This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The information systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal/external role separation.
NIST 800-53 (r4) Supplemental Guidance:
Information systems that provide name and address resolution services include, for example, domain name system (DNS) servers. To eliminate single points of failure and to enhance redundancy, organizations employ at least two authoritative domain name system servers, one configured as the primary server and the other configured as the secondary server. Additionally, organizations typically deploy the servers in two geographically separated network subnetworks (i.e., not located in the same physical facility). For role separation, DNS servers with internal roles only process name and address resolution requests from within organizations (i.e., from internal clients). DNS servers with external roles only process name and address resolution information requests from clients external to organizations (i.e., on external networks including the Internet). Organizations specify clients that can access authoritative DNS servers in particular roles (e.g., by address ranges, explicit lists). Related controls: SC-2, SC-20, SC-21, SC-24.
NIST 800-53 (r5) Discussion:
Systems that provide name and address resolution services include domain name system (DNS) servers. To eliminate single points of failure in systems and enhance redundancy, organizations employ at least two authoritative domain name system servers—one configured as the primary server and the other configured as the secondary server. Additionally, organizations typically deploy the servers in two geographically separated network subnetworks (i.e., not located in the same physical facility). For role separation, DNS servers with internal roles only process name and address resolution requests from within organizations (i.e., from internal clients). DNS servers with external roles only process name and address resolution information requests from clients external to organizations (i.e., on external networks, including the Internet). Organizations specify clients that can access authoritative DNS servers in certain roles (e.g., by address ranges and explicit lists).
38North Guidance:
Meets Minimum Requirement:
Option 1: A single set of authoritative name servers running a split DNS configuration (separate internal and external views) for internal/external role separation, architected for high availability and fault-tolerance.
Utilize a redundant pair of authoritative name servers, each configured for split DNS. Split DNS serves separate zone data to internal and external clients (for example, BIND views selected by client source address), so the same zone name answers differently depending on where the query originates.
Ensure that the set of authoritative name servers is deployed across separate network segments (minimally) and geographical regions (preferably).
Option 2: Separate DNS servers for internal/external role separation architected for high availability and fault-tolerance.
Utilize two (2) sets of authoritative name servers: one (1) set located within a DMZ that is reachable only by external clients and carries only public records; and one (1) set located internally, unreachable from external networks and for the exclusive use of internal clients.
Ensure that each set of authoritative name servers is deployed across separate network segments (minimally) and geographical regions (preferably).
For options 1 and 2, ensure that supporting recursive/caching/forwarding name servers are deployed redundantly across network segments (minimally) and geographical regions (preferably).
Best Practice:
For each name server function (e.g., authoritative, recursive/forwarding/caching), utilize redundant name server pairs deployed across separate network segments and geographical regions.
External DNS servers must not be able to resolve internal hostnames: the external zone data (or view) contains only public records, so an external client querying an internal name receives NXDOMAIN rather than an internal address.
Utilize a hidden master (primary) authoritative name server and expose only the secondary servers to clients. Because the hidden master's address does not appear in the zone's NS records, an attacker enumerating the zone cannot identify it as a target; the hidden master should additionally restrict zone transfers and NOTIFY messages to the known secondaries.
Organizations specify clients that can access authoritative DNS servers in certain roles (e.g., by address ranges and explicit lists).
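The following BIND 9 named.conf fragment is an added example, not configuration from the 38North page or from any particular deployment. It shows how Option 1 (split DNS via views), the client access lists, and the hidden-master pattern fit together on one authoritative server. Zone names, hostnames, address ranges and the TSIG key names are placeholders (RFC 5737 documentation addresses); the secret values must be generated and replaced.

```conf
// Added example: hidden master for example.com serving a split (internal/external) zone.
// "type primary" is BIND 9.16+ syntax; older releases spell it "type master".

// Who is "internal" for role separation. Placeholder ranges.
acl "internal-clients" { 10.0.0.0/8; 172.16.0.0/12; localhost; };

// The publicly visible secondaries that appear in the zone's NS records.
acl "secondaries" { 192.0.2.53; 198.51.100.53; };

// TSIG keys let a secondary choose which view it transfers; without them the
// secondary would only ever receive the view matching its source address.
key "internal-xfer" { algorithm hmac-sha256; secret "REPLACE_WITH_BASE64_SECRET"; };
key "external-xfer" { algorithm hmac-sha256; secret "REPLACE_WITH_BASE64_SECRET"; };

options {
    directory "/var/named";
    listen-on { 10.0.0.10; };        // hidden master: this address is not in any NS record
    recursion no;                    // authoritative role only; recursion is a separate tier
    allow-transfer { none; };        // deny by default; opened per zone for secondaries only
    notify explicit;                 // send NOTIFY only to the servers listed below
    also-notify { 192.0.2.53; 198.51.100.53; };
};

view "internal" {
    // Internal addresses, or transfers signed with the internal key. A query
    // signed with the external key never lands here even from inside.
    match-clients { !key "external-xfer"; key "internal-xfer"; "internal-clients"; };
    allow-query { "internal-clients"; key "internal-xfer"; };
    zone "example.com" {
        type primary;
        file "internal/example.com.zone";    // includes internal hostnames
        allow-transfer { key "internal-xfer"; };
    };
};

view "external" {
    // Everyone else, including the Internet. Public records only.
    match-clients { key "external-xfer"; any; };
    allow-query { any; };
    zone "example.com" {
        type primary;
        file "external/example.com.zone";    // must contain no internal names
        allow-transfer { key "external-xfer"; };
    };
};
```

Views are matched in order, so the internal view comes first. Each secondary mirrors the two views and transfers each one using the corresponding key (via a `server` statement naming the key inside that view), which is why the external secondaries in the DMZ can also hold the internal view without ever answering internal names to external clients: their own `match-clients` decides which view a given client sees. Option 2 drops the views and instead runs the internal zone file only on the internal set and the external zone file only on the DMZ set.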
Unofficial FedRAMP Guidance:
None
Assessment Evidence:
Evidence of multiple authoritative name servers configured per role type and deployed across multiple network segments (minimally) and geographical regions (preferably).
Configuration showing that system components are configured to use two or more name servers of each type: two or more recursive resolvers in client resolver configuration, and two or more authoritative servers in each zone's NS records and parent delegation.
DNS configuration showing name/address resolution services are fault-tolerant and implement internal/external role separation.
Demonstration of DNS failover. If failover is not automated, assessors may ask for documented procedures for promoting a secondary name server to primary in the event the primary becomes unavailable.
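To show how the first three evidence items can be checked from captured query output rather than eyeballed, here is an added Python example (not from the 38North page or any assessment tool). It parses dig-style answer and header text and evaluates two SC-22 criteria: that a zone delegates to at least two name servers on at least two distinct network segments, and that an internal-only name queried against the external view is not resolved. All sample output is constructed inline with RFC 5737 addresses and placeholder names; the /24 network is used as a stand-in for "network segment", and geographic region cannot be read from DNS at all and must come from the asset inventory.

```python
"""Offline checks of SC-22 evidence from dig-style output (added example)."""
import ipaddress
import re

# --- Constructed sample evidence (placeholder names, RFC 5737 addresses) -----
# What `dig +noall +answer NS example.com` would show for a compliant zone.
NS_RECORDS = """\
example.com.        3600  IN  NS  ns1.example.com.
example.com.        3600  IN  NS  ns2.example.com.
"""
# Address records for the listed name servers, in two different /24s.
NS_ADDRESSES = """\
ns1.example.com.    3600  IN  A   192.0.2.53
ns2.example.com.    3600  IN  A   198.51.100.53
"""
# Two hosts on one /24: redundant servers but a single segment (should fail).
NS_ADDRESSES_SAME_SEGMENT = """\
ns1.example.com.    3600  IN  A   192.0.2.53
ns2.example.com.    3600  IN  A   192.0.2.54
"""
# `dig @<external-ns> intranet.example.com A` against a correctly separated
# external view: the internal name does not exist there.
EXTERNAL_VIEW_INTERNAL_QUERY = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4242
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
"""
# The same query against a misconfigured server that leaks the internal record.
EXTERNAL_VIEW_LEAK = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
intranet.example.com. 300 IN A 10.20.30.40
"""

# owner  ttl  IN  type  rdata   (single-token rdata: enough for NS/A/AAAA/CNAME)
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(\S+)$")


def parse_rrs(text):
    """Parse dig answer-section lines into (owner, type, rdata); skip ';' comments."""
    rrs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_RE.match(line)
        if m:
            owner, _ttl, rtype, rdata = m.groups()
            rrs.append((owner.lower(), rtype.upper(), rdata))
    return rrs


def check_fault_tolerance(ns_text, addr_text, v4_prefix=24, v6_prefix=64):
    """Redundancy criterion: >= 2 NS records resolving into >= 2 network segments.

    A segment is approximated by the containing /24 (IPv4) or /64 (IPv6).
    """
    ns_names = {rdata.lower() for _o, rtype, rdata in parse_rrs(ns_text) if rtype == "NS"}
    addrs = {owner: rdata for owner, rtype, rdata in parse_rrs(addr_text)
             if rtype in ("A", "AAAA")}
    segments = set()
    for name in ns_names:
        if name not in addrs:
            continue  # unresolvable NS: it adds no redundancy
        ip = ipaddress.ip_address(addrs[name])
        prefix = v4_prefix if ip.version == 4 else v6_prefix
        segments.add(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))
    return {
        "nameserver_count": len(ns_names),
        "distinct_segments": len(segments),
        "redundant": len(ns_names) >= 2 and len(segments) >= 2,
    }


def check_role_separation(dig_output):
    """Role-separation criterion: an internal-only name asked of the external
    view must come back NXDOMAIN with no address or alias records."""
    status = None
    for line in dig_output.splitlines():
        if "->>HEADER<<-" in line:
            m = re.search(r"status: (\w+)", line)
            status = m.group(1) if m else None
    leaked = [rr for rr in parse_rrs(dig_output) if rr[1] in ("A", "AAAA", "CNAME")]
    return status == "NXDOMAIN" and not leaked


if __name__ == "__main__":
    print("redundant:", check_fault_tolerance(NS_RECORDS, NS_ADDRESSES))
    print("same segment:", check_fault_tolerance(NS_RECORDS, NS_ADDRESSES_SAME_SEGMENT))
    print("external view hides internal name:",
          check_role_separation(EXTERNAL_VIEW_INTERNAL_QUERY))
    print("leaking server hides internal name:", check_role_separation(EXTERNAL_VIEW_LEAK))
```

In a real assessment the constructed strings are replaced by the captured output of `dig` run from an external vantage point against each listed authoritative server; the failover item (L28 above) still needs a live demonstration or the documented promotion procedure, since it cannot be inferred from static answers.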
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD