| Vuln ID | Severity | Asset | STIG | Title | Status | Doc Status | Assigned To | Actions |
|---|---|---|---|---|---|---|---|---|
| V-259403 | CAT II | MONT-DC-003 | Microsoft Windows Server Domain Name Sys... | The DNS Name Server software must be configured to... | - | |||

Check Text:

The "EnableVersionQuery" property controls what version information the DNS server will respond with when a DNS query with class set to "CHAOS" and type set to "TXT" is received.

Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account.

Open a command window and execute the command:

    nslookup <enter>

Note: Confirm the Default Server is the DNS server on which the command is being run.

At the nslookup prompt, type:

    set type=TXT <enter>
    set class=CHAOS <enter>
    version.bind <enter>

If the response returns something similar to text = "Microsoft DNS 6.1.7601 (1DB14556)", this is a finding.

Fix Text:

To disable the version being returned in queries, execute the following command:

    dnscmd /config /EnableVersionQuery 0 <enter>

Finding Details:

Evaluate-STIG 1.2507.5 (Scan-WindowsServerDNS_Checks) found this to be NOT A FINDING on 10/23/2025
ResultHash: 61E8A883CEBE6190A40D2710E426BE2D03B1A4D8
~~~~~
EnableVersionQuery: 0

Source: _Reviewed/MONT-DC-003/Checklist/MONT-DC-003_WinServerDNS_V2R3_20251023-172313.ckl
Scan Date: 2026-01-14T12:57:38.179760
Technology Area: Domain Name System