| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServerDNS_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: EBD1CBF9C835BB34171A1BE7AD4ED430C4F56B9D ~~~~~ All Forward Lookup Zones hosted on this server are Active Directory-integrated so this requirement is NA. Comments |
|||||
Check Text
Note: This check is not applicable for Windows DNS Servers that host only Active Directory-integrated zones or for Windows DNS Servers on a classified network. Validate this check from the Windows DNS Server being configured/reviewed. Log on to the Windows DNS Server using the account designated as Administrator or DNS Administrator. Determine a valid host in the zone. Open the Windows PowerShell prompt on the Windows DNS Server being configured/reviewed. Issue the following command: (Replace www.zonename.mil with a FQDN of a valid host in the zone being validated. Replace ###.###.###.### with the FQDN or IP address of the Windows DNS Server hosting the signed zone.) resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok <enter> Note: It is important to use the -server switch followed by the DNS server name/IP address. The result should show the "A" record results. In addition, the results should show QueryType: RRSIG with an expiration, date signed, signer, and signature, similar to the following: Name: www.zonename.mil QueryType: RRSIG TTL: 189 Section: Answer TypeCovered: CNAME Algorithm: 8 LabelCount: 3 OriginalTtl: 300 Expiration: 11/21/2022 10:22:28 PM Signed: 10/22/2022 10:22:28 PM Signer: zonename.mil Signature: {87, 232, 34, 134...} Name: origin-www.zonename.mil QueryType: A TTL: 201 Section: Answer IP4Address: ###.###.###.### If the results do not show the RRSIG and signature information, this is a finding.
Fix Text
Sign or re-sign the hosted zone(s) on the DNS server being validated. Log on to the Windows DNS Server using the Domain Admin or Enterprise Admin account. Press the Windows key + R and execute "dnsmgmt.msc". On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server, and then expand "Forward Lookup Zones". From the expanded list, right-click to select the zone (repeat for each hosted zone), point to DNSSEC, and then click "Sign the Zone" using either approved saved parameters or approved custom parameters.