National Vulnerability Database

National Vulnerability Database

National Vulnerability

DNS Policy STIG Ver 4, Rel 1.22 Checklist Details (Checklist Revisions)

Supporting Resources:


Target CPE Name
Microsoft Windows Server 2003 cpe:/o:microsoft:windows_2003_server (View CVEs)
ISC Bind 9.3.1 cpe:/a:isc:bind:9.3.1 (View CVEs)
ISC Bind 9.3.2 cpe:/a:isc:bind:9.3.2 (View CVEs)
Microsoft Windows Server 2000 cpe:/o:microsoft:windows_2000:-:-:server (View CVEs)
Microsoft Windows XP cpe:/o:microsoft:windows_xp (View CVEs)
Microsoft Windows 2000 cpe:/o:microsoft:windows_2000 (View CVEs)
Cisco Content Services Switch 11000 cpe:/h:cisco:content_services_switch_11000:- (View CVEs)

Checklist Highlights

Checklist Name:
Checklist ID:
Ver 4, Rel 1.22
Review Status:
Governmental Authority: Defense Information Systems Agency
Original Publication Date:

Checklist Summary:

This document contains procedures that enable qualified personnel to conduct a Domain Name System (DNS) Security Readiness Review (SRR). The DNS SRR assesses an organization's compliance with the Defense Information Systems Agency (DISA) DNS Security Technical Implementation Guidance (STIG). DISA Field Security Operations (FSO) conducts SRRs to provide DISA, Joint Commands, and other Department of Defense (DOD) organizations with a level of confidence that their DNS is secure and can adequately support their mission. This document provides step by step instructions to verify Domain Name Systems are securely configured. This checklist is arranged by asset posture. The first section is dedicated to the Non-Computing Asset posture of DNS Policy. These checks/requirements need only be performed once for the site as they apply to all DNS servers and the DNS architecture, regardless of platform or function. The finding status should be updated if a change takes place on the system, during a yearly accreditation visit if vulnerabilities are identified, or during a self assessment. The remaining sections focus on the computing asset posture of the type of DNS software running on the platform: All DNS servers, BIND, Windows DNS, or CISCO CSS. - Section 2: Non-Computing DNS Policy - Section 3: All DNS servers - Section 4: BIND servers, both UNIX and Windows operating system platforms - Section 5: Windows DNS Server - Section 6: CISCO CSS DNS

Checklist Role:

  • Domain Name Server

Known Issues:

The reviewer must examine the IAVM notices carefully when there are potential issues. In future releases of the checklist, additional guidance will be provided on how to check for these scenarios.

Target Audience:

Developed for the DOD. This checklist has been created for IT professionals, particularly network system administrators and information security personnel. The document assumes that the reader has experience installing and administering DNS Servers.

Target Operational Environment:

  • Managed
  • Specialized Security-Limited Functionality (SSLF)

Testing Information:

Not provided.

Regulatory Compliance:

DOD Directive 8500.


Please refer to the Checklist or the README.txt files provided with the scripts for any comments, warnings, or detailed instructions.


Not provided.

Product Support:

It should be noted that FSO Support for the STIGs, Checklists, and Tools is only available to DOD Customers.

Point of Contact:


Not provided.


Not provided.

Change History:

Updated status from "Under Review" to "Final" - 21 July 2015
Version 4, Release 1.17 - 01 June 2015
Version 4, Release 1.13 - 2013-01-25
Version 4, Release 1.12 - 2011-04-29
Version 4, Release 1.11 - 2011-01-28
Version 4, Release 1.7  - 2009-08-15
Version 4, Release 1.5  - 2008-12-15
Version 4, Release 1.1  - 2007-10-17
Version 3, Release 1.1  - 2007-03-15
Version 3, Release 1    - 2006-12-08
Version 2, Release 2    - 2006-06-16
Version 2, Release 1.3  - 2005-08-08
Version 2, Release 1.2  - 2004-07-15
Version 2, Release 1.1  - 2004-05-12
Version 1, Release 3.1  - date unknown
Version 1, Release 2.2  - date unknown
Version 1, Release 1    - date unknown
Added point of contact
updated to - v4, r1.19 - 07/22/2016
Updated to FINAL - 09/12/2016
Updated URL to reflect change to the DISA website - http --> https
Updated - 11/01/2017
Updated to FINAL - 11/27/2017
corrected resource title - 1/24/2018
moved to archive status - 4/15/19
moved to archive status - 4/15/19
Updated URLs - 6/24/19
updated URLs - 9/11/19


URL Description


Reference URL Description

NIST checklist record last modified on 09/11/2019