CCE

CCE-36355-6

Platform: cpe:/o:microsoft:windows_server_2012::r2
Date: (C)2015-10-08   (M)2023-07-04



Primary DNS Suffix Devolution Level

This policy setting determines the Domain Name System (DNS) suffix devolution level that DNS clients will use, if the clients perform primary DNS suffix devolution in a name resolution process. When DNS suffix devolution is enabled, the leftmost label of a primary DNS suffix is dropped on each successive query attempt, when a query fails for a name to which a primary DNS suffix has been attached. The devolution level indicates the minimum number of labels that must be added to the query string after the primary DNS suffix is devolved.

When a user submits a query for a single-label name, such as 'example', a local DNS client attaches a suffix, such as 'microsoft.com', to the query, before sending the query to a DNS server. In this case, this results in the query 'example.microsoft.com.' If a DNS suffix search list is not specified, the DNS client attaches the primary DNS suffix to a single-label name. If this query fails, the connection-specific DNS suffix is attached for a new query. If none of these queries is resolved, the client devolves the primary DNS suffix of the computer, attaches the devolved primary DNS suffix to the single-label name, and submits this new query to a DNS server.

For example, if the primary DNS suffix aaa.bbb.ccc.ddd.microsoft.com is attached to the single-label name 'example' (which has no dot at the end), and if DNS suffix devolution is enabled and the level is set to 3, the following queries would be run:

Example.aaa.bbb.ccc.ddd.microsoft.com (If this query fails, for the next query the primary DNS suffix will devolve to bbb.ccc.ddd.microsoft.com.)
Example.bbb.ccc.ddd.microsoft.com (If this query fails, for the next query the primary DNS suffix will devolve to ccc.ddd.microsoft.com.)
Example.ccc.ddd.microsoft.com (If this query fails, for the next query the primary DNS suffix will devolve to ddd.microsoft.com.)
Example.ddd.microsoft.com (If this query fails, no further queries can be made because the devolution level is set to 3 and the primary DNS suffix contains 3 labels.)

If you enable this policy setting, DNS clients on the computers to which this setting is applied attempt to resolve names that are concatenations of the single-label name to be resolved and the devolved primary DNS suffix. The DNS clients will devolve the primary DNS suffix on each query attempt until the name is successfully resolved, the devolution level specified in this setting has been reached, or the primary DNS suffix name has two labels.

If you disable or do not configure this policy setting, DNS clients on the computers to which this setting is applied do not attempt to resolve names that are concatenations of the single-label name to be resolved and the devolved primary DNS suffix. If a Forest Root Domain (FRD) is present, no search list is configured, and the query is for a single-label name, then the DNS client will devolve up to the FRD until the name is successfully resolved.
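The devolution sequence described above, written out as a small model so the candidate queries for a given primary suffix and level can be enumerated (added illustration, not SecPod's or Microsoft's code; it models only the primary-suffix steps of the text and omits the search-list, connection-specific suffix and Forest Root Domain behaviour).

```python
"""Model of primary DNS suffix devolution as described in the policy text.

Added illustration: this is not the Windows DNS client implementation, only
the devolution rule from the policy description (drop the leftmost label per
failed query, stop at `level` labels, never go below two labels).
"""
from typing import List


def devolve_suffixes(primary_suffix: str, level: int) -> List[str]:
    """Return the suffixes a client would try, full primary suffix first.

    Devolution stops once the suffix is down to `level` labels. The text also
    states the client never devolves past a two-label suffix, so `level` is
    clamped to at least 2.
    """
    labels = [l for l in primary_suffix.rstrip(".").split(".") if l]
    floor = max(level, 2)
    suffixes: List[str] = []
    while len(labels) >= floor:
        suffixes.append(".".join(labels))
        labels = labels[1:]          # drop the leftmost label for the next attempt
    return suffixes


def candidate_queries(name: str, primary_suffix: str, level: int,
                      enabled: bool = True) -> List[str]:
    """Build the FQDNs queried for `name` under the given devolution setting.

    A name that contains a dot, or ends with one, is not single-label and is
    queried as given. With devolution disabled only the undevolved primary
    suffix is appended.
    """
    if name.endswith(".") or "." in name:
        return [name]
    if not enabled:
        return [f"{name}.{primary_suffix}"]
    return [f"{name}.{s}" for s in devolve_suffixes(primary_suffix, level)]


if __name__ == "__main__":
    # The worked example from the policy text: level 3, six-label suffix.
    for q in candidate_queries("example", "aaa.bbb.ccc.ddd.microsoft.com", 3):
        print(q)
```

Lowering the level (or leaving it unconfigured on a client that still devolves) lengthens the list down to a two-label suffix, which is what the policy lets an administrator bound.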


Parameter:

[enable/disable]


Technical Mechanism:

(1) GPO: Computer Configuration\Administrative Templates\Network\DNS Client!Primary DNS Suffix Devolution Level
(2) REG: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient!EnableDevolutionLevelControl

CCSS Severity:
CCSS Score: 7.5
Exploit Score: 1.6
Impact Score: 5.9
Severity: HIGH
Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CCSS Metrics:
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality: HIGH
Integrity: HIGH
Availability: HIGH

References:
Resource Id                  Reference
SCAP Repo OVAL Definition    oval:org.secpod.oval:def:27442


OVAL    1
oval:org.secpod.oval:def:27442
XCCDF    1
xccdf_org.secpod_benchmark_general_Windows_2012_R2

© SecPod Technologies