoft Windows Server Domain Name Sys... | The Windows DNS Server must only contain zone reco... | - | | | |
Check Text: This requirement is not applicable for a Windows DNS Server that is hosting only Active Directory (AD)-integrated zones. For a Windows DNS Server that hosts a mix of AD-integrated zones and manually maintained zones, ask the DNS database administrator if they maintain a separate database with record documentation for the non-AD-integrated zone information. Verify that the record's last verified date is less than one year prior to the date of the review. If a separate database with record documentation is not maintained for the non-AD-integrated zone information, this is a finding.

If a separate database with record documentation is maintained for the non-AD-integrated zone information, log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. Press the Windows key + R and execute "dnsmgmt.msc". On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". From the expanded list, click to select the zone. Review the zone records of the non-AD-integrated zones and compare them to the separate documentation maintained. Determine if any records have not been validated in more than a year. If zone records exist that have not been validated in more than a year, this is a finding.

Fix Text: Create a separate database to maintain record documentation for non-AD-integrated zones. Develop a procedure to validate annually all zone information on the DNS server against the separately maintained database. Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. Press the Windows key + R and execute "dnsmgmt.msc". On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". From the expanded list, click to select the zone. Select the zone records that have not been validated in more than a year and revalidate them.

Finding Details: Evaluate-STIG 1.2507.5 (Scan-WindowsServerDNS_Checks) found this to be NOT APPLICABLE on 10/23/2025. ResultHash: EBD1CBF9C835BB34171A1BE7AD4ED430C4F56B9D

All Forward Lookup Zones hosted on this server are Active Directory-integrated, so this requirement is NA.

Source: _Reviewed/MONT-DC-003/Checklist/MONT-DC-003_WinServerDNS_V2R3_20251023-172313.ckl
Scan Date: 2026-01-14T12:57:38.179760
Technology Area: Domain Name System