This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The information system:
(a) Provides additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and
(b) Provides the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace.
NIST 800-53 (r4) Supplemental Guidance:
This control enables external clients including, for example, remote Internet clients, to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service. Information systems that provide name and address resolution services include, for example, domain name system (DNS) servers. Additional artifacts include, for example, DNS Security (DNSSEC) digital signatures and cryptographic keys. DNS resource records are examples of authoritative data. The means to indicate the security status of child zones includes, for example, the use of delegation signer resource records in the DNS. The DNS security controls reflect (and are referenced from) OMB Memorandum 08-23. Information systems that use technologies other than the DNS to map between host/service names and network addresses provide other means to assure the authenticity and integrity of response data. Related controls: AU-10, SC-8, SC-12, SC-13, SC-21, SC-22.
NIST 800-53 (r5) Discussion:
Providing authoritative source information enables external clients, including remote Internet clients, to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service. Systems that provide name and address resolution services include domain name system (DNS) servers. Additional artifacts include DNS Security Extensions (DNSSEC) digital signatures and cryptographic keys. Authoritative data includes DNS resource records. The means for indicating the security status of child zones include the use of delegation signer resource records in the DNS. Systems that use technologies other than the DNS to map between host and service names and network addresses provide other means to assure the authenticity and integrity of response data.
38North Guidance:
Meets Minimum Requirement:
Utilize separate, dedicated name server instances for authoritative and recursive functions (i.e., do not configure a single name server to provide authoritative and recursive functions). Disable recursion on the authoritative name server.
Configure the authoritative name server with DNSSEC enabled.
Configure an authoritative name server to sign all zones and update the entire chain of trust with the signature.
Configure each child zone to upload its Delegation Signer (DS) record to the parent zone. A DS record is created when the parent zone digitally signs the hash of a child zone's public key. DS records are stored in the parent zone and establish a chain of trust between parent and child zones.
Best Practice:
Create a named list of trusted hosts for each of the different types of DNS transactions (e.g., query/response, zone transfer, dynamic update). Trusted hosts include, but are not limited to: DMZ hosts defined in any of the zones in the enterprise; all secondary name servers allowed to initiate zone transfers; and internal hosts allowed to perform recursive queries.
Utilize Hash-Based Message Authentication Codes (HMAC) for zone transfers and dynamic updates (DNSSEC provides protection for DNS query/response transactions). Generate a unique key for each pair of communicating hosts within the DNS architecture.
Ensure that the host on which the DNS software resides runs a hardened operating system with the latest patches. Configure the host to provide DNS services only (i.e., restrict incoming ports/protocols to 53/UDP and 53/TCP, and configure outgoing DNS messages to be sent from a random source port). Limit, or preferably remove, all non-DNS services running on the host.
Filter DNS traffic through a security appliance that checks the queried domain against a list of known-bad domains. This is a common feature of next-generation firewalls, Intrusion Prevention Systems (IPS), etc.
Utilize the latest version of name server software and configure the use of new security features.
Run the name server software as a non-privileged user with access restricted to specified directories.
Disable version query for DNS software.
Ensure that only authorized clients can update DNS zone records.
Utilize FIPS 140-2 validated cryptographic modules for DNSSEC digital signatures and for encryption of data at rest (e.g., DNS zone data) and in transit (e.g., network communications between DNS clients and servers).
Unofficial FedRAMP Guidance:
None
Assessment Evidence:
Configuration showing that DNSSEC is enabled on all authoritative name servers.
Verify that the zones hosted by the authoritative name server have been digitally signed.
Verify that the hash of each child zone's public key matches the corresponding DS record from the parent zone.
Review the DNS server configuration to determine if recursion is being performed on an authoritative name server. If an authoritative name server also performs recursion, this may be a finding.
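The DS step in the minimum requirements (the child zone's DS record is the hash of its public key, held by the parent) and the assessment items above (DS matches the child's key; zones are signed; no recursion on the authoritative server), worked through in Python as an added example. This is not 38North's code and not the code of any DNS product. It assumes the child's key-signing key is published as a DNSKEY with flags 257, protocol 3 and algorithm 13 (ECDSAP256SHA256); the zone name example.test, the key bytes, the dig-style output and the RRSIG line are all constructed for the example.

```python
"""Chain-of-trust and authoritative-response checks for DNSSEC assessments.

Added example, not code from the 38North guidance page. It implements the
DS digest of RFC 4034 section 5.1.4 (SHA-256 over the canonical wire-format
owner name followed by the DNSKEY RDATA) and the key tag of RFC 4034
Appendix B, then audits constructed dig-style output for the assessment
items: authoritative answer, recursion not offered, and RRSIGs present.
"""
import hashlib
import re


def wire_name(name: str) -> bytes:
    """Canonical wire-format owner name (lowercase, RFC 4034 section 6.2)."""
    stripped = name.rstrip(".").lower()
    labels = stripped.split(".") if stripped else []
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """Serialise DNSKEY RDATA: flags (2 bytes), protocol (1), algorithm (1), key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag from RFC 4034 Appendix B (all algorithms except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, flags: int, protocol: int, algorithm: int, pubkey: bytes) -> dict:
    """Build the DS record (digest type 2 = SHA-256) the child uploads to the parent."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest()
    return {"key_tag": key_tag(rdata), "algorithm": algorithm,
            "digest_type": 2, "digest": digest}


def ds_matches(parent_ds: dict, owner: str, flags: int, protocol: int,
               algorithm: int, pubkey: bytes) -> bool:
    """Assessment check: does the parent's DS match the child's published DNSKEY?"""
    expected = make_ds(owner, flags, protocol, algorithm, pubkey)
    return (parent_ds["key_tag"] == expected["key_tag"]
            and parent_ds["algorithm"] == expected["algorithm"]
            and parent_ds["digest_type"] == 2
            and parent_ds["digest"].lower() == expected["digest"])


FLAGS_RE = re.compile(r"^;; flags: ([a-z ]*);")


def audit_response(dig_output: str) -> dict:
    """Classify a dig answer from an authoritative server against the evidence items."""
    flags: set = set()
    signed = False
    for line in dig_output.splitlines():
        m = FLAGS_RE.match(line)
        if m:
            flags = set(m.group(1).split())
        elif not line.startswith(";") and re.search(r"\sIN\s+RRSIG\s", line):
            signed = True
    result = {
        "authoritative": "aa" in flags,
        "recursion_available": "ra" in flags,  # a finding on an authoritative server
        "signed": signed,
    }
    result["passes"] = (result["authoritative"] and result["signed"]
                        and not result["recursion_available"])
    return result


# Constructed sample: child KSK (flags 257, protocol 3, ECDSAP256SHA256 = 13).
# A real P-256 key is 64 bytes; these four bytes only exercise the arithmetic.
CHILD_KSK = (257, 3, 13, b"\x12\x34\x56\x78")

# Constructed dig-style output from a correctly configured authoritative server.
SAMPLE_GOOD = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.test.  3600  IN  SOA    ns1.example.test. hostmaster.example.test. 2024010101 7200 3600 1209600 3600
example.test.  3600  IN  RRSIG  SOA 13 2 3600 20240201000000 20240101000000 27834 example.test. c2lnbmF0dXJl
"""

# Constructed output from a server that offers recursion and returns no RRSIG.
SAMPLE_BAD = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.test.  3600  IN  SOA    ns1.example.test. hostmaster.example.test. 2024010101 7200 3600 1209600 3600
"""

if __name__ == "__main__":
    ds = make_ds("example.test.", *CHILD_KSK)
    print("DS to upload to parent:", ds)
    print("parent DS matches child key:", ds_matches(ds, "example.test.", *CHILD_KSK))
    print("good server:", audit_response(SAMPLE_GOOD))
    print("bad server:", audit_response(SAMPLE_BAD))
```

In practice the DNSKEY and DS inputs come from queries to the child and parent zones respectively, and the dig output from a non-recursive query sent directly to each authoritative server; the "ra" flag in that answer is what turns the recursion check in the last assessment item into a finding.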
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD