800-53|SC-21

Title

SECURE NAME / ADDRESS RESOLUTION SERVICE (RECURSIVE OR CACHING RESOLVER)

Description

The information system requests and performs data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources.

Supplemental

Each client of name resolution services either performs this validation on its own, or has authenticated channels to trusted validation providers. Information systems that provide name and address resolution services for local clients include, for example, recursive resolving or caching domain name system (DNS) servers. DNS client resolvers either perform validation of DNSSEC signatures, or clients use authenticated channels to recursive resolvers that perform such validations. Information systems that use technologies other than the DNS to map between host/service names and network addresses provide other means to enable clients to verify the authenticity and integrity of response data.

Reference Item Details

Related: SC-20,SC-22

Category: SYSTEM AND COMMUNICATIONS PROTECTION

Family: SYSTEM AND COMMUNICATIONS PROTECTION

Priority: P1

Baseline Impact: LOW,MODERATE,HIGH

Audit Items

Name | Plugin | Audit Name
1.1 Ensure DNS server is configured | FortiGate | CIS Fortigate 7.0.x v1.3.0 L1
1.1.1.2.1.22 'MSS(NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' to 'Enabled' | Windows | CIS Windows 2003 MS v3.1.0
1.1.1.2.1.22 'MSS(NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' to 'Enabled' | Windows | CIS Windows 2003 DC v3.1.0
1.9.64 MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers | Windows | CIS Windows 2008 SSLF v1.2.0
1.9.64 MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers | Windows | CIS Windows 2008 Enterprise v1.2.0
2.1.6 Ensure DNS server is configured - secondary | CheckPoint | CIS Check Point Firewall L1 v1.1.0
2.1.6 Ensure DNS server is configured - tertiary | CheckPoint | CIS Check Point Firewall L1 v1.1.0
2.1.10 [LEGACY] Ensure That Microsoft Defender for DNS Is Set To 'On' | microsoft_azure | CIS Microsoft Azure Foundations v2.1.0 L2
3.2 Restrict Recursive Queries - Caching Name Server | Unix | CIS BIND DNS v3.0.0 Caching Only Name Server
3.2 Restrict Recursive Queries - Caching Name Server | Unix | CIS BIND DNS v3.0.1 Caching Only Name Server
3.4 Restrict Queries of the Cache - Caching Only | Unix | CIS BIND DNS v3.0.1 Caching Only Name Server
3.4 Restrict Queries of the Cache - Caching Only | Unix | CIS BIND DNS v3.0.0 Caching Only Name Server
3.101 - The system must be configured to ignore NetBIOS name release requests except from WINS servers. | Windows | DISA Windows Server 2008 MS STIG v6r46
3.101 - The system must be configured to ignore NetBIOS name release requests except from WINS servers. | Windows | DISA Windows 7 STIG v1r32
3.101 - The system must be configured to ignore NetBIOS name release requests except from WINS servers. | Windows | DISA Windows Server 2008 DC STIG v6r47
3.101 - The system must be configured to ignore NetBIOS name release requests except from WINS servers. | Windows | DISA Windows Server 2008 R2 MS STIG v1r33
3.101 - The system must be configured to ignore NetBIOS name release requests except from WINS servers. | Windows | DISA Windows Server 2008 R2 DC STIG v1r34
5.7.4 The default namespace should not be used | OpenShift | CIS RedHat OpenShift Container Platform v1.6.0 L2
18.4.6 Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set | Windows | CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.1.0
18.4.6 Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set | Windows | CIS Windows Server 2012 MS L1 v2.1.0
18.4.6 Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set | Windows | CIS Windows Server 2012 DC L1 v2.1.0
18.4.6 Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set | Windows | CIS Microsoft Windows Server 2008 Member Server Level 1 v3.1.0
18.4.6 Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled' | Windows | CIS Windows Server 2012 R2 MS L1 v2.4.0
18.4.6 Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled' | Windows | CIS Microsoft Windows Server 2016 MS L1 v1.2.0
18.4.6 Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled' | Windows | CIS Windows Server 2012 R2 DC L1 v2.4.0
18.4.6 Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled' | Windows | CIS Microsoft Windows Server 2016 DC L1 v1.2.0
18.4.6 Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled' | Windows | CIS Windows Server 2012 R2 DC L1 v2.5.0
18.4.6 Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled' | Windows | CIS Windows Server 2012 R2 MS L1 v2.5.0
18.4.6 Ensure 'MSS: Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled' | Windows | CIS Microsoft Windows Server 2008 R2 Domain Controller Level 1 v3.1.0
18.4.6 Ensure 'MSS: Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled' | Windows | CIS Microsoft Windows Server 2008 R2 Member Server Level 1 v3.1.0
18.4.7 'MSS: NoNameReleaseOnDemand Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled' | Windows | CIS Windows 7 Workstation Level 1 + Bitlocker v3.1.0
18.4.7 'MSS: NoNameReleaseOnDemand Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled' | Windows | CIS Windows 7 Workstation Level 1 v3.1.0
18.4.7 Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set | Windows | CIS Microsoft Windows 8.1 L1 Bitlocker v2.3.0
18.4.7 Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set | Windows | CIS Microsoft Windows 8.1 L1 v2.3.0
18.4.7 Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled' | Windows | CIS Windows 7 Workstation Level 1 v3.2.0
18.4.7 Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled' | Windows | CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
AIX7-00-002125 - AIX must request and perform data origin and integrity authentication verification on the name/address resolution responses the system receives from authoritative sources. | Unix | DISA STIG AIX 7.x v2r1
Big Sur - Secure Name Address Resolution Service | Unix | NIST macOS Big Sur v1.4.0 - 800-53r5 High
Big Sur - Secure Name Address Resolution Service | Unix | NIST macOS Big Sur v1.4.0 - 800-53r5 Low
Big Sur - Secure Name Address Resolution Service | Unix | NIST macOS Big Sur v1.4.0 - All Profiles
Big Sur - Secure Name Address Resolution Service | Unix | NIST macOS Big Sur v1.4.0 - 800-53r4 High
Big Sur - Secure Name Address Resolution Service | Unix | NIST macOS Big Sur v1.4.0 - 800-53r4 Low
Big Sur - Secure Name Address Resolution Service | Unix | NIST macOS Big Sur v1.4.0 - 800-53r4 Moderate
Big Sur - Secure Name Address Resolution Service | Unix | NIST macOS Big Sur v1.4.0 - 800-53r5 Moderate
Big Sur - Secure Name Address Resolution Service | Unix | NIST macOS Big Sur v1.4.0 - CNSSI 1253
Catalina - Secure Name Address Resolution Service | Unix | NIST macOS Catalina v1.5.0 - 800-53r4 Moderate
Catalina - Secure Name Address Resolution Service | Unix | NIST macOS Catalina v1.5.0 - 800-53r5 Low
Catalina - Secure Name Address Resolution Service | Unix | NIST macOS Catalina v1.5.0 - 800-53r5 High
Catalina - Secure Name Address Resolution Service | Unix | NIST macOS Catalina v1.5.0 - 800-53r5 Moderate
Catalina - Secure Name Address Resolution Service | Unix | NIST macOS Catalina v1.5.0 - 800-53r4 Low