800-53|SC-20

Title

SECURE NAME / ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE)

Description

The information system:

Supplemental

This control enables external clients including, for example, remote Internet clients, to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service. Information systems that provide name and address resolution services include, for example, domain name system (DNS) servers. Additional artifacts include, for example, DNS Security (DNSSEC) digital signatures and cryptographic keys. DNS resource records are examples of authoritative data. The means to indicate the security status of child zones includes, for example, the use of delegation signer resource records in the DNS. The DNS security controls reflect (and are referenced from) OMB Memorandum 08-23. Information systems that use technologies other than the DNS to map between host/service names and network addresses provide other means to assure the authenticity and integrity of response data.

Reference Item Details

Reference: NIST 800-53 - Security and Privacy Controls for Federal Information Systems and Organizations

Related: AU-10,SC-12,SC-13,SC-21,SC-22,SC-8

Category: SYSTEM AND COMMUNICATIONS PROTECTION

Family: SYSTEM AND COMMUNICATIONS PROTECTION

Priority: P1

Baseline Impact: LOW,MODERATE,HIGH

Audit Items

View all Reference Audit Items

Name	Plugin	Audit Name
1.1 Ensure DNS server is configured	FortiGate	CIS Fortigate 7.0.x v1.3.0 L1
1.5.7 Ensure DNS is servers are configured - nameserver 1	Unix	CIS Amazon Linux 2 STIG v1.0.0 L3
1.5.7 Ensure DNS is servers are configured - nameserver 2	Unix	CIS Amazon Linux 2 STIG v1.0.0 L3
2.1.5 Ensure hostname is set	FortiGate	CIS Fortigate 7.0.x v1.3.0 L1
2.1.6 Ensure DNS server is configured - primary	CheckPoint	CIS Check Point Firewall L1 v1.1.0
3.1 Ensure DNS services are configured correctly - name-server	Cisco	CIS Cisco Firewall v8.x L1 v4.2.0
3.1.16 [LEGACY] Ensure That Microsoft Defender for DNS Is Set To 'On'	microsoft_azure	CIS Microsoft Azure Foundations v3.0.0 L2
3.2 Restrict Recursive Queries - Authoritative Name Server	Unix	CIS BIND DNS v3.0.1 Authoritative Name Server
3.4 Restrict Queries of the Cache - Authoritative Only	Unix	CIS BIND DNS v3.0.1 Authoritative Name Server
5.4 CIFS - 'dns.domainname has been configured'	NetApp	TNS NetApp Data ONTAP 7G
5.4 CIFS - 'dns.enable = on'	NetApp	TNS NetApp Data ONTAP 7G
5.4 CIFS - 'dns.update.enable = on or secure'	NetApp	TNS NetApp Data ONTAP 7G
5.7.4 The default namespace should not be used	OpenShift	CIS RedHat OpenShift Container Platform v1.6.0 L2
6.1 Ensure Root Domain Alias Record Points to ELB	amazon_aws	CIS Amazon Web Services Three-tier Web Architecture L2 1.0.0
6.2 Ensure a DNS alias record for the root domain	amazon_aws	CIS Amazon Web Services Three-tier Web Architecture L2 1.0.0
7.4 Ensure Either SPF or DKIM DNS Records are Configured	Unix	CIS BIND DNS v1.0.0 L2 Authoritative Name Server
8.3 Ensure Any Signing Keys using RSA Have a Length of 2048 or Greater	Unix	CIS BIND DNS v1.0.0 L2 Authoritative Name Server
Adtran : Ensure a trusted, primary DNS server is set	Adtran	TNS Adtran AOS Best Practice Audit
Adtran : Ensure a trusted, secondary DNS server is set	Adtran	TNS Adtran AOS Best Practice Audit
DNS Profile - Address - DNS Server 1	Cisco_ACI	Tenable Cisco ACI
DNS Profile - Address - DNS Server 2	Cisco_ACI	Tenable Cisco ACI
DNS: A trusted primary DNS server is configured	Alcatel	TNS Alcatel-Lucent TiMOS/Nokia SR-OS Best Practice Audit
DNS: A trusted secondary DNS server is configured	Alcatel	TNS Alcatel-Lucent TiMOS/Nokia SR-OS Best Practice Audit
Ensure DNS services are configured correctly - name-server	Cisco	Tenable Cisco Firepower Best Practices Audit
Ensure DNS services are configured correctly - name-server	Cisco_Firepower	Tenable Cisco Firepower Threat Defense Best Practices Audit
