Rule ID
SV-215596r961863_rule
Version
V2R7
CCIs
DNS is only responsible for resolving a domain name to an IP address. Applications and operating systems are responsible for processing the IPv6 or IPv4 record that may be returned. With this in mind, a denial of service could easily be implemented for an application that is not IPv6-aware. When the application receives an IP address in hexadecimal, it is up to the application/operating system to decide how to handle the response. Combining both IPv6 and IPv4 records into the same domain can lead to application problems that are beyond the scope of the DNS administrator.
Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. Press Windows Key + R, execute dnsmgmt.msc. On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server, and then expand Forward Lookup Zones. From the expanded list, select each zone and examine the host record entries. The third column titled “Data” will display the IP. Verify if any contain both IPv4 and IPv6 addresses. If any hostnames contain both IPv4 and IPv6 addresses, confirm with the SA that the actual hosts are IPv6-aware. If any zone contains hosts with both IPv4 and IPv6 addresses but are determined to be non-IPv6-aware, this is a finding.
Remove any IPv6 records for hosts which are not IPv6-aware.