Vulnerability V-259354

Determine if the authoritative primary name server is Active Directory (AD) integrated. Determine if all secondary name servers for every zone for which the primary name server is authoritative are AD-integrated in the same Active Directory. If the authoritative primary name server is AD integrated and all secondary name servers are part of the same AD, this check is not a finding because AD handles the replication of DNS data. If one or more of the secondary name servers are non-AD integrated, verify the primary name server is configured to only send zone transfers to a specific list of secondary name servers. Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. Press the Windows key + R and execute "dnsmgmt.msc". On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server, and then expand "Forward Lookup Zones". From the expanded list, click to select the zone. Right-click the zone and select "Properties". Select the "Zone Transfers" tab. If the "Allow zone transfers:" check box is not selected, this is not a finding. If the "Allow zone transfers:" check box is selected, verify either "Only to servers listed on the Name Server tab" or "Only to the following servers" is selected. If the "To any server" option is selected, this is a finding.

Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. Press the Windows key + R and execute "dnsmgmt.msc". On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". From the expanded list, click to select the zone. Right-click the zone and select "Properties". Select the "Zone Transfers" tab. Select the "Only to servers listed on the Name Server tab" or "Only to the following servers" check box or deselect the "Allow zone transfers" check box. Click "OK".