FireEye - The appliance uses a trusted DNS server	FireEye	TNS FireEye
Fortigate - DNS - primary server	FortiGate	TNS Fortigate FortiOS Best Practices v2.0.0
Fortigate - DNS - secondary server	FortiGate	TNS Fortigate FortiOS Best Practices v2.0.0
MS.AAD.3.1v1 - Phishing-resistant MFA SHALL be enforced for all users.	microsoft_azure	CISA SCuBA Microsoft 365 Entra ID v1.5.0
MS.AAD.3.5v1 - The authentication methods SMS, Voice Call, and Email One-Time Passcode (OTP) SHALL be disabled.	microsoft_azure	CISA SCuBA Microsoft 365 Entra ID v1.5.0
MS.AAD.3.6v1 - Phishing-resistant MFA SHALL be required for highly privileged roles.	microsoft_azure	CISA SCuBA Microsoft 365 Entra ID v1.5.0
MS.DEFENDER.1.1v1 - The standard and strict preset security policies SHALL be enabled.	microsoft_azure	CISA SCuBA Microsoft 365 Defender v1.5.0
MS.DEFENDER.1.2v1 - All users SHALL be added to Exchange Online Protection (EOP) in either the standard or strict preset security policy.	microsoft_azure	CISA SCuBA Microsoft 365 Defender v1.5.0
MS.DEFENDER.1.3v1 - All users SHALL be added to Defender for Office 365 protection in either the standard or strict preset security policy.	microsoft_azure	CISA SCuBA Microsoft 365 Defender v1.5.0
MS.DEFENDER.1.4v1 - Sensitive accounts SHALL be added to Exchange Online Protection in the strict preset security policy.	microsoft_azure	CISA SCuBA Microsoft 365 Defender v1.5.0
MS.DEFENDER.1.5v1 - Sensitive accounts SHALL be added to Defender for Office 365 protection in the strict preset security policy.	microsoft_azure	CISA SCuBA Microsoft 365 Defender v1.5.0
MS.DEFENDER.2.1v1 - User impersonation protection SHOULD be enabled for sensitive accounts in both the standard and strict preset policies.	microsoft_azure	CISA SCuBA Microsoft 365 Defender v1.5.0
MS.DEFENDER.2.2v1 - Domain impersonation protection SHOULD be enabled for domains owned by the agency in both the standard and strict preset policies.	microsoft_azure	CISA SCuBA Microsoft 365 Defender v1.5.0
MS.DEFENDER.2.3v1 - Domain impersonation protection SHOULD be added for important partners in both the standard and strict preset policies.	microsoft_azure	CISA SCuBA Microsoft 365 Defender v1.5.0
MS.DEFENDER.3.1v1 - Safe attachments SHOULD be enabled for SharePoint, OneDrive, and Microsoft Teams.	microsoft_azure	CISA SCuBA Microsoft 365 Defender v1.5.0
MS.EXO.1.1v1 - Automatic forwarding to external domains SHALL be disabled.	microsoft_azure	CISA SCuBA Microsoft 365 Exchange Online v1.5.0
MS.EXO.10.1v1 - Emails SHALL be scanned for malware.	microsoft_azure	CISA SCuBA Microsoft 365 Exchange Online v1.5.0
MS.EXO.10.2v1 - Emails identified as containing malware SHALL be quarantined or dropped.	microsoft_azure	CISA SCuBA Microsoft 365 Exchange Online v1.5.0
MS.EXO.10.3v1 - Email scanning SHALL be capable of reviewing emails after delivery.	microsoft_azure	CISA SCuBA Microsoft 365 Exchange Online v1.5.0
MS.EXO.11.1v1 - Impersonation protection checks SHOULD be used.	microsoft_azure	CISA SCuBA Microsoft 365 Exchange Online v1.5.0
MS.EXO.11.2v1 - User warnings, comparable to the user safety tips included with EOP, SHOULD be displayed.	microsoft_azure	CISA SCuBA Microsoft 365 Exchange Online v1.5.0
MS.EXO.11.3v1 - The phishing protection solution SHOULD include an AI-based phishing detection tool comparable to EOP Mailbox Intelligence.	microsoft_azure	CISA SCuBA Microsoft 365 Exchange Online v1.5.0
MS.EXO.14.1v2 - A spam filter SHALL be enabled.	microsoft_azure	CISA SCuBA Microsoft 365 Exchange Online v1.5.0
MS.EXO.14.2v1 - Spam and high confidence spam SHALL be moved to either the junk email folder or the quarantine folder.	microsoft_azure	CISA SCuBA Microsoft 365 Exchange Online v1.5.0
MS.EXO.14.3v1 - Allowed domains SHALL NOT be added to inbound anti-spam protection policies.	microsoft_azure	CISA SCuBA Microsoft 365 Exchange Online v1.5.0

Detections

Analytics