800-53|SC-20

Title

SECURE NAME / ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE)

Description

The information system:

Supplemental

This control enables external clients including, for example, remote Internet clients, to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service. Information systems that provide name and address resolution services include, for example, domain name system (DNS) servers. Additional artifacts include, for example, DNS Security (DNSSEC) digital signatures and cryptographic keys. DNS resource records are examples of authoritative data. The means to indicate the security status of child zones includes, for example, the use of delegation signer resource records in the DNS. The DNS security controls reflect (and are referenced from) OMB Memorandum 08-23. Information systems that use technologies other than the DNS to map between host/service names and network addresses provide other means to assure the authenticity and integrity of response data.

Reference Item Details

Related: AU-10,SC-12,SC-13,SC-21,SC-22,SC-8

Category: SYSTEM AND COMMUNICATIONS PROTECTION

Family: SYSTEM AND COMMUNICATIONS PROTECTION

Priority: P1

Baseline Impact: LOW,MODERATE,HIGH

Audit Items

View all Reference Audit Items

NamePluginAudit Name
1.1 Ensure DNS server is configured - dns server 1FortiGateCIS Fortigate Level 1 v1.0.0
1.1 Ensure DNS server is configured - dns server 2FortiGateCIS Fortigate Level 1 v1.0.0
1.5.7 Ensure DNS is servers are configured - nameserver 1UnixCIS Amazon Linux 2 STIG v1.0.0 L3
1.5.7 Ensure DNS is servers are configured - nameserver 2UnixCIS Amazon Linux 2 STIG v1.0.0 L3
2.1.6 Ensure DNS server is configured - primaryCheckPointCIS Check Point Firewall L1 v1.1.0
2.1.11 Ensure That Microsoft Defender for DNS Is Set To 'On'microsoft_azureCIS Microsoft Azure Foundations v1.5.0 L2
3.1 Ensure DNS services are configured correctly - name-serverCiscoCIS Cisco Firewall v8.x L1 v4.2.0
3.2 Restrict Recursive Queries - Authoritative Name ServerUnixCIS BIND DNS v3.0.1 Authoritative Name Server
3.3 Restrict Query OriginsUnixCIS BIND DNS v3.0.1 Caching Only Name Server
3.3 Restrict Query OriginsUnixCIS BIND DNS v3.0.1 Authoritative Name Server
3.4 Restrict Queries of the Cache - Authoritative OnlyUnixCIS BIND DNS v3.0.1 Authoritative Name Server
5.4 CIFS - 'dns.domainname has been configured'NetAppTNS NetApp Data ONTAP 7G
5.4 CIFS - 'dns.enable = on'NetAppTNS NetApp Data ONTAP 7G
5.4 CIFS - 'dns.update.enable = on or secure'NetAppTNS NetApp Data ONTAP 7G
5.7.4 The default namespace should not be used - BuildConfigsOpenShiftCIS RedHat OpenShift Container Platform 4 v1.2.0 L2
5.7.4 The default namespace should not be used - BuildsOpenShiftCIS RedHat OpenShift Container Platform 4 v1.2.0 L2
5.7.4 The default namespace should not be used - CronJobsOpenShiftCIS RedHat OpenShift Container Platform 4 v1.2.0 L2
5.7.4 The default namespace should not be used - DaemonSetsOpenShiftCIS RedHat OpenShift Container Platform 4 v1.2.0 L2
5.7.4 The default namespace should not be used - DeploymentConfigsOpenShiftCIS RedHat OpenShift Container Platform 4 v1.2.0 L2
5.7.4 The default namespace should not be used - DeploymentsOpenShiftCIS RedHat OpenShift Container Platform 4 v1.2.0 L2
5.7.4 The default namespace should not be used - HorizontalPodAutoScalersOpenShiftCIS RedHat OpenShift Container Platform 4 v1.2.0 L2
5.7.4 The default namespace should not be used - ImageStreamsOpenShiftCIS RedHat OpenShift Container Platform 4 v1.2.0 L2
5.7.4 The default namespace should not be used - JobsOpenShiftCIS RedHat OpenShift Container Platform 4 v1.2.0 L2
5.7.4 The default namespace should not be used - PodsOpenShiftCIS RedHat OpenShift Container Platform 4 v1.2.0 L2
5.7.4 The default namespace should not be used - ReplicaSetsOpenShiftCIS RedHat OpenShift Container Platform 4 v1.2.0 L2
5.7.4 The default namespace should not be used - ReplicationControllersOpenShiftCIS RedHat OpenShift Container Platform 4 v1.2.0 L2
5.7.4 The default namespace should not be used - RoutesOpenShiftCIS RedHat OpenShift Container Platform 4 v1.2.0 L2
5.7.4 The default namespace should not be used - ServicesOpenShiftCIS RedHat OpenShift Container Platform 4 v1.2.0 L2
5.7.4 The default namespace should not be used - StatefulSetsOpenShiftCIS RedHat OpenShift Container Platform 4 v1.2.0 L2
6.1 Ensure Root Domain Alias Record Points to ELBamazon_awsCIS Amazon Web Services Three-tier Web Architecture L2 1.0.0
6.2 Ensure a DNS alias record for the root domainamazon_awsCIS Amazon Web Services Three-tier Web Architecture L2 1.0.0
7.4 Ensure Either SPF or DKIM DNS Records are ConfiguredUnixCIS BIND DNS v1.0.0 L2 Authoritative Name Server
8.3 Ensure Any Signing Keys using RSA Have a Length of 2048 or GreaterUnixCIS BIND DNS v1.0.0 L2 Authoritative Name Server
Adtran : Ensure a trusted, primary DNS server is setAdtranTNS Adtran AOS Best Practice Audit
Adtran : Ensure a trusted, secondary DNS server is setAdtranTNS Adtran AOS Best Practice Audit
DNS Profile - Address - DNS Server 1Cisco_ACITenable Cisco ACI
DNS Profile - Address - DNS Server 2Cisco_ACITenable Cisco ACI
DNS: A trusted primary DNS server is configuredAlcatelTNS Alcatel-Lucent TiMOS/Nokia SR-OS Best Practice Audit
DNS: A trusted secondary DNS server is configuredAlcatelTNS Alcatel-Lucent TiMOS/Nokia SR-OS Best Practice Audit
Ensure DNS services are configured correctly - name-serverCisco_FirepowerTenable Cisco Firepower Threat Defense Best Practices Audit
Ensure DNS services are configured correctly - name-serverCiscoTenable Cisco Firepower Best Practices Audit
FireEye - The appliance uses a trusted DNS serverFireEyeTNS FireEye
Fortigate - DNS - primary serverFortiGateTNS Fortigate FortiOS Best Practices v2.0.0
Fortigate - DNS - secondary serverFortiGateTNS Fortigate FortiOS Best Practices v2.0.0
Secure Name/address Resolution Service - Configure DNS servers - PrimaryCisco_ViptelaTenable Cisco Viptela SD-WAN - vSmart
Secure Name/address Resolution Service - Configure DNS servers - PrimaryCisco_ViptelaTenable Cisco Viptela SD-WAN - vEdge
Secure Name/address Resolution Service - Configure DNS servers - PrimaryCisco_ViptelaTenable Cisco Viptela SD-WAN - vManage
Secure Name/address Resolution Service - Configure DNS servers - PrimaryCisco_ViptelaTenable Cisco Viptela SD-WAN - vBond
SonicWALL - Review the DNS Server SettingsSonicWALLTNS SonicWALL v5.9
WDNS-SC-000003 - The Windows 2012 DNS Servers IP address must be statically defined and configured locally on the server.WindowsDISA Microsoft Windows 2012 Server DNS STIG v2r5