V-259357
CAT IIThe Windows DNS Server authoritative for local zones must only point root hints to the DNS servers that host the internal root domain.
- Ships Affected
- 1
- Total Findings
- 1
- Open
- 1
- Closed
- 0
Check Text
Note: If the Windows DNS Server is in the classified network, this check is not applicable.
Log on to the authoritative DNS server using the Domain Admin or Enterprise Admin account.
Press the Windows key + R and execute "dnsmgmt.msc".
Right-click the DNS server and select "Properties".
Select the "Root Hints" tab.
Verify "Root Hints" is empty or only has entries for internal zones under "Name servers:". All internet root server entries must be removed.
If "Root Hints" is not empty or entries on the "Root Hints" tab under "Name servers:" are external to the local network, this is a finding.
Fix Text
Log on to the authoritative DNS server using the Domain Admin or Enterprise Admin account.
Press the Windows key + R and execute "dnsmgmt.msc".
Right-click the DNS server and select "Properties".
Select the "Root Hints" tab.
Remove the root hints from the DNS Manager, the CACHE.DNS file, and from Active Directory for name servers outside the internal network.
Replace the existing root hints with new root hints of internal servers.
If the DNS server is forwarding, click to select the "Do not use recursion for this domain"" check box on the "Forwarders" tab in DNS Manager to ensure the root hints will not be used.
STIG Reference
- STIG
- Microsoft Windows Server Domain Name System (DNS) Security Technical Implementation Guide
- Version
- 2
- Release
- 4
- Rule ID
- SV-259357r961863_rule
All Occurrences
This vulnerability appears on 1 ship(s)
| Ship | Hull # | Source File | Status | Assigned To | Scan Date | Actions |
|---|---|---|---|---|---|---|
| USNS MONTFORD POINT | T-ESD-1 | _Reviewed/MONT-DC-003/Checklist/MONT-DC-003_WinServerDNS_V2R3_20251023-172313.ckl | Unassigned | 2026-01-14T12:57:38.179760 | View in Context |