OVAL

Primary DNS Suffix Devolution Level

ID: oval:org.secpod.oval:def:19099
Date: (C)2014-05-29   (M)2023-07-04
Class: COMPLIANCE
Family: windows




The Primary DNS Suffix Devolution Level machine setting should be configured correctly. This policy setting determines the Domain Name System (DNS) suffix devolution level that DNS clients will use if the clients perform primary DNS suffix devolution in a name resolution process.

When DNS suffix devolution is enabled, the leftmost label of a primary DNS suffix is dropped on each successive query attempt when a query fails for a name to which a primary DNS suffix has been attached. The devolution level indicates the minimum number of labels that must be added to the query string after the primary DNS suffix is devolved.

When a user submits a query for a single-label name, such as "example," a local DNS client attaches a suffix, such as "microsoft.com," to the query before sending the query to a DNS server. In this case, this results in the query "example.microsoft.com." If a DNS suffix search list is not specified, the DNS client attaches the primary DNS suffix to a single-label name. If this query fails, the connection-specific DNS suffix is attached for a new query. If none of these queries is resolved, the client devolves the primary DNS suffix of the computer, attaches the devolved primary DNS suffix to the single-label name, and submits this new query to a DNS server.

If you enable this policy setting, DNS clients on the computers to which this setting is applied attempt to resolve names that are concatenations of the single-label name to be resolved and the devolved primary DNS suffix. The DNS clients will devolve the primary DNS suffix on each query attempt until the name is successfully resolved, the devolution level specified in this setting has been reached, or the primary DNS suffix name has two labels.

If you disable or do not configure this policy setting, DNS clients on the computers to which this setting is applied do not attempt to resolve names that are concatenations of the single-label name to be resolved and the devolved primary DNS suffix.

If a Forest Root Domain (FRD) is present, no search list is configured, and the query is for a single-label name, then the DNS client will devolve up to the FRD until the name is successfully resolved.

Fix:
(1) GPO: Computer Configuration\Administrative Templates\Network\DNS Client\Primary DNS Suffix Devolution Level
(2) KEY: HKLM\Software\Policies\Microsoft\Windows NT\DNSClient\EnableDevolutionLevelControl
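
The query order described above, modelled as an added example (not part of the SecPod definition and not Microsoft's resolver code), so an administrator can see which names a given devolution level lets the client send. It assumes no suffix search list is configured, treats the level as the minimum number of labels the devolved suffix keeps, and does not model the Forest Root Domain case; the function name and sample suffixes are constructed.

```python
def devolution_queries(name, primary_suffix, conn_suffix=None,
                       devolve=True, level=2):
    """Return the FQDNs tried, in order, for a single-label name.

    Order follows the description: primary DNS suffix first, then the
    connection-specific suffix, then successively devolved primary suffixes.
    `level` is interpreted (assumption) as the fewest labels the devolved
    suffix may keep; the description also stops at two labels regardless.
    """
    name = name.strip(".")
    if not name or "." in name:
        raise ValueError("devolution applies to single-label names only")

    labels = [l for l in primary_suffix.strip(".").lower().split(".") if l]
    if not labels:
        raise ValueError("primary DNS suffix is empty")

    queries = []

    def attempt(suffix):
        fqdn = f"{name}.{suffix}"
        if fqdn not in queries:        # never repeat an identical query
            queries.append(fqdn)

    attempt(".".join(labels))
    if conn_suffix:
        attempt(conn_suffix.strip(".").lower())

    if devolve:
        floor = max(level, 2)          # two-label suffix is the hard stop
        while len(labels) > floor:
            labels = labels[1:]        # drop the leftmost label
            attempt(".".join(labels))
    return queries


if __name__ == "__main__":
    # Constructed sample: a four-label primary suffix under three settings.
    for kwargs in ({"level": 2}, {"level": 3}, {"devolve": False}):
        print(kwargs, devolution_queries("example", "eu.corp.contoso.com", **kwargs))
```

Comparing the output for level 2 and level 3 shows which parent zones receive the query before the client gives up.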

Platform:
Microsoft Windows Server 2008 R2
Reference:
CCE-11157-5
CPE    1
cpe:/o:microsoft:windows_server_2008:r2
CCE    1
CCE-11157-5
XCCDF    1
xccdf_org.secpod_benchmark_general_Windows_Server_2008_R2

© SecPod Technologies