800-53|SC-20a.

Title

SECURE NAME / ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE)

Description

Provides additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and

Reference Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

Family: SYSTEM AND COMMUNICATIONS PROTECTION

Baseline Impact: LOW, MODERATE, HIGH

Audit Items

Name | Plugin | Audit Name
3.2.1 Restrict Recursive Queries | Unix | CIS ISC BIND 9.0/9.5 v2.0.0
3.3.2 Include TSIG key in named.conf 'TSIG key 1' | Unix | CIS ISC BIND 9.0/9.5 v2.0.0
3.3.2 Include TSIG key in named.conf 'TSIG key 2' | Unix | CIS ISC BIND 9.0/9.5 v2.0.0
3.4 Restrict Zone-Transfers 'Zone Transfer Server 1' | Unix | CIS ISC BIND 9.0/9.5 v2.0.0
3.4 Restrict Zone-Transfers 'Zone Transfer Server 2' | Unix | CIS ISC BIND 9.0/9.5 v2.0.0
3.5.1 Using Update Policy 'grant' | Unix | CIS ISC BIND 9.0/9.5 v2.0.0
3.5.1 Using Update Policy 'keys' | Unix | CIS ISC BIND 9.0/9.5 v2.0.0
3.5.1 Using Update Policy 'zone' | Unix | CIS ISC BIND 9.0/9.5 v2.0.0
3.5.2 Enable GSS-TSIG 'algorithm' | Unix | CIS ISC BIND 9.0/9.5 v2.0.0
3.5.2 Enable GSS-TSIG 'key' | Unix | CIS ISC BIND 9.0/9.5 v2.0.0
3.5.2 Enable GSS-TSIG 'tkey-domain' | Unix | CIS ISC BIND 9.0/9.5 v2.0.0
3.5.2 Enable GSS-TSIG 'tkey-gssapi-credential' | Unix | CIS ISC BIND 9.0/9.5 v2.0.0
3.6 Implement DNSSEC 'INCLUDE' | Unix | CIS ISC BIND 9.0/9.5 v2.0.0
4.3 Use Unique Keys for Each Pair of Hosts - unique secret | Unix | CIS BIND DNS v3.0.1 Authoritative Name Server
4.3 Use Unique Keys for Each Pair of Hosts - unique secret | Unix | CIS BIND DNS v3.0.1 Caching Only Name Server
7.2 Enable DNSSEC Validation - dnssec-enable | Unix | CIS BIND DNS v3.0.1 Caching Only Name Server
7.2 Enable DNSSEC Validation - dnssec-validation | Unix | CIS BIND DNS v3.0.1 Caching Only Name Server
BIND-9X-001650 - A BIND 9.x server implementation must maintain the integrity and confidentiality of DNS information while it is being prepared for transmission, in transmission, and in use and must perform integrity verification and data origin verification for all DNS information. | Unix | DISA BIND 9.x STIG v3r1
EX13-EG-000080 - Exchange Internet-facing Send connectors must specify a Smart Host. | Windows | DISA Microsoft Exchange 2013 Edge Transport Server STIG v1r6
EX13-MB-000105 - Exchange Internet-facing Send connectors must specify a Smart Host. | Windows | DISA Microsoft Exchange 2013 Mailbox Server STIG v2r3
EX16-ED-000160 - Exchange Internet-facing Send connectors must specify a Smart Host. | Windows | DISA Microsoft Exchange 2016 Edge Transport Server STIG v2r6
EX16-MB-000210 - Exchange Internet-facing Send connectors must specify a Smart Host. | Windows | DISA Microsoft Exchange 2016 Mailbox Server STIG v2r6
EX19-ED-000095 - Exchange internet-facing send connectors must specify a Smart Host. | Windows | DISA Microsoft Exchange 2019 Edge Server STIG v2r2
EX19-MB-000106 - Exchange internet-facing send connectors must specify a smart host. | Windows | DISA Microsoft Exchange 2019 Mailbox Server STIG v2r3
F5BI-DN-300013 - An authoritative name server must be configured to enable DNSSEC Resource Records. | F5 | DISA F5 BIG-IP TMOS DNS STIG v1r1
F5BI-DN-300028 - A BIG-IP DNS server implementation must provide additional data origin artifacts along with the authoritative data the system returns in response to external name/address resolution queries. | F5 | DISA F5 BIG-IP TMOS DNS STIG v1r1
WDNS-SC-000002 - The Windows 2012 DNS Server must include data origin with authoritative data the system returns in response to external name/address resolution queries. | Windows | DISA Microsoft Windows 2012 Server Domain Name System STIG v2r7
WDNS-SC-000006 - WINS lookups must be disabled on the Windows 2012 DNS Server. | Windows | DISA Microsoft Windows 2012 Server Domain Name System STIG v2r7
WDNS-SC-000007 - The Windows 2012 DNS Server must use DNSSEC data within queries to confirm data integrity to DNS resolvers. | Windows | DISA Microsoft Windows 2012 Server Domain Name System STIG v2r7