800-53|SC-21

Title

SECURE NAME / ADDRESS RESOLUTION SERVICE (RECURSIVE OR CACHING RESOLVER)

Description

The information system requests and performs data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources.

Supplemental

Each client of name resolution services either performs this validation on its own, or has authenticated channels to trusted validation providers. Information systems that provide name and address resolution services for local clients include, for example, recursive resolving or caching domain name system (DNS) servers. DNS client resolvers either perform validation of DNSSEC signatures, or clients use authenticated channels to recursive resolvers that perform such validations. Information systems that use technologies other than the DNS to map between host/service names and network addresses provide other means to enable clients to verify the authenticity and integrity of response data.

Reference Item Details

Related: SC-20,SC-22

Category: SYSTEM AND COMMUNICATIONS PROTECTION

Family: SYSTEM AND COMMUNICATIONS PROTECTION

Priority: P1

Baseline Impact: LOW,MODERATE,HIGH

Audit Items

Name | Plugin | Audit Name
1.1 Ensure DNS server is configured | FortiGate | CIS Fortigate 7.0.x v1.3.0 L1
2.1.6 Ensure DNS server is configured - secondary | CheckPoint | CIS Check Point Firewall L1 v1.1.0
2.1.6 Ensure DNS server is configured - tertiary | CheckPoint | CIS Check Point Firewall L1 v1.1.0
3.1.16 [LEGACY] Ensure That Microsoft Defender for DNS Is Set To 'On' | microsoft_azure | CIS Microsoft Azure Foundations v3.0.0 L2
3.2 Restrict Recursive Queries - Caching Name Server | Unix | CIS BIND DNS v3.0.1 Caching Only Name Server
3.4 Restrict Queries of the Cache - Caching Only | Unix | CIS BIND DNS v3.0.1 Caching Only Name Server
5.7.4 The default namespace should not be used | OpenShift | CIS RedHat OpenShift Container Platform v1.6.0 L2
18.4.7 Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled' | Windows | CIS Windows 7 Workstation Level 1 v3.2.0
18.4.7 Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled' | Windows | CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
Big Sur - Secure Name Address Resolution Service | Unix | NIST macOS Big Sur v1.4.0 - 800-53r5 High
Big Sur - Secure Name Address Resolution Service | Unix | NIST macOS Big Sur v1.4.0 - 800-53r5 Low
Big Sur - Secure Name Address Resolution Service | Unix | NIST macOS Big Sur v1.4.0 - 800-53r4 High
Big Sur - Secure Name Address Resolution Service | Unix | NIST macOS Big Sur v1.4.0 - All Profiles
Big Sur - Secure Name Address Resolution Service | Unix | NIST macOS Big Sur v1.4.0 - 800-53r4 Low
Big Sur - Secure Name Address Resolution Service | Unix | NIST macOS Big Sur v1.4.0 - 800-53r4 Moderate
Big Sur - Secure Name Address Resolution Service | Unix | NIST macOS Big Sur v1.4.0 - 800-53r5 Moderate
Big Sur - Secure Name Address Resolution Service | Unix | NIST macOS Big Sur v1.4.0 - CNSSI 1253
Catalina - Secure Name Address Resolution Service | Unix | NIST macOS Catalina v1.5.0 - 800-53r4 Moderate
Catalina - Secure Name Address Resolution Service | Unix | NIST macOS Catalina v1.5.0 - 800-53r5 Low
Catalina - Secure Name Address Resolution Service | Unix | NIST macOS Catalina v1.5.0 - 800-53r5 High
Catalina - Secure Name Address Resolution Service | Unix | NIST macOS Catalina v1.5.0 - 800-53r5 Moderate
Catalina - Secure Name Address Resolution Service | Unix | NIST macOS Catalina v1.5.0 - 800-53r4 Low
Catalina - Secure Name Address Resolution Service | Unix | NIST macOS Catalina v1.5.0 - All Profiles
Catalina - Secure Name Address Resolution Service | Unix | NIST macOS Catalina v1.5.0 - CNSSI 1253
Catalina - Secure Name Address Resolution Service | Unix | NIST macOS Catalina v1.5.0 - 800-53r4 High
EX19-ED-000224 The Exchange Edge server must point to a trusted list of DNS servers for external and internal resolution. | Windows | DISA Microsoft Exchange 2019 Edge Server STIG v2r1
MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers | Windows | MSCT Windows Server 2016 DC v1.0.0
MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers | Windows | MSCT Windows Server 2019 DC v1.0.0
MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers | Windows | MSCT Windows Server 2019 MS v1.0.0
MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers | Windows | MSCT Windows 10 1803 v1.0.0
MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers | Windows | MSCT Windows 10 1903 v1.19.9
MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers | Windows | MSCT Windows 10 v21H2 v1.0.0
MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers | Windows | MSCT Windows 10 v22H2 v1.0.0
MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers | Windows | MSCT Windows 11 v1.0.0
MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers | Windows | MSCT Windows 11 v23H2 v1.0.0
MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers | Windows | MSCT Windows Server 1903 DC v1.19.9
MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers | Windows | MSCT Windows Server v1909 DC v1.0.0
MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers | Windows | MSCT Windows Server 2022 v1.0.0
MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers | Windows | MSCT Windows 11 v22H2 v1.0.0
MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers | Windows | MSCT Windows 10 v1507 v1.0.0
MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers | Windows | MSCT Windows 10 1909 v1.0.0
MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers | Windows | MSCT Windows 10 v21H1 v1.0.0
MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers | Windows | MSCT Windows Server v1909 MS v1.0.0
MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers | Windows | MSCT Windows Server 2016 MS v1.0.0
MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers | Windows | MSCT Windows Server v2004 DC v1.0.0
MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers | Windows | MSCT Windows Server v2004 MS v1.0.0
MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers | Windows | MSCT Windows Server v20H2 MS v1.0.0
MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers | Windows | MSCT Windows Server 1903 MS v1.19.9
MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers | Windows | MSCT MSCT Windows Server 2022 DC v1.0.0
MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers | Windows | MSCT Windows Server v20H2 DC v1.0.0