V-259403
CAT IIThe DNS Name Server software must be configured to refuse queries for its version information.
- Ships Affected
- 1
- Total Findings
- 1
- Open
- 0
- Closed
- 1
Check Text
The "EnableVersionQuery" property controls what version information the DNS server will respond with when a DNS query with class set to "CHAOS" and type set to "TXT" is received.
Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account.
Open a command window and execute the command:
nslookup <enter>
Note: Confirm the Default Server is the DNS server on which the command is being run.
At the nslookup prompt, type:
set type=TXT <enter>
set class=CHAOS <enter>
version.bind <enter>
If the response returns something similar to text = "Microsoft DNS 6.1.7601 (1DB14556)", this is a finding.
Fix Text
To disable the version being returned in queries, execute the following command:
dnscmd /config /EnableVersionQuery 0 <enter>
STIG Reference
- STIG
- Microsoft Windows Server Domain Name System (DNS) Security Technical Implementation Guide
- Version
- 2
- Release
- 4
- Rule ID
- SV-259403r1001264_rule
All Occurrences
This vulnerability appears on 1 ship(s)
| Ship | Hull # | Source File | Status | Assigned To | Scan Date | Actions |
|---|---|---|---|---|---|---|
| USNS MONTFORD POINT | T-ESD-1 | _Reviewed/MONT-DC-003/Checklist/MONT-DC-003_WinServerDNS_V2R3_20251023-172313.ckl | Unassigned | 2026-01-14T12:57:38.179760 | View in Context |