800-53|SC-20

Title

SECURE NAME / ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE)

Description

The information system:

Supplemental

This control enables external clients, including, for example, remote Internet clients, to obtain origin authentication and integrity verification assurances for the host/service-name-to-network-address resolution information obtained through the service. Information systems that provide name and address resolution services include, for example, domain name system (DNS) servers. Additional artifacts include, for example, DNS Security (DNSSEC) digital signatures and cryptographic keys. DNS resource records are examples of authoritative data. The means to indicate the security status of child zones include, for example, the use of delegation signer (DS) resource records in the DNS. The DNS security controls reflect (and are referenced from) OMB Memorandum 08-23. Information systems that use technologies other than the DNS to map between host/service names and network addresses provide other means to assure the authenticity and integrity of response data.

Reference Item Details

Related: AU-10, SC-12, SC-13, SC-21, SC-22, SC-8

Category: SYSTEM AND COMMUNICATIONS PROTECTION

Family: SYSTEM AND COMMUNICATIONS PROTECTION

Priority: P1

Baseline Impact: LOW, MODERATE, HIGH

Audit Items

Name | Plugin | Audit Name
3.1 Ensure DNS services are configured correctly - name-server | Cisco | CIS Cisco Firewall v8.x L1 v4.2.0
5.4 CIFS - 'dns.domainname has been configured' | NetApp | TNS NetApp Data ONTAP 7G
5.4 CIFS - 'dns.enable = on' | NetApp | TNS NetApp Data ONTAP 7G
5.4 CIFS - 'dns.update.enable = on or secure' | NetApp | TNS NetApp Data ONTAP 7G
6.1 Ensure Root Domain Alias Record Points to ELB | amazon_aws | CIS Amazon Web Services Three-tier Web Architecture L2 1.0.0
Adtran : Ensure a trusted, primary DNS server is set | Adtran | TNS Adtran AOS Best Practice Audit
Adtran : Ensure a trusted, secondary DNS server is set | Adtran | TNS Adtran AOS Best Practice Audit
BIND-9X-001200 - A BIND 9.x server implementation must maintain the integrity and confidentiality of DNS information while it is being prepared for transmission, in transmission, and in use, and it must perform integrity verification and data origin verification for all DNS information. | Unix | DISA BIND 9.x STIG v2r3
DNS Profile - Address - DNS Server 1 | Cisco_ACI | Tenable Cisco ACI
DNS Profile - Address - DNS Server 2 | Cisco_ACI | Tenable Cisco ACI
DNS: A trusted primary DNS server is configured | Alcatel | TNS Alcatel-Lucent TiMOS/Nokia SR-OS Best Practice Audit
DNS: A trusted secondary DNS server is configured | Alcatel | TNS Alcatel-Lucent TiMOS/Nokia SR-OS Best Practice Audit
Ensure DNS services are configured correctly - name-server | Cisco | Tenable Cisco Firepower Best Practices Audit
Ensure DNS services are configured correctly - name-server | Cisco_Firepower | Tenable Cisco Firepower Threat Defense Best Practices Audit
FireEye - The appliance uses a trusted DNS server | FireEye | TNS FireEye
Fortigate - DNS - primary server | FortiGate | TNS Fortigate FortiOS Best Practices v2.0.0
Fortigate - DNS - secondary server | FortiGate | TNS Fortigate FortiOS Best Practices v2.0.0
SonicWALL - Review the DNS Server Settings | SonicWALL | TNS SonicWALL v5.9
WatchGuard : DNS Servers | WatchGuard | TNS Best Practice WatchGuard Audit 1.0.0