Configure the network to limit zone transfers to trusted servers. CC ID: 01876
Register all Domain Names associated with the organization to the organization and not an individual. CC ID: 07210
SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
Proper configuration of routers to meet an organization's system requirements is called for. (§ V.8, OECD / World Bank Technology Risk Checklist, Version 7.3)
Does the system disable recursion and glue fetching to defend against Domain Name Server cache poisoning? (App Table Active Content Filtering Row 2.g, OECD / World Bank Technology Risk Checklist, Version 7.3)
Services should be disabled when not in use. (§ 1.2 (2.3.1.030), The Center for Internet Security Wireless Networking Benchmark, Apple Addendum, 1)
Domain Name Servers should be deployed in a structured, hierarchical way with the internal network clients configured to send requests to intranet servers, not servers on the Internet. (Critical Control 19.3, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
The organization should enable Domain Name System query logging. (Critical Control 5.16, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
In the event their use is required, CSP DNS services, including URL redirection and dynamic DNS solutions along with implemented DNS protections, will be assessed and approved as appropriate for the CSO's DoD PA. CSP DNS services must be protected using a DNS proxy and must support DNSSec. The DoD PA w… (Section 5.10.4.2 ¶ 7, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
The DNS system should be secure. Increased use of address verification and out-of-band management is also recommended. (Pg 30, Pg 31, The National Strategy to Secure Cyberspace, February 2003)
Installation and Configuration of Network Bridge on the DNS Domain Network should be properly configured.
Technical Mechanisms:
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Network Connections\NC_AllowNetBridge_NLA
Parameters:
(1) enabled/disabled
References:
CCE-896
8.3.9.2 Network… (CCE-3443-9, Common Configuration Enumeration List, Combined XML: Windows Server 2003, 5.20130214)
Restrict services that could be used in DoS attacks, such as configuring the DNS servers to not permit recursion. (§ 4.2.2, Computer Security Incident Handling Guide, NIST SP 800-61, Revision 1)