800-53|SC-22

Title

ARCHITECTURE AND PROVISIONING FOR NAME / ADDRESS RESOLUTION SERVICE

Description

The information systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal/external role separation.

Supplemental

Information systems that provide name and address resolution services include, for example, domain name system (DNS) servers. To eliminate single points of failure and to enhance redundancy, organizations employ at least two authoritative domain name system servers, one configured as the primary server and the other configured as the secondary server. Additionally, organizations typically deploy the servers in two geographically separated network subnetworks (i.e., not located in the same physical facility). For role separation, DNS servers with internal roles only process name and address resolution requests from within organizations (i.e., from internal clients). DNS servers with external roles only process name and address resolution information requests from clients external to organizations (i.e., on external networks including the Internet). Organizations specify clients that can access authoritative DNS servers in particular roles (e.g., by address ranges, explicit lists).

Reference Item Details

Reference: NIST 800-53 - Security and Privacy Controls for Federal Information Systems and Organizations

Related: SC-2,SC-20,SC-21,SC-24

Category: SYSTEM AND COMMUNICATIONS PROTECTION

Family: SYSTEM AND COMMUNICATIONS PROTECTION

Priority: P1

Baseline Impact: LOW,MODERATE,HIGH

Audit Items

View all Reference Audit Items

Name	Plugin	Audit Name
1.1 Ensure DNS server is configured	FortiGate	CIS Fortigate 7.0.x v1.3.0 L1
1.3 Dedicated Name Server Role	Unix	CIS BIND DNS v3.0.1 Authoritative Name Server
1.3 Dedicated Name Server Role	Unix	CIS BIND DNS v3.0.1 Caching Only Name Server
3.1.16 [LEGACY] Ensure That Microsoft Defender for DNS Is Set To 'On'	microsoft_azure	CIS Microsoft Azure Foundations v3.0.0 L2
5.7.4 The default namespace should not be used	OpenShift	CIS RedHat OpenShift Container Platform v1.6.0 L2
GEN001375 - For systems using DNS resolution, at least two name servers must be configured	Unix	DISA STIG for Red Hat Enterprise Linux 5 v1r18 Audit
GEN001375 - For systems using DNS resolution, at least two name servers must be configured - first name server	Unix	DISA STIG for Oracle Linux 5 v2r1
GEN001375 - For systems using DNS resolution, at least two name servers must be configured - first name server	Unix	DISA STIG for Red Hat Enterprise Linux 5 v1r18 Audit
GEN001375 - For systems using DNS resolution, at least two name servers must be configured - second name server	Unix	DISA STIG for Oracle Linux 5 v2r1
GEN001375 - For systems using DNS resolution, at least two name servers must be configured - second name server	Unix	DISA STIG for Red Hat Enterprise Linux 5 v1r18 Audit

Detections

Analytics