Secure the Domain Name System.


CONTROL ID
00540
CONTROL TYPE
Configuration
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Identify and control all network access controls., CC ID: 00529

This Control has the following implementation support Control(s):
  • Implement a fault-tolerant architecture., CC ID: 01626
  • Implement segregation of duties., CC ID: 11843
  • Configure the network to limit zone transfers to trusted servers., CC ID: 01876
  • Register all Domain Names associated with the organization to the organization and not an individual., CC ID: 07210


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • Proper configuration of routers to meet an organization's system requirements is called for. (§ V.8, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Does the system disable recursion and glue fetching to defend against Domain Name Server cache poisoning? (App Table Active Content Filtering Row 2.g, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Services should be disabled when not in use. (§ 1.2 (2.3.1.030), The Center for Internet Security Wireless Networking Benchmark, Apple Addendum, 1)
  • Domain Name Servers should be deployed in a structured, hierarchical way with the internal network clients configured to send requests to intranet servers, not servers on the Internet. (Critical Control 19.3, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • The organization should enable Domain Name System query logging. (Critical Control 5.16, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • In the event their use is required CSP DNS services including URL redirection and dynamic DNS solutions along with implemented DNS protections will be assessed and approved as appropriate for the CSO's DoD PA. CSP DNS services must be protected using a DNS proxy and must support DNSSec. The DoD PA w… (Section 5.10.4.2 ¶ 7, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • The DNS system should be secure. Increased use of address verification and out-of-band management is also recommended. (Pg 30, Pg 31, The National Strategy to Secure Cyberspace, February 2003)
  • Installation and Configuration of Network Bridge on the DNS Domain Network should be properly configured. Technical Mechanisms: (1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Network Connections\NC_AllowNetBridge_NLA Parameters: (1) enabled/disabled References: CCE-896 8.3.9.2 Network… (CCE-3443-9, Common Configuration Enumeration List, Combined XML: Windows Server 2003, 5.20130214)
  • Restrict services that could be used in DoS attacks, such as configuring the DNS servers to not permit recursion. (§ 4.2.2, Computer Security Incident Handling Guide, NIST SP 800-61, Revision 1)