800-53|SC-21

Title

SECURE NAME / ADDRESS RESOLUTION SERVICE (RECURSIVE OR CACHING RESOLVER)

Description

The information system requests and performs data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources.

Supplemental

Each client of name resolution services either performs this validation on its own, or has authenticated channels to trusted validation providers. Information systems that provide name and address resolution services for local clients include, for example, recursive resolving or caching domain name system (DNS) servers. DNS client resolvers either perform validation of DNSSEC signatures, or clients use authenticated channels to recursive resolvers that perform such validations. Information systems that use technologies other than the DNS to map between host/service names and network addresses provide other means to enable clients to verify the authenticity and integrity of response data.

Reference Item Details

Related: SC-20,SC-22

Category: SYSTEM AND COMMUNICATIONS PROTECTION

Family: SYSTEM AND COMMUNICATIONS PROTECTION

Priority: P1

Baseline Impact: LOW,MODERATE,HIGH

Audit Items

Name | Plugin | Audit Name
1.1 Ensure DNS server is configured | FortiGate | CIS Fortigate 7.0.x Level 1 v1.2.0
2.1.6 Ensure DNS server is configured - secondary | CheckPoint | CIS Check Point Firewall L1 v1.1.0
2.1.6 Ensure DNS server is configured - tertiary | CheckPoint | CIS Check Point Firewall L1 v1.1.0
2.1.10 [LEGACY] Ensure That Microsoft Defender for DNS Is Set To 'On' | microsoft_azure | CIS Microsoft Azure Foundations v2.1.0 L2
3.2 Restrict Recursive Queries - Caching Name Server | Unix | CIS BIND DNS v3.0.1 Caching Only Name Server
3.4 Restrict Queries of the Cache - Caching Only | Unix | CIS BIND DNS v3.0.1 Caching Only Name Server
5.7.4 The default namespace should not be used - BuildConfigs | OpenShift | CIS RedHat OpenShift Container Platform 4 v1.5.0 L2
5.7.4 The default namespace should not be used - Builds | OpenShift | CIS RedHat OpenShift Container Platform 4 v1.5.0 L2
5.7.4 The default namespace should not be used - CronJobs | OpenShift | CIS RedHat OpenShift Container Platform 4 v1.5.0 L2
5.7.4 The default namespace should not be used - DaemonSets | OpenShift | CIS RedHat OpenShift Container Platform 4 v1.5.0 L2
5.7.4 The default namespace should not be used - DeploymentConfigs | OpenShift | CIS RedHat OpenShift Container Platform 4 v1.5.0 L2
5.7.4 The default namespace should not be used - Deployments | OpenShift | CIS RedHat OpenShift Container Platform 4 v1.5.0 L2
5.7.4 The default namespace should not be used - HorizontalPodAutoScalers | OpenShift | CIS RedHat OpenShift Container Platform 4 v1.5.0 L2
5.7.4 The default namespace should not be used - ImageStreams | OpenShift | CIS RedHat OpenShift Container Platform 4 v1.5.0 L2
5.7.4 The default namespace should not be used - Jobs | OpenShift | CIS RedHat OpenShift Container Platform 4 v1.5.0 L2
5.7.4 The default namespace should not be used - Pods | OpenShift | CIS RedHat OpenShift Container Platform 4 v1.5.0 L2
5.7.4 The default namespace should not be used - ReplicaSets | OpenShift | CIS RedHat OpenShift Container Platform 4 v1.5.0 L2
5.7.4 The default namespace should not be used - ReplicationControllers | OpenShift | CIS RedHat OpenShift Container Platform 4 v1.5.0 L2
5.7.4 The default namespace should not be used - Routes | OpenShift | CIS RedHat OpenShift Container Platform 4 v1.5.0 L2
5.7.4 The default namespace should not be used - Services | OpenShift | CIS RedHat OpenShift Container Platform 4 v1.5.0 L2
5.7.4 The default namespace should not be used - StatefulSets | OpenShift | CIS RedHat OpenShift Container Platform 4 v1.5.0 L2
18.4.7 Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled' | Windows | CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
18.4.7 Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled' | Windows | CIS Windows 7 Workstation Level 1 v3.2.0
Big Sur - Secure Name Address Resolution Service | Unix | NIST macOS Big Sur v1.4.0 - 800-53r4 Low
Big Sur - Secure Name Address Resolution Service | Unix | NIST macOS Big Sur v1.4.0 - 800-53r5 Low
Big Sur - Secure Name Address Resolution Service | Unix | NIST macOS Big Sur v1.4.0 - All Profiles
Big Sur - Secure Name Address Resolution Service | Unix | NIST macOS Big Sur v1.4.0 - 800-53r5 Moderate
Big Sur - Secure Name Address Resolution Service | Unix | NIST macOS Big Sur v1.4.0 - CNSSI 1253
Big Sur - Secure Name Address Resolution Service | Unix | NIST macOS Big Sur v1.4.0 - 800-53r4 Moderate
Big Sur - Secure Name Address Resolution Service | Unix | NIST macOS Big Sur v1.4.0 - 800-53r5 High
Big Sur - Secure Name Address Resolution Service | Unix | NIST macOS Big Sur v1.4.0 - 800-53r4 High
Catalina - Secure Name Address Resolution Service | Unix | NIST macOS Catalina v1.5.0 - 800-53r5 Moderate
Catalina - Secure Name Address Resolution Service | Unix | NIST macOS Catalina v1.5.0 - All Profiles
Catalina - Secure Name Address Resolution Service | Unix | NIST macOS Catalina v1.5.0 - 800-53r4 Low
Catalina - Secure Name Address Resolution Service | Unix | NIST macOS Catalina v1.5.0 - 800-53r5 High
Catalina - Secure Name Address Resolution Service | Unix | NIST macOS Catalina v1.5.0 - 800-53r4 High
Catalina - Secure Name Address Resolution Service | Unix | NIST macOS Catalina v1.5.0 - 800-53r5 Low
Catalina - Secure Name Address Resolution Service | Unix | NIST macOS Catalina v1.5.0 - CNSSI 1253
Catalina - Secure Name Address Resolution Service | Unix | NIST macOS Catalina v1.5.0 - 800-53r4 Moderate
MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers | Windows | MSCT Windows Server 2016 MS v1.0.0
MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers | Windows | MSCT Windows Server v20H2 DC v1.0.0
MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers | Windows | MSCT Windows Server v2004 DC v1.0.0
MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers | Windows | MSCT Windows Server 1903 MS v1.19.9
MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers | Windows | MSCT Windows 11 v1.0.0
MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers | Windows | MSCT Windows Server v1909 DC v1.0.0
MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers | Windows | MSCT Windows Server v2004 MS v1.0.0
MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers | Windows | MSCT Windows Server 2019 DC v1.0.0
MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers | Windows | MSCT Windows Server 2019 MS v1.0.0
MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers | Windows | MSCT Windows Server 2022 v1.0.0
MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers | Windows | MSCT Windows Server v20H2 MS v1.0.0