| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | | | |

Finding Details: No details recorded.
Check Text
Note: Sinkhole name servers host records that are manually added and for which the name server is not authoritative. It is configured and intended to block resolvers from reaching a destination by directing the query to a sinkhole. If the sinkhole name server is not authoritative for any zones and serves only as a caching/forwarding name server, this check is not applicable.

The non-Active Directory (AD)-integrated, standalone, caching Windows DNS Server must be configured to be DNSSEC aware. When performing caching and lookups, the caching name server must be able to obtain a zone signing key (ZSK) DNSKEY record and the corresponding RRSIG record for the queried record. It will use this information to compute the hash for the hostname being resolved. The caching name server decrypts the RRSIG record for the hostname being resolved with the zone's ZSK to get the RRSIG record hash, then compares the hashes and ensures they match.

If the non-AD-integrated, standalone, caching Windows DNS Server is not configured to be DNSSEC aware, this is a finding.
Fix Text
Implement DNSSEC on all non-AD-integrated, standalone, caching Windows DNS Servers to ensure the caching server validates signed zones when resolving and caching.
Finding Details: No details recorded.
Check Text
Note: This check is not applicable if Windows DNS Server is only serving as a caching server and does not host any zones authoritatively.

Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. Press the Windows key + R and execute "dnsmgmt.msc". On the opened DNS Manager snap-in, from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". From the expanded list, click to select the zone. Review the NS records for the zone. Verify each of the name servers, represented by the NS records, is active.

At a command prompt on any system, type:
nslookup <enter>
At the nslookup prompt, type:
server ###.###.###.### <enter>
(where ###.###.###.### is replaced by the IP of each NS record)
Enter a FQDN for a known host record in the zone.

If the NS server does not respond at all or responds with a nonauthoritative answer, this is a finding.
Fix Text
If DNS servers are Active Directory (AD) integrated, troubleshoot and remedy the replication problem where the nonresponsive name server is not being updated.

If DNS servers are not AD integrated, log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. Press the Windows key + R and execute "dnsmgmt.msc". On the opened DNS Manager snap-in, from the left pane, expand the server name for the DNS server, and then expand "Forward Lookup Zones". From the expanded list, click to select the zone. Review the NS records for the zone. Select the NS record for the nonresponsive name server and remove the record.
Finding Details: Evaluate-STIG 1.2507.5 (Scan-WindowsServerDNS_Checks) found this to be NOT APPLICABLE on 10/23/2025. ResultHash: EBD1CBF9C835BB34171A1BE7AD4ED430C4F56B9D
All Forward Lookup Zones hosted on this server are Active Directory-integrated so this requirement is NA.
Check Text
Note: This check is not applicable for Windows DNS Servers that host only Active Directory-integrated zones or for Windows DNS Servers on a classified network.

Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. Press the Windows key + R and execute "dnsmgmt.msc". On the opened DNS Manager snap-in, from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". From the expanded list, click to select each zone. Review the RRs for each zone and verify all of the DNSSEC record types are included for the zone.

Note: The DS (Delegation Signer) record should also exist, but the requirement for it is validated under WDNS-22-000054.

RRSIG (Resource Record Signature)
DNSKEY (Public Key)
NSEC3 (Next Secure 3)

If the zone does not show all the DNSSEC record types, this is a finding.
Fix Text
Sign or re-sign the hosted zone(s) on the DNS server being validated.

Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. Press the Windows key + R and execute "dnsmgmt.msc". On the opened DNS Manager snap-in, from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". From the expanded list, right-click to select the zone (repeat for each hosted zone), point to DNSSEC, and then click "Sign the Zone", using either approved saved parameters or approved custom parameters.
Finding Details: Evaluate-STIG 1.2507.5 (Scan-WindowsServerDNS_Checks) found this to be NOT APPLICABLE on 10/23/2025. ResultHash: EBD1CBF9C835BB34171A1BE7AD4ED430C4F56B9D
All Forward Lookup Zones hosted on this server are Active Directory-integrated so this requirement is NA.
Check Text
Note: This check is not applicable for Windows DNS Servers that host only Active Directory-integrated zones or for Windows DNS Servers on a classified network.

Once resource records are received by a DNS server via a secure dynamic update, the resource records will automatically become signed by DNSSEC if the zone was originally signed by DNSSEC. Authenticity of query responses for dynamically updated resource records can be validated by querying for whether the zone/record is signed by DNSSEC.

Validate this check from the Windows DNS Server being configured/reviewed. Log on to the Windows DNS Server using the account designated as Administrator or DNS Administrator. Determine a valid host in the zone. Open the Windows PowerShell prompt on the Windows DNS Server being configured/reviewed. Issue the following command (replace www.zonename.mil with a FQDN of a valid host in the zone being validated; replace 131.77.60.235 with the FQDN or IP address of the Windows DNS Server hosting the signed zone):

resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok <enter>

Note: It is important to use the -server switch followed by the DNS server name/IP address.

The result should show the "A" record results. In addition, the results should show QueryType: RRSIG with an expiration, date signed, signer, and signature, similar to the following:

Name : www.zonename.mil
QueryType : RRSIG
TTL : 189
Section : Answer
TypeCovered : CNAME
Algorithm : 8
LabelCount : 3
OriginalTtl : 300
Expiration : 11/21/2014 10:22:28 PM
Signed : 10/22/2014 10:22:28 PM
Signer : zonename.mil
Signature : {87, 232, 34, 134...}

Name : origin-www.zonename.mil
QueryType : A
TTL : 201
Section : Answer
IP4Address : 156.112.108.76

If the results do not show the RRSIG and signature information, this is a finding.
Fix Text
Sign or re-sign the hosted zone(s) on the DNS server being validated.

Log on to the Windows DNS Server using the account designated as Administrator or DNS Administrator. If not automatically started, initialize the Server Manager window by clicking its icon from the bottom left corner of the screen. Once the Server Manager window is initialized, from the left pane, click to select the DNS category. From the right pane, under the "SERVERS" section, right-click the DNS server. From the context menu that appears, click "DNS Manager". In the DNS Manager console tree on the DNS server being validated, navigate to "Forward Lookup Zones". Right-click the zone (repeat for each hosted zone), point to DNSSEC, and then click "Sign the Zone" using either approved saved parameters or approved custom parameters.
Finding Details: Evaluate-STIG 1.2507.5 (Scan-WindowsServerDNS_Checks) found this to be NOT APPLICABLE on 10/23/2025. ResultHash: EBD1CBF9C835BB34171A1BE7AD4ED430C4F56B9D
All Forward Lookup Zones hosted on this server are Active Directory-integrated so this requirement is NA.
Check Text
Note: This check is not applicable for Windows DNS Servers that host only Active Directory-integrated zones or for Windows DNS Servers on a classified network.

Validate this check from the Windows DNS Server being configured/reviewed. Log on to the Windows DNS Server using the account designated as Administrator or DNS Administrator. Determine a valid host in the zone. Open the Windows PowerShell prompt on the Windows DNS Server being configured/reviewed. Issue the following command (replace www.zonename.mil with a FQDN of a valid host in the zone being validated; replace ###.###.###.### with the FQDN or IP address of the Windows DNS Server hosting the signed zone):

resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok <enter>

Note: It is important to use the -server switch followed by the DNS server name/IP address.

The result should show the "A" record results. In addition, the results should show QueryType: RRSIG with an expiration, date signed, signer, and signature, similar to the following:

Name: www.zonename.mil
QueryType: RRSIG
TTL: 189
Section: Answer
TypeCovered: CNAME
Algorithm: 8
LabelCount: 3
OriginalTtl: 300
Expiration: 11/21/2014 10:22:28 PM
Signed: 10/22/2014 10:22:28 PM
Signer: zonename.mil
Signature: {87, 232, 34, 134...}

Name: origin-www.zonename.mil
QueryType: A
TTL: 201
Section: Answer
IP4Address: ###.###.###.###

If the results do not show the RRSIG and signature information, this is a finding.
Fix Text
Sign or re-sign the hosted zone(s) on the DNS server being validated.

Log on to the Windows DNS Server using the account designated as Administrator or DNS Administrator. Press the Windows key + R and execute "dnsmgmt.msc". On the opened DNS Manager snap-in, from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". From the expanded list, right-click to select the zone (repeat for each hosted zone), point to DNSSEC, and then click "Sign the Zone" using either approved saved parameters or approved custom parameters.
Finding Details: Evaluate-STIG 1.2507.5 (Scan-WindowsServerDNS_Checks) found this to be OPEN on 10/23/2025. ResultHash: 5B46D5B8BFB09AAA7562E5B84BB05F605A0A79D3
Forwarders in use and root hints are NOT disabled.
RecursionEnable: True
UseRootHint: True [finding]
Forwarders:
164.231.70.121 : MNOCE-DC-01.ASHORE.MSC.NAVY.MIL
164.231.102.4 : MNOCW-DC-01.ASHORE.MSC.NAVY.MIL
Check Text
Note: If the Windows DNS Server is in the classified network, this check is not applicable. If forwarders are not being used, this is not applicable.

Note: In Windows DNS Server, if forwarders are configured, the recursion setting must also be enabled because disabling recursion will disable forwarders. If forwarders are not used, recursion must be disabled. In both cases, the use of root hints must be disabled.

Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. Press the Windows key + R and execute "dnsmgmt.msc". On the opened DNS Manager snap-in, from the left pane, right-click on the server name for the DNS server and select "Properties". Click the "Forwarders" tab. Review the IP address(es) of the forwarder(s) in use.

If the DNS server does not forward to another DOD-managed DNS server or to the DOD ERS, this is a finding.

If "Use root hints if no forwarders are available" is selected, this is a finding.
Fix Text
Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. Press the Windows key + R and execute "dnsmgmt.msc". On the opened DNS Manager snap-in, from the left pane, right-click on the server name for the DNS server and select "Properties". Click the "Forwarders" tab.

Replace the forwarders being used with another DOD-managed DNS server or the DOD ERS. Deselect "Use root hints if no forwarders are available".
Finding Details: Evaluate-STIG 1.2507.5 (Scan-WindowsServerDNS_Checks) was unable to determine a Status but found the below configuration on 10/23/2025. ResultHash: F9204B7D69DAD3DA8658D90BB56D2DB12C1A647F
Configured root hints:
NameServer: A.ROOT-SERVERS.NET. IPv4Address: 198.41.0.4 IPv6Address: 2001:503:ba3e::2:30
NameServer: B.ROOT-SERVERS.NET. IPv4Address: 192.228.79.201 IPv6Address: 2001:500:84::b
NameServer: C.ROOT-SERVERS.NET. IPv4Address: 192.33.4.12 IPv6Address: 2001:500:2::c
NameServer: D.ROOT-SERVERS.NET. IPv4Address: 199.7.91.13 IPv6Address: 2001:500:2d::d
NameServer: E.ROOT-SERVERS.NET. IPv4Address: 192.203.230.10 IPv6Address:
NameServer: F.ROOT-SERVERS.NET. IPv4Address: 192.5.5.241 IPv6Address: 2001:500:2f::f
NameServer: G.ROOT-SERVERS.NET. IPv4Address: 192.112.36.4 IPv6Address:
NameServer: H.ROOT-SERVERS.NET. IPv4Address: 198.97.190.53 IPv6Address: 2001:500:1::53
NameServer: I.ROOT-SERVERS.NET. IPv4Address: 192.36.148.17 IPv6Address: 2001:7fe::53
NameServer: J.ROOT-SERVERS.NET. IPv4Address: 192.58.128.30 IPv6Address: 2001:503:c27::2:30
NameServer: K.ROOT-SERVERS.NET. IPv4Address: 193.0.14.129 IPv6Address: 2001:7fd::1
NameServer: L.ROOT-SERVERS.NET. IPv4Address: 199.7.83.42 IPv6Address: 2001:500:9f::42
NameServer: M.ROOT-SERVERS.NET. IPv4Address: 202.12.27.33 IPv6Address: 2001:dc3::35
Check Text
Note: If the Windows DNS Server is in the classified network, this check is not applicable.

Log on to the authoritative DNS server using the Domain Admin or Enterprise Admin account. Press the Windows key + R and execute "dnsmgmt.msc". Right-click the DNS server and select "Properties". Select the "Root Hints" tab. Verify "Root Hints" is empty or only has entries for internal zones under "Name servers:". All internet root server entries must be removed.

If "Root Hints" is not empty or entries on the "Root Hints" tab under "Name servers:" are external to the local network, this is a finding.
Fix Text
Log on to the authoritative DNS server using the Domain Admin or Enterprise Admin account. Press the Windows key + R and execute "dnsmgmt.msc". Right-click the DNS server and select "Properties". Select the "Root Hints" tab.

Remove the root hints from the DNS Manager, the CACHE.DNS file, and from Active Directory for name servers outside the internal network. Replace the existing root hints with new root hints of internal servers.

If the DNS server is forwarding, click to select the "Do not use recursion for this domain" check box on the "Forwarders" tab in DNS Manager to ensure the root hints will not be used.
Finding Details: Evaluate-STIG 1.2507.5 (Scan-WindowsServerDNS_Checks) was unable to determine a Status but found the below configuration on 10/23/2025. ResultHash: 7EC5A18BF9192AC333D4CC14D51C880FDD39A535
The following do not have appropriate permissions:
C:\ProgramData\Microsoft\Crypto\Keys\125a35bfeec08eb6cf92450e6fb55cd6_e6f0542d-9c29-4936-9687-87e94910a1b8 (Principal: CREATOR OWNER, Access: FullControl, Compliant: False)
C:\ProgramData\Microsoft\Crypto\Keys\4f35ff067d87a24bf1990e568e5f967f_e6f0542d-9c29-4936-9687-87e94910a1b8 (Principal: CREATOR OWNER, Access: FullControl, Compliant: False)
C:\ProgramData\Microsoft\Crypto\Keys\5aed67ae076fb2f5f53881c402ba0845_e6f0542d-9c29-4936-9687-87e94910a1b8 (Principal: CREATOR OWNER, Access: FullControl, Compliant: False)
C:\ProgramData\Microsoft\Crypto\Keys\81994d8c11e3c9f13762296e22c36316_e6f0542d-9c29-4936-9687-87e94910a1b8 (Principal: CREATOR OWNER, Access: FullControl, Compliant: False)
C:\ProgramData\Microsoft\Crypto\Keys\a4f113d03572f30f4cb27719b2babfc6_e6f0542d-9c29-4936-9687-87e94910a1b8 (Principal: CREATOR OWNER, Access: FullControl, Compliant: False)
Check Text
Navigate to the following location: %ALLUSERSPROFILE%\Microsoft\Crypto\Keys

Note: If the folder above does not exist, this is not applicable.

Verify the permissions on the folder, subfolders, and files are limited to SYSTEM and Administrators FULL CONTROL.

In File Explorer: For each folder, subfolder, and file, view the Properties. Select the "Security" tab, and then click "Advanced".

Default permissions for C:\ProgramData\Microsoft\Crypto\Keys (Type is "Allow" for all; Inherited from is "None" for all):

| Principal | Access | Applies to |
|---|---|---|
| SYSTEM | Full control | This folder, subfolders and files |
| Administrators | Full control | This folder, subfolders and files |
| Everyone | Read | This folder, subfolders, and files |

Alternately, use icacls: Open a command prompt and enter "icacls" followed by the directory, for each folder, subfolder, and file:

"icacls %ALLUSERSPROFILE%\Microsoft\Crypto\Keys"

C:\ProgramData\microsoft\crypto\keys NT AUTHORITY\SYSTEM:(OI)(CI)(F)
BUILTIN\Administrators:(OI)(CI)(F)
Everyone:(OI)(CI)(R)
Successfully processed 1 files; Failed processing 0 files

If any other user or group has greater than READ privileges to the %ALLUSERSPROFILE%\Microsoft\Crypto\Keys folder, subfolders, and files, this is a finding.
Fix Text
Navigate to the following location: %ALLUSERSPROFILE%\Microsoft\Crypto\Keys

Modify permissions on the keys folder, subfolders, and files to be limited to SYSTEM and Administrators FULL CONTROL, and to limit all other users/groups to READ.

If additional permissions are needed, they must be documented and approved by the information system security officer (ISSO) or information system security manager (ISSM).
Finding Details: No details recorded.
Check Text
Notification to the system administrator is not configurable in Windows DNS Server. For system administrators to be notified when a component fails, the system administrator would have to implement a third-party monitoring system. At a minimum, the system administrator should have a documented procedure in place to review the diagnostic logs on a routine basis every day. If a third-party monitoring system is not in place to detect and notify the system administrator upon component failures, and the system administrator does not have a documented procedure in place to review the diagnostic logs on a routine basis every day, this is a finding.
Fix Text
Implement a third-party monitoring system to detect and notify the system administrator upon component failure or, at a minimum, document and implement a procedure to review the diagnostic logs on a routine basis every day.
Finding Details: No details recorded.
Check Text
This functionality should be performed by an approved and properly configured DOD system monitoring solution. If all required DOD products are not installed and/or the installed products are not enabled, this is a finding.
Fix Text
Install an approved DOD system monitoring solution.
Finding Details: No details recorded.
Check Text
Review the DNS implementation's authentication methods and settings to determine if multifactor authentication is used to gain nonlocal access for maintenance and diagnostics. If multifactor authentication is not used, this is a finding.
Fix Text
Configure the DNS system to use multifactor authentication for nonlocal access for maintenance and diagnostics.
Finding Details: Evaluate-STIG 1.2507.5 (Scan-WindowsServerDNS_Checks) found this to be OPEN on 10/23/2025. ResultHash: 986E2AA371EE57C0BE58CB7A9BFDD5C0FC13FA58
File System: No Auditing
Check Text
Use the AuditPol tool to review the current Audit Policy configuration: Open a Command Prompt with elevated privileges ("Run as Administrator"). Enter "AuditPol /get /category:*". Compare the AuditPol settings with the following.

If the system does not audit the following, this is a finding.

Object Access >> File System - Failure
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> Audit File System with "Failure" selected.
Finding Details: No details recorded.
Check Text
Consult with the system administrator to determine the backup policy in place for Windows DNS Server. Review the backup methods used and determine if the backup methods have been successful at backing up the audit records at least every seven days. If the organization does not have a backup policy in place for backing up the Windows DNS Server's audit records and/or the backup methods have not been successful at backing up the audit records at least every seven days, this is a finding.
Fix Text
Document and implement a backup policy to back up the DNS server's audit records at least every seven days.
Finding Details: Evaluate-STIG 1.2507.5 (Scan-WindowsServerDNS_Checks) found this to be OPEN on 10/23/2025. ResultHash: 0B575F416B20B37BBFDE2A14E481ED5B2F0C8C53
Mode: Disable
Check Text
As an administrator, run PowerShell and enter the following command: "Get-DnsServerResponseRateLimiting". If "Mode" is not set to "Enable", this is a finding.
Fix Text
As an administrator, run PowerShell and enter the command "Set-DnsServerResponseRateLimiting" to apply default values or "Set-DnsServerResponseRateLimiting -WindowInSec 7 -LeakRate 4 -TruncateRate 3 -ErrorsPerSec 8 -ResponsesPerSec 8". These settings are just an example. For more information, go to: https://learn.microsoft.com/en-us/powershell/module/dnsserver/set-dnsserverresponseratelimiting?view=windowsserver2022-ps
Finding Details: Evaluate-STIG 1.2507.5 (Scan-WindowsServerDNS_Checks) found this to be NOT A FINDING on 10/23/2025. ResultHash: 6DFE955F064B250F5DB20A0A73767541A3B1FBEC
All Active Directory-Integrated Forward Lookup Zones have Dynamic Updates configured to 'Secure Only'.
Check Text
Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. Press the Windows key + R and execute "dnsmgmt.msc". On the opened DNS Manager snap-in from the left pane, expand the server name and then expand "Forward Lookup Zones". From the expanded list, click to select the zone. Once selected, right-click the name of the zone. From the displayed context menu, click the "Properties" option. On the opened domain's properties box, click the "General" tab. Verify the "Type:" is "Active Directory-Integrated". Verify "Dynamic updates" has "Secure only" selected. If the zone is "Active Directory-Integrated" and "Dynamic updates" are not configured for "Secure only", this is a finding.
Fix Text
Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. Press the Windows key + R and execute "dnsmgmt.msc". On the opened DNS Manager snap-in from the left pane, expand the server name and then expand "Forward Lookup Zones". From the expanded list, click to select the zone. Once selected, right-click the name of the zone. From the displayed context menu, click the "Properties" option. On the opened domain's properties box, click the "General" tab. If the "Type:" is not "Active Directory-Integrated", configure the zone for Active Directory integration. Select "Secure only" from the "Dynamic updates:" drop-down list.
Finding Details: Evaluate-STIG 1.2507.5 (Scan-WindowsServerDNS_Checks) found this to be NOT A FINDING on 10/23/2025. ResultHash: 716311E4FBAAECFAAD34DF4E30AF5917CCF6742B
EventLogLevel: 4 - All events
Check Text
Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. Press the Windows key + R and execute "dnsmgmt.msc". Right-click the DNS server and select "Properties". Click the "Event Logging" tab. By default, all events are logged. Verify "Errors and warnings" or "All events" is selected. If any option other than "Errors and warnings" or "All events" is selected, this is a finding.
Fix Text
Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. If not automatically started, initialize the "Server Manager" window by clicking its icon from the bottom left corner of the screen. On the opened "Server Manager" window, from the left pane, click to select "DNS". From the right pane, under the "SERVERS" section, right-click the DNS server. From the displayed context menu, click the "DNS Manager" option. Click the "Event Logging" tab. Select the "Errors and warnings" or "All events" option. Click "Apply". Click "OK".
Finding Details: No details recorded.
Check Text
Windows DNS Servers hosting Active Directory (AD)-integrated zones transfer zone information via AD replication. Windows DNS Servers hosting non-AD-integrated zones as a secondary name server and/or not hosting AD-integrated zones use zone transfer to sync zone data.

If the Windows DNS Server hosts only AD-integrated zones and all other name servers for the zones hosted are Active Directory Domain Controllers, this requirement is not applicable. If the Windows DNS Server is not an Active Directory Domain Controller or is a secondary name server for a zone with a non-AD-integrated name server as the master, this requirement is applicable.

Administrator notification is only possible if a third-party event monitoring system is configured or, at a minimum, there are documented procedures requiring the administrator to review the DNS logs on a routine, daily basis.

If a third-party event monitoring system is not configured or a documented procedure is not in place requiring the administrator to review the DNS logs on a routine, daily basis, this is a finding.
Fix Text
To detect and notify the administrator, configure a third-party event monitoring system or, at a minimum, document and implement a procedure to require the administrator to check the DNS logs on a routine, daily basis.
Finding Details: Evaluate-STIG 1.2507.5 (Scan-WindowsServerDNS_Checks) found this to be NOT A FINDING on 10/23/2025. ResultHash: 716311E4FBAAECFAAD34DF4E30AF5917CCF6742B
EventLogLevel: 4 - All events
Check Text
Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. Press the Windows key + R and execute "dnsmgmt.msc". Right-click the DNS server and select "Properties". Click the "Event Logging" tab. By default, all events are logged. Verify "Errors and warnings" or "All events" is selected. If any option other than "Errors and warnings" or "All events" is selected, this is a finding.
Fix Text
Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. Press the Windows key + R and execute "dnsmgmt.msc". Right-click the DNS server and select "Properties". Click the "Event Logging" tab. By default, all events are logged. Select the "Errors and warnings" or "All events" option. Click "Apply". Click "OK".
Finding Details: Evaluate-STIG 1.2507.5 (Scan-WindowsServerDNS_Checks) was unable to determine a Status but found the below configuration on 10/23/2025. ResultHash: 8C3CA6264D37EAFBFDCFA35DB1F7281C237588D2
Manage auditing and security log:
BUILTIN\Administrators
Exchange Servers
S-1-5-21-1199390858-2101972093-2013113664-1129
S-1-5-21-270843172-1021756428-1876623829-2158
C:\windows\System32\Winevt\Logs\DNS Server.evtx: default permissions are in place. Current ACL:
NT SERVICE\EventLog:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
Check Text
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment.

If any accounts or groups other than the following are granted the "Manage auditing and security log" user right, this is a finding:
Administrators
Auditors (if the site has an Auditors group that further limits this privilege)

If an application requires this user right, this is not a finding. Vendor documentation must support the requirement for having the user right. The requirement must be documented with the ISSO. The application account must meet requirements for application account passwords.

Verify the permissions on the DNS logs. Standard user accounts or groups must not have greater than READ access. The default location is:
DNS Server: %SystemRoot%\System32\Winevt\Logs\DNS Server.evtx

Use PowerShell and go to PS C:\Windows\System32\winevt\logs>, then run:
icacls.exe 'DNS Server.evtx'

The default permissions listed below satisfy this requirement:
Eventlog - Full Control (I)(F)
SYSTEM - Full Control (I)(F)
Administrators - Full Control (I)(F)

If the permissions for these files are not as restrictive as the access control lists above, this is a finding.
Fix Text
Configure the permissions on the DNS logs. Standard user accounts or groups must not have greater than READ access.

The default permissions listed below satisfy this requirement:
Eventlog - Full Control
SYSTEM - Full Control
Administrators - Full Control

The default location is:
DNS Server: %SystemRoot%\System32\Winevt\Logs\DNS Server.evtx
Finding Details: Evaluate-STIG 1.2507.5 (Scan-WindowsServerDNS_Checks) found this to be NOT APPLICABLE on 10/23/2025. ResultHash: EBD1CBF9C835BB34171A1BE7AD4ED430C4F56B9D. All Forward Lookup Zones hosted on this server are Active Directory-integrated so this requirement is NA.
Check Text
Note: This check is not applicable for Windows DNS Servers that host only Active Directory-integrated zones or for Windows DNS Servers on a classified network. Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. Press the Windows key + R and execute "dnsmgmt.msc". On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". From the expanded list, click to select the zone. View the validity period for the DS RR. If the validity period for the DS RR for the child domain is less than two days (48 hours) or more than one week (168 hours), this is a finding.
Fix Text
Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. Press the Windows key + R and execute "dnsmgmt.msc". On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". From the expanded list, click to select the zone. Right-click on the zone and choose DNSSEC >> Properties. On the ZSK tab, for DS signature validity period (hours), choose more than 48 and less than 168.
Finding Details: No details recorded.
Check Text
Windows DNS Servers that are Active Directory (AD) integrated must be located where required to meet the AD services. If all the Windows DNS Servers are AD integrated, this check is not applicable. If any or all the Windows DNS Servers are standalone and non-AD integrated, verify their geographic location with the system administrator. If any or all of the authoritative name servers are located in the same building as the primary authoritative name server and the primary authoritative name server is not "hidden", this is a finding.
Fix Text
For non-AD integrated Windows DNS Servers, distribute secondary authoritative servers to be in different buildings from the primary authoritative server.
Finding Details: Evaluate-STIG 1.2507.5 (Scan-WindowsServerDNS_Checks) found this to be NOT APPLICABLE on 10/23/2025. ResultHash: 1A3871BA6DF0E6D02106B9E7ADB7A71A5DBCE497. Forwarders are configured and enabled so this requirement is NA.

```text
RecursionEnable: True
Forwarders:
---------------------------
164.231.70.121 : MNOCE-DC-01.ASHORE.MSC.NAVY.MIL
164.231.102.4 : MNOCW-DC-01.ASHORE.MSC.NAVY.MIL
```
Check Text
Note: In Windows DNS Server, if forwarders are configured, the recursion setting must also be enabled because disabling recursion will disable forwarders. If forwarders are not used, recursion must be disabled. In both cases, the use of root hints must be disabled. The root hints configuration requirement is addressed in WDNS-22-000012. Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. Press the Windows key + R and execute "dnsmgmt.msc". On the opened DNS Manager snap-in from the left pane, right-click on the server name for the DNS server and select "Properties". Click the "Forwarders" tab. If forwarders are enabled and configured, this check is not applicable. If forwarders are not enabled, click the "Advanced" tab and verify the "Disable recursion (also disables forwarders)" check box is selected. If forwarders are not enabled and configured, and the "Disable recursion (also disables forwarders)" check box in the "Advanced" tab is not selected, this is a finding. This is not applicable for classified networks.
Fix Text
Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. Press the Windows key + R and execute "dnsmgmt.msc". On the opened DNS Manager snap-in from the left pane, right-click on the server name for the DNS server and select "Properties". Click the "Forwarders" tab. If forwarders are not being used, click the "Advanced" tab. Select the "Disable recursion (also disables forwarders)" check box.
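The forwarders/recursion rule above can be evaluated without the GUI. The following is an added audit helper, not part of the STIG or of Evaluate-STIG; it assumes the DnsServer PowerShell module (installed with the DNS Server role or RSAT) and reads the same three settings the check text walks through.

```powershell
# Added audit helper (not part of the STIG or Evaluate-STIG). Evaluates the
# forwarders / recursion / root-hints rule on a Windows DNS Server:
#   forwarders present  -> recursion must stay enabled, no root-hint fallback
#   no forwarders       -> recursion must be disabled
#   root hints          -> must be absent in both cases (WDNS-22-000012)
Import-Module DnsServer

function Test-DnsRecursionPosture {
    param([string]$ComputerName = $env:COMPUTERNAME)

    $recursion  = Get-DnsServerRecursion -ComputerName $ComputerName
    $forwarders = Get-DnsServerForwarder -ComputerName $ComputerName
    $rootHints  = @(Get-DnsServerRootHint -ComputerName $ComputerName)

    $hasForwarders = @($forwarders.IPAddress).Count -gt 0
    $issues = @()

    if ($hasForwarders) {
        # Disabling recursion silently disables the forwarders as well.
        if (-not $recursion.Enable) {
            $issues += 'Forwarders are configured but recursion is disabled, so the forwarders are inactive.'
        }
        # Falling back to root hints would bypass the configured forwarders.
        if ($forwarders.UseRootHint) {
            $issues += 'Forwarders fall back to root hints (UseRootHint is True).'
        }
    } elseif ($recursion.Enable) {
        # No forwarders: the server must not recurse on behalf of clients at all.
        $issues += 'No forwarders are configured and recursion is enabled.'
    }

    if ($rootHints.Count -gt 0) {
        $issues += "Root hints are present ($($rootHints.Count) NS records)."
    }

    [pscustomobject]@{
        ComputerName     = $ComputerName
        RecursionEnabled = $recursion.Enable
        Forwarders       = (@($forwarders.IPAddress) -join ', ')
        UseRootHint      = $forwarders.UseRootHint
        RootHintCount    = $rootHints.Count
        Finding          = ($issues.Count -gt 0)
        Issues           = ($issues -join ' ')
    }
}

Test-DnsRecursionPosture | Format-List
```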
Finding Details: Evaluate-STIG 1.2507.5 (Scan-WindowsServerDNS_Checks) found this to be NOT APPLICABLE on 10/23/2025. ResultHash: EBD1CBF9C835BB34171A1BE7AD4ED430C4F56B9D. All Forward Lookup Zones hosted on this server are Active Directory-integrated so this requirement is NA.
Check Text
Note: If the Windows DNS Server hosts only Active Directory (AD)-integrated zones and does not host any file-based zones, this is not applicable. Note: This requirement does not apply for classified environments.

Validate this check from the Windows DNS Server being configured/reviewed. Log on to the Windows DNS Server using the account designated as Administrator or DNS Administrator. Determine a valid host in the zone. Open the Windows PowerShell prompt on the Windows DNS Server being configured/reviewed. Issue the following command (replace www.zonename.mil with the FQDN of a valid host in the zone being validated, and ###.###.###.### with the FQDN or IP address of the Windows DNS Server hosting the signed zone):

```
resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok
```

Note: It is important to use the -server switch followed by the DNS server name/IP address.

The result should show the "A" record results. In addition, the results should show QueryType: RRSIG with an expiration, date signed, signer, and signature, similar to the following:

```
Name        : www.zonename.mil
QueryType   : RRSIG
TTL         : 189
Section     : Answer
TypeCovered : CNAME
Algorithm   : 8
LabelCount  : 3
OriginalTtl : 300
Expiration  : 11/21/2022 10:22:28 AM
Signed      : 10/22/2022 10:22:28 AM
Signer      : zonename.mil
Signature   : {87, 232, 34, 134...}

Name        : origin-www.zonename.mil
QueryType   : A
TTL         : 201
Section     : Answer
IP4Address  : ###.###.###.###
```

If the results do not show the RRSIG and signature information, this is a finding.
Fix Text
Sign or re-sign the hosted zone(s) on the DNS server being validated. Log on to the DNS server using the account designated as Administrator or DNS Administrator. Press the Windows key + R and execute "dnsmgmt.msc". On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". From the expanded list, right-click to select the zone (repeat for each hosted zone), point to DNSSEC, and then click "Sign the Zone" using either approved saved parameters or approved custom parameters.
Finding Details: Evaluate-STIG 1.2507.5 (Scan-WindowsServerDNS_Checks) found this to be NOT APPLICABLE on 10/23/2025. ResultHash: EBD1CBF9C835BB34171A1BE7AD4ED430C4F56B9D. All Forward Lookup Zones hosted on this server are Active Directory-integrated so this requirement is NA.
Check Text
Note: This check is not applicable for Windows DNS Servers that host only Active Directory-integrated zones or Windows DNS Servers on a classified network. Log on to the DNS server using the account designated as Administrator or DNS Administrator. Press the Windows key + R and execute "dnsmgmt.msc". On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". From the expanded list, click to select the zone. Right-click the zone and select DNSSEC >> Properties. Select the "KSK" tab. Verify the "DNSKEY signature validity period (hours):" is set to at least 48 hours and no more than 168 hours. Select the "ZSK" tab. Verify the "DNSKEY signature validity period (hours):" is set to at least 48 hours and no more than 168 hours. If either the "KSK" or "ZSK" tab "DNSKEY signature validity period (hours):" values are set to less than 48 hours or more than 168 hours, this is a finding.
Fix Text
Log on to the DNS server using the account designated as Administrator or DNS Administrator. Press the Windows key + R and execute "dnsmgmt.msc". On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". From the expanded list, click to select the zone. Right-click the zone and select DNSSEC >> Properties. Select the "KSK" tab. For the "DNSKEY RRSET signature validity period (hours):" setting, configure to a value between 48 and 168 hours. Select the "ZSK" tab. For the "DNSKEY signature validity period (hours):" setting, configure to a value between 48 and 168 hours.
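The DS validity-period check earlier on this page and the KSK/ZSK DNSKEY validity-period check above test the same 48 to 168 hour window. The following is an added audit helper, not part of the STIG or of Evaluate-STIG, that reads both periods for every key of every signed file-based zone; it assumes the DnsServer module and that Get-DnsServerSigningKey exposes the per-key DnsKeySignatureValidityPeriod and DSSignatureValidityPeriod values shown on the KSK/ZSK tabs.

```powershell
# Added audit helper (not part of the STIG or Evaluate-STIG). Flags any signing
# key whose DNSKEY or DS signature validity period falls outside 48..168 hours.
Import-Module DnsServer

$MinHours = 48    # two days
$MaxHours = 168   # one week

function Test-DnsSecValidityPeriods {
    param([string]$ComputerName = $env:COMPUTERNAME)

    # Only signed, file-based primary zones are in scope for these checks.
    $zones = Get-DnsServerZone -ComputerName $ComputerName |
        Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsDsIntegrated -and
                       -not $_.IsAutoCreated -and $_.IsSigned }

    foreach ($zone in $zones) {
        # One object per key; the KSK and ZSK each carry their own periods
        # (assumption: these property names match the DnsServerSigningKey object).
        $keys = Get-DnsServerSigningKey -ZoneName $zone.ZoneName -ComputerName $ComputerName
        foreach ($key in $keys) {
            $dnskeyHours = [int]$key.DnsKeySignatureValidityPeriod.TotalHours
            $dsHours     = [int]$key.DSSignatureValidityPeriod.TotalHours
            $dnskeyOk = ($dnskeyHours -ge $MinHours) -and ($dnskeyHours -le $MaxHours)
            $dsOk     = ($dsHours     -ge $MinHours) -and ($dsHours     -le $MaxHours)

            [pscustomobject]@{
                Zone        = $zone.ZoneName
                KeyType     = $key.KeyType          # KeySigningKey / ZoneSigningKey
                KeyId       = $key.KeyId
                DnsKeyHours = $dnskeyHours
                DsHours     = $dsHours
                Finding     = -not ($dnskeyOk -and $dsOk)
            }
        }
    }
}

Test-DnsSecValidityPeriods | Format-Table -AutoSize
```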
Finding Details: Evaluate-STIG 1.2507.5 (Scan-WindowsServerDNS_Checks) found this to be NOT APPLICABLE on 10/23/2025. ResultHash: EBD1CBF9C835BB34171A1BE7AD4ED430C4F56B9D. All Forward Lookup Zones hosted on this server are Active Directory-integrated so this requirement is NA.
Check Text
Note: This check is not applicable for Windows DNS Servers that host only Active Directory-integrated zones or for Windows DNS Servers on a classified network.

Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. Open an elevated Windows PowerShell prompt on a DNS server using the Domain Admin or Enterprise Admin account. Type the following command, where example.com is replaced with the zone hosted on the DNS Server:

```
PS C:\> Get-DnsServerResourceRecord -ZoneName example.com
```

All of the zone's resource records will be returned. This should include the NSEC3 RRs, as depicted below:

```
2vf77rkf63hrgismnuvnb8...   NSEC3   0   01:00:00   [RsaSha1][False][50][F2738D980008F73C]
7ceje475rse25gppr3vphs...   NSEC3   0   01:00:00   [RsaSha1][False][50][F2738D980008F73C]
```

If NSEC3 RRs are not returned for the zone, this is a finding.
Fix Text
Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. If not automatically started, initialize the Server Manager window by clicking its icon from the bottom left corner of the screen. Once the Server Manager window is initialized, from the left pane, click to select the DNS category. From the right pane, under the "SERVERS" section, right-click the DNS server. From the context menu that appears, click "DNS Manager". On the opened DNS Manager snap-in from the left pane, expand the server name and then expand "Forward Lookup Zones". From the expanded list, click to select the zone. Right-click the zone and select DNSSEC >> Sign the Zone. Re-sign the zone using an NSEC3 algorithm (RSA/SHA-1 (NSEC3), RSA/SHA-256, RSA/SHA-512).
Finding Details: No details recorded.
Check Text
Windows DNS Servers that are Active Directory (AD) integrated must be located where required to meet the Active Directory services. If all of the Windows DNS Servers are AD integrated, this check is not applicable. If any or all the Windows DNS Servers are standalone and non-AD integrated, verify their geographic location with the system administrator. If all of the authoritative name servers are located on the same network segment and the primary authoritative name server is not "hidden", this is a finding.
Fix Text
For non-AD-integrated Windows DNS Servers, distribute secondary authoritative servers on separate network segments from the primary authoritative server.
Finding Details: Evaluate-STIG 1.2507.5 (Scan-WindowsServerDNS_Checks) found this to be NOT APPLICABLE on 10/23/2025. ResultHash: EBD1CBF9C835BB34171A1BE7AD4ED430C4F56B9D. All Forward Lookup Zones hosted on this server are Active Directory-integrated so this requirement is NA.
Check Text
Note: Due to the manner in which Active Directory replication increments SOA records for zones when transferring zone information via Active Directory (AD) replication, this check is not applicable for AD-integrated zones. Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. Press the Windows key + R and execute "dnsmgmt.msc". On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". From the expanded list, click to select the zone. Review the SOA information for the zone and obtain the Serial Number. Access each secondary name server for the same zone and review the SOA information. Verify the Serial Number is the same on all authoritative name servers. If the Serial Number is not the same on one or more authoritative name servers, this is a finding.
Fix Text
If all DNS servers are AD integrated, determine why the replication is not taking place to the out-of-sync secondary name servers and mitigate the issue. Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. Press the Windows key + R and execute "dnsmgmt.msc". On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". From the expanded list, click to select the zone. Initiate a zone transfer to all secondary name servers for the zone.
Finding Details: Evaluate-STIG 1.2507.5 (Scan-WindowsServerDNS_Checks) found this to be NOT APPLICABLE on 10/23/2025. ResultHash: EBD1CBF9C835BB34171A1BE7AD4ED430C4F56B9D. All Forward Lookup Zones hosted on this server are Active Directory-integrated so this requirement is NA.
Check Text
Note: This check is not applicable for Windows DNS Servers that host only Active Directory-integrated zones or for Windows DNS Servers on a classified network. Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. Press the Windows key + R and execute "dnsmgmt.msc". On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". From the expanded list, click to select the zone. Review the zone's RRs in the right windowpane. Review the DNSKEY encryption algorithm in the Data column. Example: [DNSKEY][RsaSha1][31021]. Confirm the algorithm specified in the DNSKEY's data is RsaSha1 at a minimum. If the specified algorithm is not RsaSha1 or stronger, this is a finding.
Fix Text
Sign or re-sign the hosted zone(s) on the DNS server being validated. Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. Press the Windows key + R and execute "dnsmgmt.msc". On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". From the expanded list, right-click to select the zone (repeat for each hosted zone), point to DNSSEC, and then click "Sign the Zone" using either approved saved parameters or approved custom parameters.
Finding Details: No details recorded.
Check Text
Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. Press the Windows key + R and execute "dnsmgmt.msc". On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". From the expanded list, click to select the zone. For each zone, review the records. If any RRs on an internal DNS server resolve to IP addresses located outside the internal DNS server's network, this is a finding. If any RRs on an external DNS server resolve to IP addresses located inside the network, this is a finding.
Fix Text
Remove any RRs from the internal zones for which the resolution is for an external IP address. Remove any RRs from the external zones for which the resolution is for an internal IP address.
Finding Details: No details recorded.
Check Text
Consult with the system administrator to review the external Windows DNS Server's DOD-approved firewall policy. The inbound TCP and UDP port 53 rule should be configured to block only IP addresses from the internal network. If the DOD-approved firewall policy is not configured with the restriction, consult with the network firewall administrator to confirm the restriction on the network firewall. If neither the DNS server's DOD-approved firewall policy nor the network firewall is configured to block internal hosts from querying the external DNS server, this is a finding.
Fix Text
Configure the external DNS server's firewall policy, or the network firewall, to block queries from internal hosts.
Finding Details: No details recorded.
Check Text
Determine if the authoritative primary name server is Active Directory (AD) integrated. Determine if all secondary name servers for every zone for which the primary name server is authoritative are AD-integrated in the same Active Directory. If the authoritative primary name server is AD integrated and all secondary name servers are part of the same AD, this check is not a finding because AD handles the replication of DNS data. If one or more of the secondary name servers are non-AD integrated, verify the primary name server is configured to only send zone transfers to a specific list of secondary name servers. Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. Press the Windows key + R and execute "dnsmgmt.msc". On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server, and then expand "Forward Lookup Zones". From the expanded list, click to select the zone. Right-click the zone and select "Properties". Select the "Zone Transfers" tab. If the "Allow zone transfers:" check box is not selected, this is not a finding. If the "Allow zone transfers:" check box is selected, verify either "Only to servers listed on the Name Server tab" or "Only to the following servers" is selected. If the "To any server" option is selected, this is a finding.
Fix Text
Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. Press the Windows key + R and execute "dnsmgmt.msc". On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". From the expanded list, click to select the zone. Right-click the zone and select "Properties". Select the "Zone Transfers" tab. Select the "Only to servers listed on the Name Server tab" or "Only to the following servers" check box or deselect the "Allow zone transfers" check box. Click "OK".
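The "Zone Transfers" setting above is exposed per zone as the SecureSecondaries property. The following is an added audit helper, not part of the STIG or of Evaluate-STIG; it assumes the DnsServer module and lists every primary zone together with whether it would answer a transfer request from any host, leaving the AD-integrated exception in the check text to the reviewer.

```powershell
# Added audit helper (not part of the STIG or Evaluate-STIG). Maps the DNS Manager
# "Zone Transfers" options to the SecureSecondaries values reported by
# Get-DnsServerZone and flags zones set to "To any server".
Import-Module DnsServer

function Get-ZoneTransferPosture {
    param([string]$ComputerName = $env:COMPUTERNAME)

    Get-DnsServerZone -ComputerName $ComputerName |
        Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated } |
        ForEach-Object {
            # SecureSecondaries values:
            #   NoTransfer               -> "Allow zone transfers" not selected
            #   TransferAnyServer        -> "To any server"                (finding)
            #   TransferToZoneNameServer -> "Only to servers listed on the Name Servers tab"
            #   TransferToSecureServers  -> "Only to the following servers"
            $open = ($_.SecureSecondaries -eq 'TransferAnyServer')
            [pscustomobject]@{
                Zone              = $_.ZoneName
                AdIntegrated      = $_.IsDsIntegrated   # AD replication exception may apply
                SecureSecondaries = $_.SecureSecondaries
                AllowedServers    = (@($_.SecondaryServers) -join ', ')
                Finding           = $open
            }
        }
}

Get-ZoneTransferPosture | Sort-Object Finding -Descending | Format-Table -AutoSize
```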
Finding Details: Evaluate-STIG 1.2507.5 (Scan-WindowsServerDNS_Checks) found this to be NOT APPLICABLE on 10/23/2025. ResultHash: EBD1CBF9C835BB34171A1BE7AD4ED430C4F56B9D. All Forward Lookup Zones hosted on this server are Active Directory-integrated so this requirement is NA.
Check Text
For an Active Directory (AD)-integrated DNS implementation, this is not applicable by virtue of being compliant with the Windows 2022 AD STIG because DNS data within an AD-integrated zone is kept within the Active Directory. For a file-based Windows DNS implementation, log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. Press the Windows key + R and execute "dnsmgmt.msc". On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". From the expanded list, click to select each zone. Right-click each zone and select "Properties". Select the "Security" tab. Review the permissions applied to the zone. No group or user should have greater than READ privileges other than the DNS administrators and the system service account under which the DNS Server Service is running. If any other account/group has greater than READ privileges, this is a finding.
Fix Text
For a file-based Windows DNS implementation, log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. Press the Windows key + R and execute "dnsmgmt.msc". On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". From the expanded list, click to select each zone. Right-click each zone and select "Properties". Select the "Security" tab. Downgrade to READ privileges any group or user that has greater than READ privileges other than the DNS administrators and the system service account under which the DNS Server Service is running.
Finding Details: No details recorded.
Check Text
Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. Press the Windows key + R and execute "dnsmgmt.msc". On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". From the expanded list, review each zone. Consult with the DNS Admin to determine if any of the zones also have hostnames that need to be resolved from the external network. If the zone is split between internal and external networks, verify separate DNS servers have been implemented for each network. If internal and external DNS servers have not been implemented for zones that require resolution from both the internal and external networks, this is a finding.
Fix Text
Configure separate DNS servers for each of the external and internal networks.
Finding Details: No details recorded.
Check Text
Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. Press the Windows key + R and execute "dnsmgmt.msc". On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". From the expanded list, click to select the zone. Confirm with the DNS administrator that the hosts defined in the zone files do not resolve to hosts in another zone with its fully qualified domain name. The exceptions are glue records supporting zone delegations, CNAME records supporting a system migration, or CNAME records that point to third-party CDNs or cloud computing platforms. In the case of third-party CDNs or cloud offerings, an approved mission need must be demonstrated. Additional exceptions are CNAME records in a multidomain Active Directory environment pointing to hosts in other internal domains in the same multidomain environment. If resource records are maintained that resolve to a fully qualified domain name in another zone, and the usage is not for resource records resolving to hosts that are glue records supporting zone delegations, CNAME records supporting a system migration, or CNAME records that point to third-party CDNs or cloud computing platforms with a documented and approved mission need, this is a finding.
Fix Text
Remove any resource records in a zone file if the resource record resolves to a fully qualified domain name residing in another zone.
Finding Details: No details recorded.
Check Text
Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. Press the Windows key + R and execute "dnsmgmt.msc". On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". From the expanded list, click to select the zone. Review the resource records to confirm there are no CNAME records older than six months. The exceptions are glue records supporting zone delegations, CNAME records supporting a system migration, or CNAME records that point to third-party Content Delivery Networks (CDNs) or cloud computing platforms. In the case of third-party CDNs or cloud offerings, an approved mission need must be demonstrated. (Authorizing Official approval of use of a commercial cloud offering would satisfy this requirement.) Additional exceptions are CNAME records in a multidomain Active Directory environment pointing to hosts in other internal domains in the same multidomain environment. If there are zone-spanning (i.e., zones of lesser security) CNAME records older than six months and the CNAME records resolve to anything other than fully qualified domain names for glue records supporting zone delegations, CNAME records supporting a system migration, or CNAME records that point to third-party CDNs or cloud computing platforms with an AO-approved and documented mission need, this is a finding.
Fix Text
Remove any zone-spanning CNAME records that have been active for more than six months, which are not supporting zone delegations, CNAME records supporting a system migration, or CNAME records pointing to third-party CDNs or cloud computing platforms. In the case of third-party CDNs or cloud offerings, an approved mission need must be demonstrated (AO approval of use of a commercial cloud offering would satisfy this requirement).
Finding Details: Evaluate-STIG 1.2507.5 (Scan-WindowsServerDNS_Checks) found this to be NOT A FINDING on 10/23/2025. ResultHash: 90BAF3DAEA7FF61AE5467FA235A328CC6E74B6C9. No Forward Lookup Zones contain IPv6 link-local IP addresses.
Check Text
Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. Press the Windows key + R and execute "dnsmgmt.msc". On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". From the expanded list, click to select the zone. Expand the "Forward Lookup Zones" folder. Expand each zone folder and examine the host record entries. The third column titled "Data" will display the IP. Verify this column does not contain any IP addresses that begin with the prefixes "FE8", "FE9", "FEA", or "FEB". If any nonroutable IPv6 link-local scope addresses are in any zone, this is a finding.
Fix Text
Remove any link-local addresses and replace with appropriate Site-Local or Global scope addresses.
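The "FE8", "FE9", "FEA", "FEB" prefixes in the check text are the textual form of the link-local range fe80::/10. The following is an added audit helper, not part of the STIG or of Evaluate-STIG; it assumes the DnsServer module and tests the address bits rather than the text so compressed notation (fe80::1 versus FE80:0000:...) cannot slip past the check.

```powershell
# Added audit helper (not part of the STIG or Evaluate-STIG). Finds AAAA records
# in every forward lookup zone whose address lies in the link-local scope fe80::/10.
Import-Module DnsServer

function Test-LinkLocalAddress {
    param([System.Net.IPAddress]$Address)
    # fe80::/10: the first byte is 0xFE and the top two bits of the second byte
    # are 10, which is exactly the FE80..FEBF range listed in the check text.
    if ($Address.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetworkV6) {
        return $false
    }
    $b = $Address.GetAddressBytes()
    return ($b[0] -eq 0xFE) -and (($b[1] -band 0xC0) -eq 0x80)
}

function Get-LinkLocalHostRecords {
    param([string]$ComputerName = $env:COMPUTERNAME)

    Get-DnsServerZone -ComputerName $ComputerName |
        Where-Object { -not $_.IsReverseLookupZone -and -not $_.IsAutoCreated } |
        ForEach-Object {
            $zoneName = $_.ZoneName
            # RecordData.IPv6Address is a System.Net.IPAddress for AAAA records.
            Get-DnsServerResourceRecord -ZoneName $zoneName -RRType AAAA -ComputerName $ComputerName |
                Where-Object { Test-LinkLocalAddress $_.RecordData.IPv6Address } |
                ForEach-Object {
                    [pscustomobject]@{
                        Zone     = $zoneName
                        HostName = $_.HostName
                        Address  = $_.RecordData.IPv6Address.IPAddressToString
                    }
                }
        }
}

# Constructed sample addresses to exercise the classifier before scanning zones:
# a link-local, a site-local and a global unicast address.
foreach ($sample in 'fe80::1', 'fec0::1', '2001:db8::1') {
    '{0,-14} link-local: {1}' -f $sample, (Test-LinkLocalAddress ([ipaddress]$sample))
}

$hits = @(Get-LinkLocalHostRecords)
if ($hits.Count -gt 0) { $hits | Format-Table -AutoSize } else { 'No link-local AAAA records found.' }
```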
Finding Details: No details recorded.
Check Text
Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. Press the Windows key + R and execute "dnsmgmt.msc". On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". From the expanded list, select each zone and examine the host record entries. The third column titled "Data" will display the IP. Determine if any contain both IPv4 and IPv6 addresses. If any hostnames contain both IPv4 and IPv6 addresses, confirm with the system administrator that the actual hosts are in a dual stack. If any zones contain hosts with both IPv4 and IPv6 addresses but are determined to be not in a dual stack, this is a finding.
Fix Text
Remove any IPv6 records for hosts that are not in a dual stack configuration.
Finding Details: Evaluate-STIG 1.2507.5 (Scan-WindowsServerDNS_Checks) found this to be NOT APPLICABLE on 10/23/2025. ResultHash: A14A79735BD283F3F019111E748C74455976803D. All zones hosted on this server are Active Directory-integrated so this requirement is NA.
Check Text
Note: This requirement applies to any Windows DNS Server that hosts non-AD-integrated zones, even if the DNS server also hosts AD-integrated zones. Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. Press the Windows key + R and execute "gpme.msc" to open the Group Policy Management feature. In the "Browse for Group Policy Object" dialog box, double-click "Domain Controllers.domain.com". Click "Default Domain Controllers Policy" and click "OK". In the console tree, open Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security - LDAP. Click "Connection Security Rules". Confirm at least one rule is configured for TCP 53. Double-click on each rule to verify the following: On the "Authentication" tab, "Authentication mode:" is set to "Request authentication for inbound and outbound connections". The "Signing Algorithm" is set to "RSA (default)". On the "Remote Computers" tab, "Endpoint1" and "Endpoint2" are configured with the IP addresses of all DNS servers. On the "Protocols and Ports" tab, "Protocol type:" is set to TCP and the "Endpoint 1 port:" is set to "Specific ports" and "53". If no rules are configured with the specified requirements, this is a finding.
Fix Text
Complete the following procedures twice for each pair of name servers. Create a rule for TCP connections. Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. Press the Windows key + R and execute "gpme.msc" to open the Group Policy Management feature. In the "Browse for Group Policy Object" dialog box, double-click "Domain Controllers.domain.com". Click "Default Domain Controllers Policy" and click "OK". In the console tree, open Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security - LDAP. Right-click "Connection Security Rules" and select "New". For "Rule Type", select the "Server-to-server" radio button and click "Next". For Endpoint 1 and Endpoint 2, select "These IP addresses:" and add the IP addresses of all DNS servers. Click "Next". For "Requirements", select "Request authentication for inbound and outbound connections" and click "Next". For "Authentication Method", select Computer certificate and from the "Signing Algorithm:" drop-down, select "RSA (default)". From the "Certificate store type:" drop-down, select "Root CA (default)". From the "CA name:", click "Browse", select the certificate for the CA, and click "Next". On "Profile", accept default selections and click "Next". On "Name", enter a name applicable to the rule's function. Click "Finish".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding Details: Evaluate-STIG 1.2507.5 (Scan-WindowsServerDNS_Checks) found this to be NOT A FINDING on 10/23/2025. ResultHash: 3448E41FECCC571EA1126422ABF9142217A1FEE5
All Forward Lookup Zones hosted on this server are Active Directory-integrated.
Comments: none recorded.
Check Text
For zones that are completely AD-integrated, this check is not a finding.
For authenticity of zone transfers between non-AD-integrated zones, DNSSEC must be implemented. (DNSSEC signatures let the receiving server verify that the zone data it received is authentic and unaltered; they do not secure the transfer session itself.)
Validate this check from the Windows DNS Server being configured/reviewed.
Log on to the Windows DNS Server using the account designated as Administrator or DNS Administrator.
Determine a valid host in the zone.
Open the Windows PowerShell prompt on the Windows DNS Server being configured/reviewed.
Issue the following command: (Replace www.zonename.mil with a FQDN of a valid host in the zone being validated. Replace ###.###.###.### with the FQDN or IP address of the Windows DNS Server hosting the signed zone.)
resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok <enter>
Note: It is important to use the -server switch followed by the DNS server name/IP address.
The result should show the "A" record results. In addition, the results should show QueryType: RRSIG with an expiration, date signed, signer, and signature, similar to the following:
Name: www.zonename.mil
QueryType: RRSIG
TTL: 189
Section: Answer
TypeCovered: CNAME
Algorithm: 8
LabelCount: 3
OriginalTtl: 300
Expiration: 12/21/2022 10:15:28 AM
Signed: 11/22/2022 10:15:28 AM
Signer: zonename.mil
Signature: {87, 232, 34, 134...}
Name: origin-www.zonename.mil
QueryType: A
TTL: 201
Section: Answer
IP4Address: ###.###.###.###
If the results do not show the RRSIG and signature information, indicating the zone has been signed with DNSSEC, this is a finding.
Fix Text
Sign or re-sign the hosted zone(s) on the DNS server being validated.
Log on to the DNS server using the account designated as Administrator or DNS Administrator.
If not automatically started, initialize the Server Manager window by clicking its icon from the bottom left corner of the screen.
Once the Server Manager window is initialized, from the left pane, click to select the DNS category.
From the right pane, under the "SERVERS" section, right-click the DNS server. From the context menu that appears, click "DNS Manager".
In the DNS Manager console tree on the DNS server being validated, navigate to "Forward Lookup Zones".
Right-click the zone (repeat for each hosted zone), point to DNSSEC, and then click "Sign the Zone" using either approved saved parameters or approved custom parameters.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding Details: No details recorded.
Comments: none recorded.
Check Text
If the DNS server hosts only AD-integrated zones and there are no non-AD-integrated DNS servers acting as secondary DNS servers for the zones, this check is not applicable.
For a non-AD-integrated DNS server:
Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account.
Press the Windows key + R and execute "dnsmgmt.msc".
On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server, and then expand "Forward Lookup Zones".
From the expanded list, click to select and then right-click the zone name.
From the displayed context menu, click the "Properties" option.
On the opened zone's properties box, go to the "Zone Transfers" tab.
On the displayed interface, determine if the "Allow zone transfers" check box is selected.
If the "Allow zone transfers" check box is not selected, this is not a finding.
If the "Allow zone transfers" check box is selected, determine if either the "Only to servers listed on the Name Servers tab" radio button is selected or the "Only to the following servers" radio button is selected.
If the "To any server" radio button is selected, this is a finding.
Fix Text
Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account.
Press the Windows key + R and execute "dnsmgmt.msc".
On the opened DNS Manager snap-in from the left pane, expand the server name and then expand "Forward Lookup Zones".
From the expanded list, right-click the zone.
From the displayed context menu, click the "Properties" option.
On the opened zone's properties box, go to the "Zone Transfers" tab.
If no secondary servers need to pull this zone, leave the "Allow zone transfers" check box cleared; that state is not a finding. Otherwise, on the displayed interface, select the "Allow zone transfers" check box.
Select the "Only to servers listed on the Name Servers tab" radio button OR select the "Only to the following servers" radio button.
Click "Apply". Click "OK".
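The zone-transfer setting behind the "Zone Transfers" tab is the SecureSecondaries property of each primary zone, so the check and fix can be scripted. The block below is an added example, not part of the STIG or of Evaluate-STIG; it assumes the DnsServer PowerShell module (RSAT-DNS-Server) on the server being reviewed and that the operator supplies the secondary server addresses where an explicit allow-list is wanted.

```powershell
# Added example (not from the STIG): report the zone-transfer setting of every
# primary zone, flag "To any server", and restrict transfers for the flagged zones.
# Assumes the DnsServer module on the DNS server being reviewed.
function Get-ZoneTransferFindings {
    param([string]$ComputerName = $env:COMPUTERNAME)
    Get-DnsServerZone -ComputerName $ComputerName |
        Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated } |
        ForEach-Object {
            # SecureSecondaries maps to the radio buttons on the "Zone Transfers" tab:
            #   NoTransfer               -> "Allow zone transfers" cleared (not a finding)
            #   TransferToZoneNameServer -> "Only to servers listed on the Name Servers tab"
            #   TransferToSecureServers  -> "Only to the following servers"
            #   TransferAnyServer        -> "To any server" (finding)
            [pscustomobject]@{
                Zone           = $_.ZoneName
                AdIntegrated   = $_.IsDsIntegrated
                Transfers      = $_.SecureSecondaries
                AllowedServers = ($_.SecondaryServers -join ', ')
                Finding        = ($_.SecureSecondaries -eq 'TransferAnyServer')
            }
        }
}

function Set-ZoneTransferRestriction {
    param(
        [Parameter(Mandatory)][string]$ZoneName,
        [string[]]$SecondaryServers,                 # explicit allow-list; omit to use the NS records
        [string]$ComputerName = $env:COMPUTERNAME
    )
    if ($SecondaryServers) {
        # "Only to the following servers"
        Set-DnsServerPrimaryZone -Name $ZoneName -ComputerName $ComputerName `
            -SecureSecondaries TransferToSecureServers -SecondaryServers $SecondaryServers
    } else {
        # "Only to servers listed on the Name Servers tab"
        Set-DnsServerPrimaryZone -Name $ZoneName -ComputerName $ComputerName `
            -SecureSecondaries TransferToZoneNameServer
    }
}

$report = Get-ZoneTransferFindings
$report | Format-Table -AutoSize

# Apply the fix only to zones that currently allow transfers to any server.
foreach ($z in $report | Where-Object Finding) {
    Write-Warning "$($z.Zone): zone transfers allowed to any server (finding); restricting to NS hosts"
    Set-ZoneTransferRestriction -ZoneName $z.Zone
}
```

Restricting to the Name Servers tab only helps if the NS records themselves are accurate; an attacker-controlled host that has been added as an NS record would still be allowed to pull the zone, so pair this with the NS-record review in the earlier check.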
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding Details: Evaluate-STIG 1.2507.5 (Scan-WindowsServerDNS_Checks) found this to be NOT APPLICABLE on 10/23/2025. ResultHash: EBD1CBF9C835BB34171A1BE7AD4ED430C4F56B9D
All Forward Lookup Zones hosted on this server are Active Directory-integrated so this requirement is NA.
Comments: none recorded.
Check Text
Note: This check is not applicable for Windows DNS Servers that host only Active Directory-integrated zones or for Windows DNS Servers on a classified network.
Validate this check from the Windows DNS Server being configured/reviewed.
Log on to the Windows DNS Server using the account designated as Administrator or DNS Administrator.
Determine a valid host in the zone.
Open the Windows PowerShell prompt on the Windows DNS Server being configured/reviewed.
Issue the following command: (Replace www.zonename.mil with a FQDN of a valid host in the zone being validated. Replace ###.###.###.### with the FQDN or IP address of the Windows DNS Server hosting the signed zone.)
resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok <enter>
Note: It is important to use the -server switch followed by the DNS server name/IP address.
The result should show the "A" record results. In addition, the results should show QueryType: RRSIG with an expiration, date signed, signer, and signature, similar to the following:
Name: www.zonename.mil
QueryType: RRSIG
TTL: 189
Section: Answer
TypeCovered: CNAME
Algorithm: 8
LabelCount: 3
OriginalTtl: 300
Expiration: 11/21/2014 10:22:28 PM
Signed: 10/22/2014 10:22:28 PM
Signer: zonename.mil
Signature: {87, 232, 34, 134...}
Name: origin-www.zonename.mil
QueryType: A
TTL: 201
Section: Answer
IP4Address: ###.###.###.###
If the results do not show the RRSIG and signature information, this is a finding.
Fix Text
Sign or re-sign the hosted zone(s) on the DNS server being validated.
Log on to the DNS server using the account designated as Administrator or DNS Administrator.
In the DNS Manager console tree on the DNS server being validated, navigate to "Forward Lookup Zones".
Right-click the zone (repeat for each hosted zone), point to DNSSEC, and then click "Sign the Zone" using either saved parameters or custom parameters.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding Details: Evaluate-STIG 1.2507.5 (Scan-WindowsServerDNS_Checks) found this to be NOT A FINDING on 10/23/2025. ResultHash: 29E483B2F45F4551F92EA09FA9363AA22AB35A11
DNS Service Account: LocalSystem. 'C:\ProgramData\Microsoft\Crypto' and all subfolders and files are owned by the DNS service account.
Comments: none recorded.
Check Text
Access Services on the Windows DNS Server and locate the DNS Server Service. Determine the account under which the DNS Server Service is running.
Access Windows Explorer.
Navigate to the following location: %ALLUSERSPROFILE%\Microsoft\Crypto
Note: If the folder above does not exist, this check is not applicable.
Right-click on each subfolder, choose "Properties", click the "Security" tab, and click the "Advanced" button.
Verify the Owner on the folder, subfolders, and files is the account under which the DNS Server Service is running.
If any other user or group is listed as OWNER of the %ALLUSERSPROFILE%\Microsoft\Crypto folder, subfolders, and files, this is a finding.
Fix Text
Access Windows Explorer.
Navigate to the following location: %ALLUSERSPROFILE%\Microsoft\Crypto
Right-click on each subfolder, choose "Properties", click the "Security" tab, and click the "Advanced" button.
Click "Change" next to the listed Owner and change to be the account under which the DNS Server Service is running.
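Walking every subfolder and file in the GUI does not scale, and the "LocalSystem" name shown in Services is not the name Explorer shows as owner ("SYSTEM"), which invites false findings. The block below is an added example, not part of the STIG or of Evaluate-STIG: it resolves the DNS Server service account, compares owners by SID rather than by display name, and lists anything under %ALLUSERSPROFILE%\Microsoft\Crypto not owned by that account. It must be run elevated; the repair function is left commented out because taking ownership is a change that should be deliberate.

```powershell
# Added example (not from the STIG): resolve the DNS Server service account,
# then verify (and optionally repair) ownership of %ALLUSERSPROFILE%\Microsoft\Crypto.
# Run elevated; changing an owner needs SeRestorePrivilege / SeTakeOwnershipPrivilege.
$CryptoRoot = Join-Path $env:ALLUSERSPROFILE 'Microsoft\Crypto'

function Get-DnsServiceOwner {
    # Win32_Service.StartName is the logon account as configured in Services
    # ("LocalSystem", "NT AUTHORITY\NetworkService", "DOMAIN\svc-dns", ...).
    $svc = Get-CimInstance Win32_Service -Filter "Name='DNS'"
    if (-not $svc) { throw 'DNS Server service is not installed on this host' }
    switch ($svc.StartName) {
        'LocalSystem' { [System.Security.Principal.NTAccount]'NT AUTHORITY\SYSTEM' }
        default       { [System.Security.Principal.NTAccount]$svc.StartName }
    }
}

function Test-CryptoFolderOwnership {
    param([string]$Path = $CryptoRoot, [Parameter(Mandatory)][System.Security.Principal.NTAccount]$Expected)
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Output "$Path does not exist: this check is not applicable"
        return @()
    }
    # Compare SIDs so that "NT AUTHORITY\SYSTEM" vs "SYSTEM" is not reported as a mismatch.
    $expectedSid = $Expected.Translate([System.Security.Principal.SecurityIdentifier])
    $items = @(Get-Item -LiteralPath $Path) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        try {
            $acl      = Get-Acl -LiteralPath $item.FullName
            $ownerSid = $acl.GetOwner([System.Security.Principal.SecurityIdentifier])
            if ($ownerSid -ne $expectedSid) {
                [pscustomobject]@{ Path = $item.FullName; Owner = $acl.Owner }
            }
        } catch {
            # Keys under MachineKeys can deny even administrators read of the DACL; report rather than skip.
            [pscustomobject]@{ Path = $item.FullName; Owner = "<unreadable: $($_.Exception.Message)>" }
        }
    }
}

function Repair-CryptoFolderOwnership {
    param([object[]]$Items, [Parameter(Mandatory)][System.Security.Principal.NTAccount]$Owner)
    foreach ($i in $Items) {
        $acl = Get-Acl -LiteralPath $i.Path
        $acl.SetOwner($Owner)
        Set-Acl -LiteralPath $i.Path -AclObject $acl
    }
}

$owner    = Get-DnsServiceOwner
$findings = @(Test-CryptoFolderOwnership -Expected $owner)
if ($findings) {
    $findings | Format-Table -AutoSize
    Write-Warning "$($findings.Count) item(s) under $CryptoRoot not owned by $owner : this is a finding"
    # Repair-CryptoFolderOwnership -Items $findings -Owner $owner   # uncomment to apply the fix
} else {
    Write-Output "All items under $CryptoRoot are owned by $owner"
}
```

Setting the owner with Set-Acl leaves the DACL untouched, which is what the fix text asks for; if an item is reported as unreadable, inspect it in the GUI as the check text describes rather than forcing ownership blindly, since that directory holds machine private keys.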
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding Details: Evaluate-STIG 1.2507.5 (Scan-WindowsServerDNS_Checks) found this to be NOT APPLICABLE on 10/23/2025. ResultHash: A14A79735BD283F3F019111E748C74455976803D
All zones hosted on this server are Active Directory-integrated so this requirement is NA.
Comments: none recorded.
Check Text
Note: This check is not applicable for Windows DNS Servers that host only Active Directory (AD)-integrated zones or for Windows DNS Servers on a classified network.
Note: This requirement is not applicable to servers with only a caching role.
For AD-integrated zones, private zone signing keys replicate automatically to all primary DNS servers through AD replication. Each authoritative server signs its own copy of the zone when it receives the key. For optimal performance, and to prevent increasing the size of the AD database file, the signed copy of the zone remains in memory for AD-integrated zones. A DNSSEC-signed zone is only committed to disk for file-backed zones.
Secondary DNS servers pull a full copy of the zone, including signatures, from the primary DNS server.
If all DNS servers are AD integrated, this check is not applicable.
If a DNS server is not AD integrated and has file-backed zones, does not accept dynamic updates, and has a copy of the private key corresponding to the ZSK, this is a finding.
Fix Text
Ensure the private key corresponding to the ZSK is only stored on the name server accepting dynamic updates.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding Details: No details recorded.
Comments: none recorded.
Check Text
Consult with the system administrator to determine if a third-party CRL server is being used for certificate revocation lookup. If there is, determine if a documented procedure is in place to store a copy of the CRL locally (local to the site, as an alternative to querying the actual Certificate Authorities). An example would be an OCSP responder installed at the local site. If there is no local cache of revocation data, this is a finding.
Fix Text
Configure local revocation data to be used in the event access to Certificate Authorities is hindered.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding Details: Evaluate-STIG 1.2507.5 (Scan-WindowsServerDNS_Checks) found this to be NOT APPLICABLE on 10/23/2025. ResultHash: EBD1CBF9C835BB34171A1BE7AD4ED430C4F56B9D
All Forward Lookup Zones hosted on this server are Active Directory-integrated so this requirement is NA.
Comments: none recorded.
Check Text
Note: This check is not applicable for Windows DNS Servers that host only Active Directory-integrated zones or for Windows DNS Servers on a classified network.
In Windows, the NSEC3 salt values are automatically changed when the zone is re-signed.
To validate:
Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account.
Press the Windows key + R and execute "dnsmgmt.msc".
On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS Server and then expand "Forward Lookup Zones".
From the expanded list, click to select the zone.
Review the zone's RRs in the right windowpane.
Determine the RRSIG NSEC3PARAM's Inception (in the Data column).
Compare the Inception to the RRSIG DNSKEY Inception. The date and time should be the same.
If the NSEC3PARAM's Inception date and time is different than the DNSKEY Inception date and time, this is a finding.
Fix Text
Sign or re-sign the hosted zone(s) on the DNS server being validated.
Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account.
Press the Windows key + R and execute "dnsmgmt.msc".
On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server, and then expand "Forward Lookup Zones".
From the expanded list, right-click to select the zone (repeat for each hosted zone), point to DNSSEC, and then click "Sign the Zone" using either approved saved parameters or approved custom parameters.
Revalidate the NSEC3PARAM Inception date and time against the DNSKEY date and time.
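The inception comparison above reads two RRSIG records at the zone apex, which is easy to do programmatically for every signed, file-backed zone at once. The block below is an added example, not part of the STIG or of Evaluate-STIG; it assumes the DnsServer module and that the RRSIG record data exposes TypeCovered and SignatureInception (the property names of the DnsServerResourceRecordRRSig class). The re-sign call is left commented out as the fix.

```powershell
# Added example (not from the STIG): compare the signature inception of the RRSIG
# covering NSEC3PARAM with that of the RRSIG covering DNSKEY, per signed file-backed zone.
# Assumes the DnsServer module; RecordData.TypeCovered / RecordData.SignatureInception
# are the RRSIG record-data property names (DnsServerResourceRecordRRSig).
function Get-ApexRrsigInception {
    param(
        [Parameter(Mandatory)][string]$ZoneName,
        [Parameter(Mandatory)][string]$TypeCovered,      # 'NSEC3PARAM' or 'DNSKEY'
        [string]$ComputerName = $env:COMPUTERNAME
    )
    # Both records live at the zone apex ("@"); there may be several RRSIGs (KSK and ZSK
    # both sign DNSKEY), so report the earliest inception, which is what the GUI check compares.
    Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType RRSig -ComputerName $ComputerName -ErrorAction SilentlyContinue |
        Where-Object { $_.HostName -eq '@' -and $_.RecordData.TypeCovered -eq $TypeCovered } |
        ForEach-Object { $_.RecordData.SignatureInception } |
        Sort-Object | Select-Object -First 1
}

function Test-Nsec3SaltRefresh {
    param([string]$ComputerName = $env:COMPUTERNAME)
    Get-DnsServerZone -ComputerName $ComputerName |
        Where-Object { $_.ZoneType -eq 'Primary' -and $_.IsSigned -and -not $_.IsDsIntegrated } |
        ForEach-Object {
            $nsec3 = Get-ApexRrsigInception -ZoneName $_.ZoneName -TypeCovered 'NSEC3PARAM' -ComputerName $ComputerName
            $key   = Get-ApexRrsigInception -ZoneName $_.ZoneName -TypeCovered 'DNSKEY'     -ComputerName $ComputerName
            [pscustomobject]@{
                Zone            = $_.ZoneName
                Nsec3Inception  = $nsec3
                DnsKeyInception = $key
                # No NSEC3PARAM RRSIG at all means the zone was signed with NSEC, not NSEC3: also a finding here.
                Finding         = ($null -eq $nsec3 -or $null -eq $key -or $nsec3 -ne $key)
            }
        }
}

$results = @(Test-Nsec3SaltRefresh)
if (-not $results) { Write-Output 'No signed non-AD-integrated primary zones: check is not applicable' }
$results | Format-Table -AutoSize

foreach ($r in $results | Where-Object Finding) {
    Write-Warning "$($r.Zone): NSEC3PARAM inception $($r.Nsec3Inception) differs from DNSKEY inception $($r.DnsKeyInception) (finding)"
    # Re-signing with the zone's saved parameters regenerates the NSEC3 salt and apex RRSIGs:
    # Invoke-DnsServerZoneSign -ZoneName $r.Zone -SignWithDefault -Force -ComputerName $env:COMPUTERNAME
}
```

A zone whose apex carries no NSEC3PARAM RRSIG was signed with NSEC rather than NSEC3, so the salt comparison cannot pass; the script treats that as a finding too, which matches the intent of the check (salt refreshed on every re-sign) rather than its literal wording.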
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding Details: Evaluate-STIG 1.2507.5 (Scan-WindowsServerDNS_Checks) found this to be NOT APPLICABLE on 10/23/2025. ResultHash: EBD1CBF9C835BB34171A1BE7AD4ED430C4F56B9D
All Forward Lookup Zones hosted on this server are Active Directory-integrated so this requirement is NA.
Comments: none recorded.
Check Text
Note: This check is not applicable for Windows DNS Servers that host only Active Directory-integrated zones or for Windows DNS Servers on a classified network.
Authenticity of query responses is provided with DNSSEC signing of zones.
Validate this check from the Windows DNS Server being configured/reviewed.
Log on to the Windows DNS Server using the account designated as Administrator or DNS Administrator.
Determine a valid host in the zone.
Open the Windows PowerShell prompt on the Windows DNS Server being configured/reviewed.
Issue the following command: (Replace www.zonename.mil with a FQDN of a valid host in the zone being validated. Replace ###.###.###.### with the FQDN or IP address of the Windows DNS Server hosting the signed zone.)
resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok <enter>
Note: It is important to use the -server switch followed by the Windows DNS Server name/IP address.
The result should show the "A" record results. In addition, the results should show QueryType: RRSIG with an expiration, date signed, signer, and signature, similar to the following:
Name: www.zonename.mil
QueryType: RRSIG
TTL: 189
Section: Answer
TypeCovered: CNAME
Algorithm: 8
LabelCount: 3
OriginalTtl: 300
Expiration: 11/21/2014 10:22:28 PM
Signed: 10/22/2014 10:22:28 PM
Signer: zonename.mil
Signature: {87, 232, 34, 134...}
Name: origin-www.zonename.mil
QueryType: A
TTL: 201
Section: Answer
IP4Address: ###.###.###.###
If the results do not show the RRSIG and signature information, this is a finding.
Fix Text
Sign or re-sign the hosted zone(s) on the DNS server being validated.
Log on to the DNS server using the account designated as Administrator or DNS Administrator.
If not automatically started, initialize the Server Manager window by clicking its icon from the bottom left corner of the screen.
Once the Server Manager window is initialized, from the left pane, click to select the DNS category.
From the right pane, under the "SERVERS" section, right-click the DNS server. From the context menu that appears, click "DNS Manager".
In the DNS Manager console tree on the DNS server being validated, navigate to "Forward Lookup Zones".
Right-click the zone (repeat for each hosted zone), point to DNSSEC, and then click "Sign the Zone" using either approved saved parameters or approved custom parameters.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding Details: Evaluate-STIG 1.2507.5 (Scan-WindowsServerDNS_Checks) found this to be NOT A FINDING on 10/23/2025. ResultHash: CE977177F1D3B4FF681DCD4E2854AB3485505899
InterfaceAlias: Ethernet; InterfaceIndex: 4; InterfaceDescription: Microsoft Hyper-V Network Adapter; IPv4Address: 164.231.187.34; SubnetMask: 255.255.255.240; DefaultGateway: 164.231.187.33; SuffixOrigin: Manual
Comments: none recorded.
Check Text
Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account.
Use "ipconfig /all" to identify all network adapters.
or
Locate the "Network Internet Access" icon, right-click on it, and select "Open Network & Sharing Center".
Click "Change adapter settings".
Right-click on the Ethernet and click "Properties".
Select "Internet Protocol Version 4 (TCP/IPv4)" and click "Properties".
Verify the "Use the following IP address" is selected, with an IP address, subnet mask, and default gateway assigned.
If the "Use the following IP address" is not selected with a configured IP address, subnet mask, and default gateway, this is a finding.
Fix Text
Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account.
Use "ipconfig /all" to identify all network adapters.
or
Locate the "Network Internet Access" icon, right-click on it, and select "Open Network & Sharing Center".
Click "Change adapter settings".
Right-click on the Ethernet and click "Properties".
Select "Internet Protocol Version 4 (TCP/IPv4)" and click "Properties".
Select "Use the following IP address" and populate with an IP address, subnet mask, and default gateway.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding Details: Evaluate-STIG 1.2507.5 (Scan-WindowsServerDNS_Checks) found this to be NOT APPLICABLE on 10/23/2025. ResultHash: EBD1CBF9C835BB34171A1BE7AD4ED430C4F56B9D
All Forward Lookup Zones hosted on this server are Active Directory-integrated so this requirement is NA.
Comments: none recorded.
Check Text
Note: This check is not applicable for Windows DNS Servers that host only Active Directory-integrated zones or for Windows DNS Servers on a classified network.
By default, when DNS servers are configured with DNSSEC signed zones, they will automatically respond to query requests, providing validating data in the response, whenever the query requests that validation. Because this takes place inherently when the zone is signed with DNSSEC, the requirement is satisfied by ensuring zones are signed.
Validate this check from the Windows DNS Server being configured/reviewed.
Log on to the Windows DNS Server using the account designated as Administrator or DNS Administrator.
Determine a valid host in the zone.
Open the Windows PowerShell prompt on the Windows DNS Server being configured/reviewed.
Issue the following command: (Replace www.zonename.mil with a FQDN of a valid host in the zone being validated. Replace ###.###.###.### with the FQDN or IP address of the Windows DNS Server hosting the signed zone.)
resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok <enter>
Note: It is important to use the -server switch followed by the DNS server name/IP address.
The result should show the "A" record results. In addition, the results should show QueryType: RRSIG with an expiration, date signed, signer, and signature, similar to the following:
Name: www.zonename.mil
QueryType: RRSIG
TTL: 189
Section: Answer
TypeCovered: CNAME
Algorithm: 8
LabelCount: 3
OriginalTtl: 300
Expiration: 11/21/2014 10:22:28 PM
Signed: 10/22/2014 10:22:28 PM
Signer: zonename.mil
Signature: {87, 232, 34, 134...}
Name: origin-www.zonename.mil
QueryType: A
TTL: 201
Section: Answer
IP4Address: ###.###.###.###
If the results do not show the RRSIG and signature information, this is a finding.
Fix Text
Sign or re-sign the hosted zone(s) on the DNS server being validated.
Log on to the Windows DNS Server using the account designated as Administrator or DNS Administrator.
Press the Windows key + R and execute "dnsmgmt.msc".
On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones".
From the expanded list, right-click to select the zone (repeat for each hosted zone), point to DNSSEC, and then click "Sign the Zone" using either approved saved parameters or approved custom parameters.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding Details: Evaluate-STIG 1.2507.5 (Scan-WindowsServerDNS_Checks) found this to be NOT APPLICABLE on 10/23/2025. ResultHash: EBD1CBF9C835BB34171A1BE7AD4ED430C4F56B9D
All Forward Lookup Zones hosted on this server are Active Directory-integrated so this requirement is NA.
Comments: none recorded.
Check Text
Note: This check is not applicable for Windows DNS Servers that host only Active Directory-integrated zones or for Windows DNS Servers on a classified network.
Validate this check from the Windows DNS Server being configured/reviewed.
Log on to the Windows DNS Server using the account designated as Administrator or DNS Administrator.
Determine a valid host in the zone.
Open the Windows PowerShell prompt on the Windows DNS Server being configured/reviewed.
Issue the following command: (Replace www.zonename.mil with a FQDN of a valid host in the zone being validated. Replace ###.###.###.### with the FQDN or IP address of the Windows DNS Server hosting the signed zone.)
resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok <enter>
Note: It is important to use the -server switch followed by the DNS server name/IP address.
The result should show the "A" record results. In addition, the results should show QueryType: RRSIG with an expiration, date signed, signer, and signature, similar to the following:
Name: www.zonename.mil
QueryType: RRSIG
TTL: 189
Section: Answer
TypeCovered: CNAME
Algorithm: 8
LabelCount: 3
OriginalTtl: 300
Expiration: 11/21/2014 10:22:28 PM
Signed: 10/22/2014 10:22:28 PM
Signer: zonename.mil
Signature: {87, 232, 34, 134...}
Name: origin-www.zonename.mil
QueryType: A
TTL: 201
Section: Answer
IP4Address: ###.###.###.###
If the results do not show the RRSIG and signature information, this is a finding.
Fix Text
Sign or re-sign the hosted zone(s) on the DNS server being validated.
Log on to the Windows DNS Server using the account designated as Administrator or DNS Administrator.
Press the Windows key + R and execute "dnsmgmt.msc".
On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones".
From the expanded list, right-click to select the zone (repeat for each hosted zone), point to DNSSEC, and then click "Sign the Zone" using either approved saved parameters or approved custom parameters.
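Five of the checks on this page (the zone-transfer authenticity check, the DNSSEC signing check, the query-response authenticity check, the validating-data check and this one) all come down to the same Resolve-DnsName -DnssecOk test against one host per zone. The block below is an added example, not part of the STIG or of Evaluate-STIG, that runs that test for every non-AD-integrated primary zone hosted on the server and reports the signer and the earliest signature expiry. It assumes the DnsServer module and the DNS Client cmdlets on the server being reviewed; the output property names (Section, QueryType, Signer, Expiration) match the sample output in the check text.

```powershell
# Added example (not from the STIG): automate "resolve-dnsname <host> -server <dns> -dnssecok"
# for every non-AD-integrated primary zone on this server. A zone passes when the Answer
# section carries at least one RRSIG; the earliest Expiration is reported so that
# signatures about to lapse are visible before they become a finding.
function Test-ZoneDnssecSignature {
    param(
        [Parameter(Mandatory)][string]$HostName,   # FQDN of a valid host in the zone
        [Parameter(Mandatory)][string]$Server      # DNS server hosting the signed zone (the -server switch)
    )
    $records = Resolve-DnsName -Name $HostName -Server $Server -DnssecOk -ErrorAction Stop
    $answer  = $records | Where-Object { $_.Section -eq 'Answer' }
    $rrsig   = $answer  | Where-Object { $_.QueryType -eq 'RRSIG' }
    [pscustomobject]@{
        Host        = $HostName
        Server      = $Server
        AnswerTypes = (($answer | ForEach-Object QueryType | Sort-Object -Unique) -join ',')
        Signer      = (($rrsig  | ForEach-Object Signer    | Sort-Object -Unique) -join ',')
        Expires     = ($rrsig | ForEach-Object Expiration | Sort-Object | Select-Object -First 1)
        Finding     = (-not $rrsig)          # no RRSIG in the answer: zone is not signed
    }
}

function Test-AllHostedZonesSigned {
    param([string]$ComputerName = $env:COMPUTERNAME)
    Get-DnsServerZone -ComputerName $ComputerName |
        Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsDsIntegrated -and
                       -not $_.IsAutoCreated -and -not $_.IsReverseLookupZone } |
        ForEach-Object {
            $zone = $_.ZoneName
            # The first non-apex A record stands in for "a valid host in the zone".
            $a = Get-DnsServerResourceRecord -ZoneName $zone -RRType A -ComputerName $ComputerName |
                 Where-Object { $_.HostName -ne '@' } | Select-Object -First 1
            if (-not $a) {
                [pscustomobject]@{ Host = "(no host records in $zone)"; Server = $ComputerName; Finding = $null }
                return
            }
            try {
                Test-ZoneDnssecSignature -HostName "$($a.HostName).$zone" -Server $ComputerName
            } catch {
                [pscustomobject]@{ Host = "$($a.HostName).$zone"; Server = $ComputerName; Finding = $true;
                                   AnswerTypes = "query failed: $($_.Exception.Message)" }
            }
        }
}

$results = @(Test-AllHostedZonesSigned)
if (-not $results) { Write-Output 'No non-AD-integrated primary zones hosted here: check is not applicable' }
$results | Format-Table -AutoSize

foreach ($r in $results | Where-Object Finding) {
    Write-Warning "$($r.Host): no RRSIG in the answer, zone is not DNSSEC-signed (finding)"
    # Fix: sign the zone with its approved saved parameters, e.g.
    # Invoke-DnsServerZoneSign -ZoneName ($r.Host -replace '^[^.]+\.', '') -SignWithDefault -Force
}
```

Querying the authoritative server directly, as the check requires, proves only that the zone is signed: the server returns its own RRSIGs without validating them. Whether a resolver would actually accept those signatures depends on the DS record in the parent zone (or a configured trust anchor), which this check does not exercise.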
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding Details: Evaluate-STIG 1.2507.5 (Scan-WindowsServerDNS_Checks) found this to be NOT A FINDING on 10/23/2025. ResultHash: 456DE4F1E38903593FFCA404B18AA422FEA62258
All Forward Lookup Zones have 'Use WINS forward lookup' disabled.
Comments: none recorded.
Check Text
Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account.
Press the Windows key + R and execute "dnsmgmt.msc".
On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones".
From the expanded list, right-click each zone and then click "Properties".
In the "Properties" dialog box for the zone, click the "WINS" tab.
Verify the "Use WINS forward lookup" check box is not selected.
If the "Use WINS forward lookup" check box is selected, this is a finding.
Fix Text
Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account.
Press the Windows key + R and execute "dnsmgmt.msc".
On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones".
From the expanded list, right-click each zone and then click "Properties".
In the "Properties" dialog box for the zone, click the "WINS" tab.
Uncheck the "Use WINS forward lookup" check box.
Click "OK".