800-53|SC-22

Title

ARCHITECTURE AND PROVISIONING FOR NAME / ADDRESS RESOLUTION SERVICE

Description

The information systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal/external role separation.

Supplemental

Information systems that provide name and address resolution services include, for example, domain name system (DNS) servers. To eliminate single points of failure and to enhance redundancy, organizations employ at least two authoritative domain name system servers, one configured as the primary server and the other configured as the secondary server. Additionally, organizations typically deploy the servers in two geographically separated network subnetworks (i.e., not located in the same physical facility). For role separation, DNS servers with internal roles only process name and address resolution requests from within organizations (i.e., from internal clients). DNS servers with external roles only process name and address resolution information requests from clients external to organizations (i.e., on external networks including the Internet). Organizations specify clients that can access authoritative DNS servers in particular roles (e.g., by address ranges, explicit lists).
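As an added example (not part of this reference page or of any listed audit), the following BIND 9 named.conf fragments show how the role separation and primary/secondary redundancy described above map onto concrete settings: an internal-role server that answers and recurses only for internal clients, and an external authoritative-only primary with its secondary in a separate subnet. Zone names and addresses are constructed placeholders, and TSIG authentication of the transfer and NOTIFY traffic is left out.

```conf
// Added example, not from this page: three separate BIND 9 servers on
// placeholder addresses. Zone names and networks are constructed.

// ---- /etc/named.conf on the INTERNAL role server (10.0.0.53) ----
acl internal_clients { 10.0.0.0/8; 192.168.0.0/16; localhost; };
options {
    directory "/var/named";
    listen-on { 10.0.0.53; };
    allow-query     { internal_clients; };  // answers internal clients only
    recursion yes;
    allow-recursion { internal_clients; };  // recursion limited to known clients
    allow-transfer  { none; };
};
zone "corp.example.internal" {
    type primary;                           // "master" on BIND before 9.16
    file "corp.example.internal.zone";
};

// ---- /etc/named.conf on the EXTERNAL primary (198.51.100.53) ----
acl external_secondary { 203.0.113.53; };   // secondary sits in another subnet/site
options {
    directory "/var/named";
    listen-on { 198.51.100.53; };
    recursion no;                           // authoritative-only: never recurses
    allow-query     { any; };               // public zone is open to any client
    allow-transfer  { external_secondary; };
    notify explicit;                        // NOTIFY only the listed secondaries
    also-notify     { 203.0.113.53; };
};
zone "example.com" {
    type primary;
    file "example.com.zone";
};

// ---- /etc/named.conf on the EXTERNAL secondary (203.0.113.53) ----
options {
    directory "/var/named";
    listen-on { 203.0.113.53; };
    recursion no;
    allow-query    { any; };
    allow-transfer { none; };
    allow-notify   { 198.51.100.53; };      // accept NOTIFY only from the primary
};
zone "example.com" {
    type secondary;                         // "slave" on BIND before 9.16
    primaries { 198.51.100.53; };           // "masters" on BIND before 9.16
    file "secondary/example.com.zone";
};
```

Run named-checkconf against each file before reloading named so a syntax error in the ACLs does not leave a server answering with its previous, less restrictive configuration.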

Reference Item Details

Related: SC-2,SC-20,SC-21,SC-24

Category: SYSTEM AND COMMUNICATIONS PROTECTION

Family: SYSTEM AND COMMUNICATIONS PROTECTION

Priority: P1

Baseline Impact: LOW,MODERATE,HIGH

Audit Items


Name | Plugin | Audit Name
1.1 Ensure DNS server is configured | FortiGate | CIS Fortigate 7.0.x v1.3.0 L1
1.3 Dedicated Name Server Role | Unix | CIS BIND DNS v3.0.1 Authoritative Name Server
1.3 Dedicated Name Server Role | Unix | CIS BIND DNS v3.0.0 Authoritative Name Server
1.3 Dedicated Name Server Role | Unix | CIS BIND DNS v3.0.0 Caching Only Name Server
1.3 Dedicated Name Server Role | Unix | CIS BIND DNS v3.0.1 Caching Only Name Server
3.1.16 [LEGACY] Ensure That Microsoft Defender for DNS Is Set To 'On' | microsoft_azure | CIS Microsoft Azure Foundations v3.0.0 L2
5.7.4 The default namespace should not be used | OpenShift | CIS RedHat OpenShift Container Platform v1.6.0 L2
BIND-9X-001054 - A BIND 9.x server implementation must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of Denial of Service (DoS) attacks - zone allow-query | Unix | DISA BIND 9.x STIG v2r2
BIND-9X-001054 - A BIND 9.x server implementation must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of Denial of Service (DoS) attacks - zone allow-query | Unix | DISA BIND 9.x STIG v1r9
BIND-9X-001055 - A BIND 9.x server implementation must prohibit recursion on authoritative name servers - zone allow-query | Unix | DISA BIND 9.x STIG v2r2
BIND-9X-001055 - A BIND 9.x server implementation must prohibit recursion on authoritative name servers - zone allow-query | Unix | DISA BIND 9.x STIG v1r9
BIND-9X-001057 - The master servers in a BIND 9.x implementation must notify authorized secondary name servers when zone files are updated - zone also-notify | Unix | DISA BIND 9.x STIG v1r9
BIND-9X-001057 - The master servers in a BIND 9.x implementation must notify authorized secondary name servers when zone files are updated - zone also-notify | Unix | DISA BIND 9.x STIG v2r2
BIND-9X-001057 - The master servers in a BIND 9.x implementation must notify authorized secondary name servers when zone files are updated - zone notify explicit | Unix | DISA BIND 9.x STIG v2r2
BIND-9X-001057 - The master servers in a BIND 9.x implementation must notify authorized secondary name servers when zone files are updated - zone notify explicit | Unix | DISA BIND 9.x STIG v1r9
BIND-9X-001058 - The secondary name servers in a BIND 9.x implementation must be configured to initiate zone update notifications to other authoritative zone name servers - zone allow-notify | Unix | DISA BIND 9.x STIG v2r2
BIND-9X-001058 - The secondary name servers in a BIND 9.x implementation must be configured to initiate zone update notifications to other authoritative zone name servers - zone allow-notify | Unix | DISA BIND 9.x STIG v1r9
BIND-9X-001058 - The secondary name servers in a BIND 9.x implementation must be configured to initiate zone update notifications to other authoritative zone name servers - zone notify explicit | Unix | DISA BIND 9.x STIG v1r9
BIND-9X-001058 - The secondary name servers in a BIND 9.x implementation must be configured to initiate zone update notifications to other authoritative zone name servers - zone notify explicit | Unix | DISA BIND 9.x STIG v2r2
BIND-9X-001080 - A BIND 9.x implementation configured as a caching name server must restrict recursive queries to only the IP addresses and IP address ranges of known supported clients - allow-recursion | Unix | DISA BIND 9.x STIG v2r2
BIND-9X-001080 - A BIND 9.x implementation configured as a caching name server must restrict recursive queries to only the IP addresses and IP address ranges of known supported clients - allow-recursion | Unix | DISA BIND 9.x STIG v1r9
BIND-9X-001106 - The BIND 9.x server implementation must utilize separate TSIG key-pairs when securing server-to-server transactions - zone keys | Unix | DISA BIND 9.x STIG v2r2
BIND-9X-001106 - The BIND 9.x server implementation must utilize separate TSIG key-pairs when securing server-to-server transactions - zone keys | Unix | DISA BIND 9.x STIG v1r9
BIND-9X-001120 - A BIND 9.x server must implement NIST FIPS-validated cryptography for provisioning digital signatures and generating cryptographic hashes - zones | Unix | DISA BIND 9.x STIG v1r9
BIND-9X-001120 - A BIND 9.x server must implement NIST FIPS-validated cryptography for provisioning digital signatures and generating cryptographic hashes - zones | Unix | DISA BIND 9.x STIG v2r2
BIND-9X-001200 - A BIND 9.x server implementation must maintain the integrity and confidentiality of DNS information while it is being prepared for transmission, in transmission, and in use and it must perform integrity verification and data origin verification for all DNS information - zone | Unix | DISA BIND 9.x STIG v1r9
BIND-9X-001200 - A BIND 9.x server implementation must maintain the integrity and confidentiality of DNS information while it is being prepared for transmission, in transmission, and in use and it must perform integrity verification and data origin verification for all DNS information - zone | Unix | DISA BIND 9.x STIG v2r2
BIND-9X-001611 - Every NS record in a zone file on a BIND 9.x server must point to an active name server and that name server must be authoritative for the domain specified in that record. | Unix | DISA BIND 9.x STIG v2r2
BIND-9X-001611 - Every NS record in a zone file on a BIND 9.x server must point to an active name server and that name server must be authoritative for the domain specified in that record. | Unix | DISA BIND 9.x STIG v1r9
BIND-9X-001612 - On a BIND 9.x server all authoritative name servers for a zone must be located on different network segments. | Unix | DISA BIND 9.x STIG v1r9
BIND-9X-001612 - On a BIND 9.x server all authoritative name servers for a zone must be located on different network segments. | Unix | DISA BIND 9.x STIG v2r2
BIND-9X-001620 - On a BIND 9.x server all root name servers listed in the local root zone file hosted on a BIND 9.x authoritative name server must be valid for that zone. | Unix | DISA BIND 9.x STIG v2r2
BIND-9X-001620 - On a BIND 9.x server all root name servers listed in the local root zone file hosted on a BIND 9.x authoritative name server must be valid for that zone. | Unix | DISA BIND 9.x STIG v1r9
BIND-9X-001621 - On a BIND 9.x server all root name servers listed in the local root zone file hosted on a BIND 9.x authoritative name server must be empty or removed. | Unix | DISA BIND 9.x STIG v1r9
BIND-9X-001621 - On a BIND 9.x server all root name servers listed in the local root zone file hosted on a BIND 9.x authoritative name server must be empty or removed. | Unix | DISA BIND 9.x STIG v2r2
BIND-9X-001700 - On the BIND 9.x server a zone file must not include resource records that resolve to a fully qualified domain name residing in another zone. | Unix | DISA BIND 9.x STIG v1r9
BIND-9X-001700 - On the BIND 9.x server a zone file must not include resource records that resolve to a fully qualified domain name residing in another zone. | Unix | DISA BIND 9.x STIG v2r2
BIND-9X-001701 - On the BIND 9.x server CNAME records must not point to a zone with lesser security for more than six months. | Unix | DISA BIND 9.x STIG v2r2
BIND-9X-001701 - On the BIND 9.x server CNAME records must not point to a zone with lesser security for more than six months. | Unix | DISA BIND 9.x STIG v1r9
GEN001375 - For systems using DNS resolution, at least two name servers must be configured | Unix | DISA STIG for Red Hat Enterprise Linux 5 v1r18 Audit
GEN001375 - For systems using DNS resolution, at least two name servers must be configured - first name server | Unix | DISA STIG for Oracle Linux 5 v2r1
GEN001375 - For systems using DNS resolution, at least two name servers must be configured - first name server | Unix | DISA STIG for Red Hat Enterprise Linux 5 v1r18 Audit
GEN001375 - For systems using DNS resolution, at least two name servers must be configured - second name server | Unix | DISA STIG for Oracle Linux 5 v2r1
GEN001375 - For systems using DNS resolution, at least two name servers must be configured - second name server | Unix | DISA STIG for Red Hat Enterprise Linux 5 v1r18 Audit
WDNS-CM-000003 - The Windows 2012 DNS Server must prohibit recursion on authoritative name servers for which forwarders have not been configured for external queries - recursion | Windows | DISA Microsoft Windows 2012 Server DNS STIG v2r4
WDNS-CM-000003 - The Windows 2012 DNS Server must prohibit recursion on authoritative name servers for which forwarders have not been configured for external queries - recursion | Windows | DISA Microsoft Windows 2012 Server DNS STIG v1r14
WDNS-CM-000003 - The Windows 2012 DNS Server must prohibit recursion on authoritative name servers for which forwarders have not been configured for external queries - recursion | Windows | DISA Microsoft Windows 2012 Server DNS STIG v2r1
WDNS-CM-000004 - Forwarders on an authoritative Windows 2012 DNS Server, if enabled for external resolution, must only forward to either an internal, non-AD-integrated DNS server or to the DoD Enterprise Recursive Services (ERS) - forwarders | Windows | DISA Microsoft Windows 2012 Server DNS STIG v1r14
WDNS-CM-000004 - Forwarders on an authoritative Windows 2012 DNS Server, if enabled for external resolution, must only forward to either an internal, non-AD-integrated DNS server or to the DoD Enterprise Recursive Services (ERS) - forwarders | Windows | DISA Microsoft Windows 2012 Server DNS STIG v2r4
WDNS-CM-000004 - Forwarders on an authoritative Windows 2012 DNS Server, if enabled for external resolution, must only forward to either an internal, non-AD-integrated DNS server or to the DoD Enterprise Recursive Services (ERS) - forwarders | Windows | DISA Microsoft Windows 2012 Server DNS STIG v2r1