This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The information system requests and performs data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources.
NIST 800-53 (r4) Supplemental Guidance:
Each client of name resolution services either performs this validation on its own, or has authenticated channels to trusted validation providers. Information systems that provide name and address resolution services for local clients include, for example, recursive resolving or caching domain name system (DNS) servers. DNS client resolvers either perform validation of DNSSEC signatures, or clients use authenticated channels to recursive resolvers that perform such validations. Information systems that use technologies other than the DNS to map between host/service names and network addresses provide other means to enable clients to verify the authenticity and integrity of response data. Related controls: SC-20, SC-22.
NIST 800-53 (r5) Discussion:
Each client of name resolution services either performs this validation on its own or has authenticated channels to trusted validation providers. Systems that provide name and address resolution services for local clients include recursive resolving or caching domain name system (DNS) servers. DNS client resolvers either perform validation of DNSSEC signatures, or clients use authenticated channels to recursive resolvers that perform such validations. Systems that use technologies other than the DNS to map between host and service names and network addresses provide some other means to enable clients to verify the authenticity and integrity of response data.
38North Guidance:
Meets Minimum Requirement:
Utilize separate, dedicated name server instances for authoritative and recursive functions (i.e., do not configure a single name server to provide authoritative and recursive functions).
Configure recursive and caching name servers to pass/request DNSSEC data and perform DNSSEC validation.
Best Practice:
Recursive name servers should be placed behind the organization's firewall and configured to accept queries only from internal hosts (e.g., the stub resolvers on enterprise endpoints), so that the recursive service is not exposed to the Internet.
Enterprise firewalls should consider restricting outbound DNS traffic to only the enterprise’s designated recursive name servers.
Secure network communications to and from recursive name servers with FIPS 140-2 validated encryption (for example, DNS over TLS between stub resolvers and the recursive server).
Utilize the latest supported version of name server software and enable the security features it provides.
Unofficial FedRAMP Guidance:
DNS forwarders do not have to be DNSSEC-aware, provided they forward to a recursive resolver that performs DNSSEC validation. A forwarder that strips the EDNS0 DO bit or the AD bit from responses prevents downstream clients from validating, or from trusting, the answer, so forwarders should pass DNSSEC data through unchanged, consistent with the pass/request requirement above.
Assessment Evidence:
Configuration showing that DNSSEC validation is enabled on recursive name servers (e.g., dnssec-validation auto in BIND, or the equivalent setting in Unbound or Windows DNS). Recursive name servers should be configured to request and validate data origin authentication and integrity information from authoritative name servers.
Review the DNS server configuration to determine if recursion is being performed on an authoritative name server (e.g., recursion yes on a server that hosts primary or secondary zones, or a response from the authoritative server with the ra flag set). If an authoritative name server also performs recursion, this may be a finding.
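The following script is an added example, not part of the original page or of any vendor's tooling. It shows the two checks an assessor performs for this control: auditing BIND-style named.conf text for an authoritative server that also recurses and for a recursive server without DNSSEC validation, and reading dig(1) output for the ra and ad flags and the SERVFAIL status a validating resolver returns for a deliberately broken zone. The host names in the comments (auth.example.internal, resolver.example.internal), the sample configurations and the sample dig outputs are constructed for illustration; only the named.conf and dig syntax are real.

```shell
#!/bin/sh
# Added SC-21 assessment helper; not from the original page.
# Assumptions: BIND-style named.conf syntax and dig(1) header format.
# The configs, dig outputs and host names below are constructed samples.

# ---- Sample configurations (constructed) -------------------------------
# Compliant recursive validator: internal-only, DNSSEC validation on.
RECURSIVE_CONF=$(cat <<'EOF'
acl internal { 10.0.0.0/8; 172.16.0.0/12; };
options {
    recursion yes;
    allow-recursion { internal; };   // only stub resolvers inside the firewall
    allow-query { internal; };
    dnssec-validation auto;          // validate with the built-in root trust anchor
};
zone "." { type hint; file "root.hints"; };
EOF
)

# Compliant authoritative-only server: recursion off.
AUTH_CONF=$(cat <<'EOF'
options {
    recursion no;
    allow-query { any; };
};
zone "example.com" { type primary; file "db.example.com"; };
EOF
)

# Non-compliant: serves a zone, recurses, and the validation line is commented out.
MIXED_CONF=$(cat <<'EOF'
options {
    recursion yes;
    allow-query { any; };
    // dnssec-validation auto;
};
zone "example.com" { type master; file "db.example.com"; };
EOF
)

# Remove // and # comments so commented-out directives are not counted.
strip_comments() {
    printf '%s\n' "$1" | sed -e 's://.*$::' -e 's:#.*$::'
}

# audit_named_conf CONFIG_TEXT
# Prints "ok", or one FINDING line per violated requirement:
#   - primary/secondary zones on a server with recursion yes
#   - recursion yes without dnssec-validation auto|yes
audit_named_conf() {
    conf=$(strip_comments "$1")
    findings=0
    if printf '%s\n' "$conf" | grep -Eq 'recursion[[:space:]]+yes[[:space:]]*;'; then
        if printf '%s\n' "$conf" | grep -Eq 'type[[:space:]]+(primary|master|secondary|slave)[[:space:]]*;'; then
            echo "FINDING: authoritative zones served by a server with recursion yes"
            findings=$((findings + 1))
        fi
        if ! printf '%s\n' "$conf" | grep -Eq 'dnssec-validation[[:space:]]+(auto|yes)[[:space:]]*;'; then
            echo "FINDING: recursive server without dnssec-validation auto|yes"
            findings=$((findings + 1))
        fi
    fi
    if [ "$findings" -eq 0 ]; then echo ok; fi
    return 0
}

# ---- dig(1) evidence (constructed sample outputs) -----------------------
# Live equivalents (not run here):
#   dig @auth.example.internal www.example.com A                # 'ra' must be absent
#   dig @resolver.example.internal +dnssec example.com A        # 'ad' expected
#   dig @resolver.example.internal +dnssec dnssec-failed.org A  # SERVFAIL expected
AUTH_OUT=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
GOOD_OUT=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
BAD_OUT=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# dig_flags DIG_OUTPUT -> the response flags, e.g. "qr rd ra ad"
dig_flags() {
    printf '%s\n' "$1" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p'
}
# dig_status DIG_OUTPUT -> the RCODE name, e.g. NOERROR or SERVFAIL
dig_status() {
    printf '%s\n' "$1" | sed -n 's/^;; ->>HEADER<<- opcode: [A-Z]*, status: \([A-Z]*\),.*/\1/p'
}
# has_flag "FLAGS" NAME -> success if NAME is one of the flags
has_flag() {
    printf ' %s ' "$1" | grep -q " $2 "
}
# authoritative_recurses DIG_OUTPUT -> yes if the server advertises recursion (ra)
authoritative_recurses() {
    if has_flag "$(dig_flags "$1")" ra; then echo yes; else echo no; fi
}
# resolver_validates SIGNED_OUT BOGUS_OUT -> yes if the signed answer carries
# 'ad' and the deliberately broken domain is refused with SERVFAIL
resolver_validates() {
    if has_flag "$(dig_flags "$1")" ad && [ "$(dig_status "$2")" = SERVFAIL ]; then
        echo yes
    else
        echo no
    fi
}

echo "recursive validator config: $(audit_named_conf "$RECURSIVE_CONF")"
echo "authoritative-only config:  $(audit_named_conf "$AUTH_CONF")"
echo "mixed config:"; audit_named_conf "$MIXED_CONF"
echo "authoritative server offers recursion: $(authoritative_recurses "$AUTH_OUT")"
echo "recursive resolver validates DNSSEC:   $(resolver_validates "$GOOD_OUT" "$BAD_OUT")"
```

The ad flag alone is not sufficient evidence of validation, since a non-validating forwarder can pass it through from upstream; pairing it with a SERVFAIL for a known-bogus zone queried against the same server shows the server itself is doing the work. Configuration review catches the commented-out directive case, which a grep for the bare keyword would miss.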
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD