Ensure That DNSSEC Is Enabled for Cloud DNS

MEDIUM

Description

Description:

Cloud Domain Name System (DNS) is a fast, reliable and cost-effective domain name system that powers millions of domains on the internet. Domain Name System Security Extensions (DNSSEC) in Cloud DNS enables domain owners to take easy steps to protect their domains against DNS hijacking and man-in-the-middle and other attacks.

Rationale:

Domain Name System Security Extensions (DNSSEC) adds security to the DNS protocol by enabling DNS responses to be validated. Having a trustworthy DNS that translates a domain name like www.example.com into its associated IP address is an increasingly important building block of today's web-based applications. Attackers can hijack this process of domain/IP lookup and redirect users to a malicious site through DNS hijacking and man-in-the-middle attacks. DNSSEC helps mitigate the risk of such attacks by cryptographically signing DNS records. As a result, it prevents attackers from issuing fake DNS responses that may misdirect browsers to nefarious websites.

Remediation

From Google Cloud Console

Go to 'Cloud DNS' by visiting https://console.cloud.google.com/net-services/dns/zones.
For each zone of 'Type' 'Public', set 'DNSSEC' to 'On'.

From Google Cloud CLI

Use the below command to enable 'DNSSEC' for Cloud DNS Zone Name.

gcloud dns managed-zones update ZONE_NAME --dnssec-state on

Policy Details

Rule Reference ID: AC_GCP_0014

CSP: GCP

Remediation Available: Yes

Domain: Infrastructure Security

Resource: google_dns_managed_zone

Resource Category: Virtual Network

Resource Type: Cloud DNS

Frameworks

CIS Google Cloud Platform Foundations v2.0.0 Level 1
CIS Google Cloud Platform Foundations v1.3.0 Level 1
CSCv8
NIST-800-53
NIST-800-171
NIST-CSF
GDPR
HIPAA
CSCv7
SOC2
CIS Google Cloud Platform Foundations v1.2.0 Level 1

Detections

Analytics