800-53|SC-20a.

Title

SECURE NAME / ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE)

Description

Provides additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and

Reference Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

Family: SYSTEM AND COMMUNICATIONS PROTECTION

Baseline Impact: LOW,MODERATE,HIGH

Audit Items

View all Reference Audit Items

NamePluginAudit Name
3.2.1 Restrict Recursive QueriesUnixCIS ISC BIND 9.0/9.5 v2.0.0
3.2.2 Restrict Query Origins 'allow-query'UnixCIS ISC BIND 9.0/9.5 v2.0.0
3.2.3 Restrict Access to Cache 'allow-query-cache'UnixCIS ISC BIND 9.0/9.5 v2.0.0
3.2.3 Restrict Access to Cache 'allow-recursion'UnixCIS ISC BIND 9.0/9.5 v2.0.0
3.3.2 Include TSIG key in named.conf 'TSIG key 1'UnixCIS ISC BIND 9.0/9.5 v2.0.0
3.3.2 Include TSIG key in named.conf 'TSIG key 2'UnixCIS ISC BIND 9.0/9.5 v2.0.0
3.4 Restrict Zone-Transfers 'Zone Transfer Server 1'UnixCIS ISC BIND 9.0/9.5 v2.0.0
3.4 Restrict Zone-Transfers 'Zone Transfer Server 2'UnixCIS ISC BIND 9.0/9.5 v2.0.0
3.5.1 Using Update Policy 'grant'UnixCIS ISC BIND 9.0/9.5 v2.0.0
3.5.1 Using Update Policy 'keys'UnixCIS ISC BIND 9.0/9.5 v2.0.0
3.5.1 Using Update Policy 'zone'UnixCIS ISC BIND 9.0/9.5 v2.0.0
3.5.2 Enable GSS-TSIG 'algorithm'UnixCIS ISC BIND 9.0/9.5 v2.0.0
3.5.2 Enable GSS-TSIG 'key'UnixCIS ISC BIND 9.0/9.5 v2.0.0
3.5.2 Enable GSS-TSIG 'tkey-domain'UnixCIS ISC BIND 9.0/9.5 v2.0.0
3.5.2 Enable GSS-TSIG 'tkey-gssapi-credential'UnixCIS ISC BIND 9.0/9.5 v2.0.0
3.6 Implement DNSSEC 'dnssec-enable'UnixCIS ISC BIND 9.0/9.5 v2.0.0
3.6 Implement DNSSEC 'dnssec-validation'UnixCIS ISC BIND 9.0/9.5 v2.0.0
3.6 Implement DNSSEC 'INCLUDE'UnixCIS ISC BIND 9.0/9.5 v2.0.0
4.3 Use Unique Keys for Each Pair of Hosts - unique secretUnixCIS BIND DNS v3.0.1 Authoritative Name Server
4.3 Use Unique Keys for Each Pair of Hosts - unique secretUnixCIS BIND DNS v3.0.1 Caching Only Name Server
7.2 Enable DNSSEC Validation - dnssec-enableUnixCIS BIND DNS v3.0.1 Caching Only Name Server
7.2 Enable DNSSEC Validation - dnssec-validationUnixCIS BIND DNS v3.0.1 Caching Only Name Server
BIND-9X-001200 - A BIND 9.x server implementation must maintain the integrity and confidentiality of DNS information while it is being prepared for transmission, in transmission, and in use and t must perform integrity verification and data origin verification for all DNS information - dnssec-enableUnixDISA BIND 9.x STIG v2r2
BIND-9X-001200 - A BIND 9.x server implementation must maintain the integrity and confidentiality of DNS information while it is being prepared for transmission, in transmission, and in use and t must perform integrity verification and data origin verification for all DNS information - KSKUnixDISA BIND 9.x STIG v2r2
BIND-9X-001200 - A BIND 9.x server implementation must maintain the integrity and confidentiality of DNS information while it is being prepared for transmission, in transmission, and in use and t must perform integrity verification and data origin verification for all DNS information - zoneUnixDISA BIND 9.x STIG v2r2
BIND-9X-001200 - A BIND 9.x server implementation must maintain the integrity and confidentiality of DNS information while it is being prepared for transmission, in transmission, and in use and t must perform integrity verification and data origin verification for all DNS information - ZSKUnixDISA BIND 9.x STIG v2r2
EX13-EG-000080 - Exchange Internet-facing Send connectors must specify a Smart Host.WindowsDISA Microsoft Exchange 2013 Edge Transport Server STIG v1r5
EX13-MB-000105 - Exchange Internet-facing Send connectors must specify a Smart Host.WindowsDISA Microsoft Exchange 2013 Mailbox Server STIG v2r2
EX16-ED-000160 - Exchange Internet-facing Send connectors must specify a Smart Host.WindowsDISA Microsoft Exchange 2016 Edge Transport Server STIG v2r3
EX16-MB-000210 - Exchange Internet-facing Send connectors must specify a Smart Host.WindowsDISA Microsoft Exchange 2016 Mailbox Server STIG v2r4
WDNS-SC-000002 - The Windows 2012 DNS Server must include data origin with authoritative data the system returns in response to external name/address resolution queries.WindowsDISA Microsoft Windows 2012 Server DNS STIG v2r5
WDNS-SC-000006 - WINS lookups must be disabled on the Windows 2012 DNS Server.WindowsDISA Microsoft Windows 2012 Server DNS STIG v2r5
WDNS-SC-000007 - The Windows 2012 DNS Server must use DNSSEC data within queries to confirm data integrity to DNS resolvers.WindowsDISA Microsoft Windows 2012 Server DNS STIG v2r5