800-53|SC-20a.

Title

SECURE NAME / ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE)

Description

Provides additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and

Reference Item Details

Reference: NIST 800-53 - Security and Privacy Controls for Federal Information Systems and Organizations

Category: SYSTEM AND COMMUNICATIONS PROTECTION

Family: SYSTEM AND COMMUNICATIONS PROTECTION

Baseline Impact: LOW,MODERATE,HIGH

Audit Items

View all Reference Audit Items

Name	Plugin	Audit Name
3.2.1 Restrict Recursive Queries	Unix	CIS ISC BIND 9.0/9.5 v2.0.0
3.2.2 Restrict Query Origins 'allow-query'	Unix	CIS ISC BIND 9.0/9.5 v2.0.0
3.2.3 Restrict Access to Cache 'allow-query-cache'	Unix	CIS ISC BIND 9.0/9.5 v2.0.0
3.2.3 Restrict Access to Cache 'allow-recursion'	Unix	CIS ISC BIND 9.0/9.5 v2.0.0
3.3.2 Include TSIG key in named.conf 'TSIG key 1'	Unix	CIS ISC BIND 9.0/9.5 v2.0.0
3.3.2 Include TSIG key in named.conf 'TSIG key 2'	Unix	CIS ISC BIND 9.0/9.5 v2.0.0
3.4 Restrict Zone-Transfers 'Zone Transfer Server 1'	Unix	CIS ISC BIND 9.0/9.5 v2.0.0
3.4 Restrict Zone-Transfers 'Zone Transfer Server 2'	Unix	CIS ISC BIND 9.0/9.5 v2.0.0
3.5.1 Using Update Policy 'grant'	Unix	CIS ISC BIND 9.0/9.5 v2.0.0
3.5.1 Using Update Policy 'keys'	Unix	CIS ISC BIND 9.0/9.5 v2.0.0
3.5.1 Using Update Policy 'zone'	Unix	CIS ISC BIND 9.0/9.5 v2.0.0
3.5.2 Enable GSS-TSIG 'algorithm'	Unix	CIS ISC BIND 9.0/9.5 v2.0.0
3.5.2 Enable GSS-TSIG 'key'	Unix	CIS ISC BIND 9.0/9.5 v2.0.0
3.5.2 Enable GSS-TSIG 'tkey-domain'	Unix	CIS ISC BIND 9.0/9.5 v2.0.0
3.5.2 Enable GSS-TSIG 'tkey-gssapi-credential'	Unix	CIS ISC BIND 9.0/9.5 v2.0.0
3.6 Implement DNSSEC 'dnssec-enable'	Unix	CIS ISC BIND 9.0/9.5 v2.0.0
3.6 Implement DNSSEC 'dnssec-validation'	Unix	CIS ISC BIND 9.0/9.5 v2.0.0
3.6 Implement DNSSEC 'INCLUDE'	Unix	CIS ISC BIND 9.0/9.5 v2.0.0
4.3 Use Unique Keys for Each Pair of Hosts - unique secret	Unix	CIS BIND DNS v3.0.1 Caching Only Name Server
4.3 Use Unique Keys for Each Pair of Hosts - unique secret	Unix	CIS BIND DNS v3.0.1 Authoritative Name Server
7.2 Enable DNSSEC Validation - dnssec-enable	Unix	CIS BIND DNS v3.0.1 Caching Only Name Server
7.2 Enable DNSSEC Validation - dnssec-validation	Unix	CIS BIND DNS v3.0.1 Caching Only Name Server
BIND-9X-001200 - A BIND 9.x server implementation must maintain the integrity and confidentiality of DNS information while it is being prepared for transmission, in transmission, and in use and t must perform integrity verification and data origin verification for all DNS information.	Unix	DISA BIND 9.x STIG v2r3
EX13-EG-000080 - Exchange Internet-facing Send connectors must specify a Smart Host.	Windows	DISA Microsoft Exchange 2013 Edge Transport Server STIG v1r6
EX13-MB-000105 - Exchange Internet-facing Send connectors must specify a Smart Host.	Windows	DISA Microsoft Exchange 2013 Mailbox Server STIG v2r3
EX16-ED-000160 - Exchange Internet-facing Send connectors must specify a Smart Host.	Windows	DISA Microsoft Exchange 2016 Edge Transport Server STIG v2r5
EX16-MB-000210 - Exchange Internet-facing Send connectors must specify a Smart Host.	Windows	DISA Microsoft Exchange 2016 Mailbox Server STIG v2r6
EX19-ED-000095 Exchange internet-facing send connectors must specify a Smart Host.	Windows	DISA Microsoft Exchange 2019 Edge Server STIG v2r1
EX19-MB-000106 Exchange internet-facing send connectors must specify a smart host.	Windows	DISA Microsoft Exchange 2019 Mailbox Server STIG v2r1
WDNS-SC-000002 - The Windows 2012 DNS Server must include data origin with authoritative data the system returns in response to external name/address resolution queries.	Windows	DISA Microsoft Windows 2012 Server DNS STIG v2r7
WDNS-SC-000006 - WINS lookups must be disabled on the Windows 2012 DNS Server.	Windows	DISA Microsoft Windows 2012 Server DNS STIG v2r7
WDNS-SC-000007 - The Windows 2012 DNS Server must use DNSSEC data within queries to confirm data integrity to DNS resolvers.	Windows	DISA Microsoft Windows 2012 Server DNS STIG v2r7

Detections

Analytics

800-53|SC-20a.

Title

Description

Reference Item Details

Audit Items