800-53|SC-20

Title

SECURE NAME / ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE)

Description

The information system:

Supplemental

This control enables external clients including, for example, remote Internet clients, to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service. Information systems that provide name and address resolution services include, for example, domain name system (DNS) servers. Additional artifacts include, for example, DNS Security (DNSSEC) digital signatures and cryptographic keys. DNS resource records are examples of authoritative data. The means to indicate the security status of child zones includes, for example, the use of delegation signer resource records in the DNS. The DNS security controls reflect (and are referenced from) OMB Memorandum 08-23. Information systems that use technologies other than the DNS to map between host/service names and network addresses provide other means to assure the authenticity and integrity of response data.

Reference Item Details

Reference: NIST 800-53 - Security and Privacy Controls for Federal Information Systems and Organizations

Related: AU-10,SC-12,SC-13,SC-21,SC-22,SC-8

Category: SYSTEM AND COMMUNICATIONS PROTECTION

Family: SYSTEM AND COMMUNICATIONS PROTECTION

Priority: P1

Baseline Impact: LOW,MODERATE,HIGH

Audit Items

View all Reference Audit Items

Name	Plugin	Audit Name
1.1 Ensure DNS server is configured	FortiGate	CIS Fortigate 7.0.x v1.3.0 L1
1.5.7 Ensure DNS is servers are configured - nameserver 1	Unix	CIS Amazon Linux 2 STIG v1.0.0 L3
1.5.7 Ensure DNS is servers are configured - nameserver 2	Unix	CIS Amazon Linux 2 STIG v1.0.0 L3
2.1.5 Ensure hostname is set	FortiGate	CIS Fortigate 7.0.x v1.3.0 L1
2.1.6 Ensure DNS server is configured - primary	CheckPoint	CIS Check Point Firewall L1 v1.1.0
2.1.10 [LEGACY] Ensure That Microsoft Defender for DNS Is Set To 'On'	microsoft_azure	CIS Microsoft Azure Foundations v2.1.0 L2
2.20 Ensure 'Use built-in DNS client' is set to 'Disabled'	Windows	CIS Google Chrome L2 v2.0.0
3.1 Ensure DNS services are configured correctly - name-server	Cisco	CIS Cisco Firewall v8.x L1 v4.2.0
3.1 Ensure DNS services are configured correctly - name-server	Cisco	CIS Cisco Firewall ASA 8 L1 v4.1.0
3.2 Restrict Recursive Queries - Authoritative Name Server	Unix	CIS BIND DNS v3.0.0 Authoritative Name Server
3.2 Restrict Recursive Queries - Authoritative Name Server	Unix	CIS BIND DNS v3.0.1 Authoritative Name Server
3.3 Restrict Query Origins	Unix	CIS BIND DNS v3.0.0 Caching Only Name Server
3.3 Restrict Query Origins	Unix	CIS BIND DNS v3.0.0 Authoritative Name Server
3.4 Restrict Queries of the Cache - Authoritative Only	Unix	CIS BIND DNS v3.0.1 Authoritative Name Server
3.4 Restrict Queries of the Cache - Authoritative Only	Unix	CIS BIND DNS v3.0.0 Authoritative Name Server
4.3 Use Unique Keys for Each Pair of Hosts - unique secret	Unix	CIS BIND DNS v3.0.0 Authoritative Name Server
4.3 Use Unique Keys for Each Pair of Hosts - unique secret	Unix	CIS BIND DNS v3.0.0 Caching Only Name Server
4.600 - For systems using DNS resolution, at least two name servers must be configured - nameserver 1	Unix	Tenable Fedora Linux Best Practices v2.0.0
4.600 - For systems using DNS resolution, at least two name servers must be configured - nameserver 2	Unix	Tenable Fedora Linux Best Practices v2.0.0
5.1 Securely Authenticate Zone Transfers	Unix	CIS BIND DNS v3.0.0 Authoritative Name Server
5.1 Securely Authenticate Zone Transfers	Unix	CIS BIND DNS v3.0.0 Caching Only Name Server
5.2 Securely Authenticate Dynamic Updates - allow-update none or localhost	Unix	CIS BIND DNS v3.0.0 Authoritative Name Server
5.2 Securely Authenticate Dynamic Updates - update-policy grant or local	Unix	CIS BIND DNS v3.0.0 Authoritative Name Server
5.3 Securely Authenticate Update Forwarding	Unix	CIS BIND DNS v3.0.0 Authoritative Name Server
5.4 CIFS - 'dns.domainname has been configured'	NetApp	TNS NetApp Data ONTAP 7G
5.4 CIFS - 'dns.enable = on'	NetApp	TNS NetApp Data ONTAP 7G
5.4 CIFS - 'dns.update.enable = on or secure'	NetApp	TNS NetApp Data ONTAP 7G
5.7.4 The default namespace should not be used - BuildConfigs	OpenShift	CIS RedHat OpenShift Container Platform 4 v1.5.0 L2
5.7.4 The default namespace should not be used - Builds	OpenShift	CIS RedHat OpenShift Container Platform 4 v1.5.0 L2
5.7.4 The default namespace should not be used - CronJobs	OpenShift	CIS RedHat OpenShift Container Platform 4 v1.5.0 L2
5.7.4 The default namespace should not be used - DaemonSets	OpenShift	CIS RedHat OpenShift Container Platform 4 v1.5.0 L2
5.7.4 The default namespace should not be used - DeploymentConfigs	OpenShift	CIS RedHat OpenShift Container Platform 4 v1.5.0 L2
5.7.4 The default namespace should not be used - Deployments	OpenShift	CIS RedHat OpenShift Container Platform 4 v1.5.0 L2
5.7.4 The default namespace should not be used - HorizontalPodAutoScalers	OpenShift	CIS RedHat OpenShift Container Platform 4 v1.5.0 L2
5.7.4 The default namespace should not be used - ImageStreams	OpenShift	CIS RedHat OpenShift Container Platform 4 v1.5.0 L2
5.7.4 The default namespace should not be used - Jobs	OpenShift	CIS RedHat OpenShift Container Platform 4 v1.5.0 L2
5.7.4 The default namespace should not be used - Pods	OpenShift	CIS RedHat OpenShift Container Platform 4 v1.5.0 L2
5.7.4 The default namespace should not be used - ReplicaSets	OpenShift	CIS RedHat OpenShift Container Platform 4 v1.5.0 L2
5.7.4 The default namespace should not be used - ReplicationControllers	OpenShift	CIS RedHat OpenShift Container Platform 4 v1.5.0 L2
5.7.4 The default namespace should not be used - Routes	OpenShift	CIS RedHat OpenShift Container Platform 4 v1.5.0 L2
5.7.4 The default namespace should not be used - Services	OpenShift	CIS RedHat OpenShift Container Platform 4 v1.5.0 L2
5.7.4 The default namespace should not be used - StatefulSets	OpenShift	CIS RedHat OpenShift Container Platform 4 v1.5.0 L2
6 - Verify Security of Forwarding Partners	Unix	BIND - TNS BIND Best Practices Audit v1.0.0
6.1 Ensure Root Domain Alias Record Points to ELB	amazon_aws	CIS Amazon Web Services Three-tier Web Architecture L2 1.0.0
6.2 Ensure a DNS alias record for the root domain	amazon_aws	CIS Amazon Web Services Three-tier Web Architecture L2 1.0.0
15 - Restrict Recursive Queries	Unix	BIND - TNS BIND Best Practices Audit v1.0.0
16 - Restrict Query Origins	Unix	BIND - TNS BIND Best Practices Audit v1.0.0
17 - Restrict Access to Cache	Unix	BIND - TNS BIND Best Practices Audit v1.0.0
20 - Include TSIG key in named.conf	Unix	BIND - TNS BIND Best Practices Audit v1.0.0
21 - Restrict Zone-Transfers	Unix	BIND - TNS BIND Best Practices Audit v1.0.0

Detections

Analytics