V-259348

Discussion

Most enterprises have an authoritative primary server and a host of authoritative secondary name servers. It is essential that these authoritative name servers for an enterprise be located on different network segments. This dispersion ensures the availability of an authoritative name server not only in situations in which a particular router or switch fails but also during events involving an attack on an entire network segment. A network administrator may choose to use a "hidden" primary authoritative server and have only secondary servers visible on the network. A hidden primary authoritative server is an authoritative DNS server whose IP address does not appear in the name server set for a zone. If the primary authoritative name server is hidden, a secondary authoritative name server may reside on the same network as the hidden primary.

Check Content

Windows DNS Servers that are Active Directory (AD) integrated must be located where required to meet the Active Directory services.

If all of the Windows DNS Servers are AD integrated, this check is not applicable.

If any or all the Windows DNS Servers are standalone and non-AD integrated, verify their geographic location with the system administrator.

If all of the authoritative name servers are located on the same network segment and the primary authoritative name server is not "hidden", this is a finding.