V-259353
CAT II
In a split DNS configuration between the external and internal networks, the external name server must be configured to not be reachable from inside resolvers.
- Ships Affected: 1
- Total Findings: 1
- Open: 0
- Closed: 0
Check Text
Consult with the system administrator to review the external Windows DNS Server's DOD-approved firewall policy.
The inbound rule for TCP and UDP port 53 should be configured to restrict only IP addresses from the internal network, so that internal resolvers cannot query the external server while external clients still can.
If the DOD-approved firewall policy is not configured with the restriction, consult with the network firewall administrator to confirm the restriction on the network firewall.
If neither the DNS server's DOD-approved firewall policy nor the network firewall is configured to block internal hosts from querying the external DNS server, this is a finding.
Fix Text
Configure the external DNS server's firewall policy, or the network firewall, to block queries from internal hosts.
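The host-firewall variant of this fix, as an added example that is not part of the STIG or of the tracking tool: it creates block rules for inbound TCP and UDP port 53 from the internal ranges on the external Windows DNS Server, then lists the resulting rules the way a reviewer would during the check. The internal ranges (10.0.0.0/8 and 192.168.0.0/16) and the rule names are placeholders; the network-firewall alternative the Fix Text also allows is not shown.

```powershell
# Added example, not STIG or tool code. Run in an elevated PowerShell session
# on the external DNS server. The ranges below are placeholders for the real
# internal networks; substitute the site's own address space.
$InternalRanges = @('10.0.0.0/8', '192.168.0.0/16')

foreach ($proto in 'TCP', 'UDP') {
    $name = "STIG V-259353 Block internal DNS queries ($proto/53)"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        # Block rules take precedence over allow rules in Windows Defender Firewall,
        # so the DNS Server role's own inbound allow rule does not override this one.
        New-NetFirewallRule -DisplayName $name `
            -Direction Inbound -Action Block -Enabled True `
            -Protocol $proto -LocalPort 53 `
            -RemoteAddress $InternalRanges -Profile Any | Out-Null
    }
}

# Verification matching the Check Text: every enabled inbound block rule on
# port 53, with the protocol and the remote (source) addresses it covers.
Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '53' } |
    ForEach-Object {
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Protocol      = ($_ | Get-NetFirewallPortFilter).Protocol
            RemoteAddress = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ', '
        }
    } | Format-Table -AutoSize
```

If the listing shows no block rule whose RemoteAddress covers the internal ranges, and the network firewall administrator cannot confirm an equivalent restriction, the check above records a finding.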
STIG Reference
- STIG: Microsoft Windows Server Domain Name System (DNS) Security Technical Implementation Guide
- Version: 2
- Release: 4
- Rule ID: SV-259353r961863_rule
All Occurrences
This vulnerability appears on 1 ship(s).
| Ship | Hull # | Source File | Status | Assigned To | Scan Date |
|---|---|---|---|---|---|
| USNS MONTFORD POINT | T-ESD-1 | _Reviewed/MONT-DC-003/Checklist/MONT-DC-003_WinServerDNS_V2R3_20251023-172313.ckl | | Unassigned | 2026-01-14T12:57:38.179760 |