
Configure the Domain Name System in accordance with organizational standards.


CONTROL ID
12202
CONTROL TYPE
Configuration
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain system hardening procedures., CC ID: 12001

This Control has the following implementation support Control(s):
  • Configure the Domain Name System query logging to organizational standards., CC ID: 12210
  • Configure the secure name/address resolution service (recursive or caching resolver)., CC ID: 01625
  • Configure the secure name/address resolution service (authoritative source)., CC ID: 01624
  • Configure DNS records in accordance with organizational standards., CC ID: 17083


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Configure trusted DNS servers on enterprise assets. Example implementations include: configuring assets to use enterprise-controlled DNS servers and/or reputable externally accessible DNS servers. (CIS Control 4: Safeguard 4.9 Configure Trusted DNS Servers on Enterprise Assets, CIS Controls, V8)
  • DNS will be permitted from internal DNS servers to internet service provider DNS servers. This flexibility will allow name resolution of external IP addresses. (FIREWALL SECURITY PUBLIC ACCESS POLICY: ¶ 6 Bullet 1, Guideline 662G1: Systems Security, 662G1-00)
  • Name servers that deploy DNSSEC signed zones or query signed zones should be configured to perform DNSSEC processing. (DOMAIN NAME SYSTEM SECURITY SECURE DNS QUERY/RESPONSE: ¶ 1, Guideline 662G1: Systems Security, 662G1-00)
  • To prevent the release of information about which version of BIND is running on a system, name servers should be configured to refuse queries for “version.bind”. (DOMAIN NAME SYSTEM SECURITY SECURE DNS HOSTING ENVIRONMENT: ¶ 7, Guideline 662G1: Systems Security, 662G1-00)
  • Configure Windows 2000/2003 DNS to prohibit WINS lookup. (DOMAIN NAME SYSTEM SECURITY CONFIGURATION OF WINDOWS 2000/2003 DNS: WINS Integration: ¶ 1, Guideline 662G1: Systems Security, 662G1-00)
  • A name server instance should always be configured as either an authoritative name server or a resolving name server. An authoritative name server should have recursion turned off. (DOMAIN NAME SYSTEM SECURITY SECURE DNS HOSTING ENVIRONMENT: ¶ 2, Guideline 662G1: Systems Security, 662G1-00)
  • For split DNS implementation, there should be a minimum of two physical files or views. One should exclusively provide name resolution for hosts located inside the firewall. It also can contain resource record (RR) sets for hosts outside the firewall. The other file or view should provide name resol… (DOMAIN NAME SYSTEM SECURITY SECURE DNS HOSTING ENVIRONMENT: ¶ 4, Guideline 662G1: Systems Security, 662G1-00)
  • Disable recursion on an authoritative Windows 2000/2003 DNS server. (DOMAIN NAME SYSTEM SECURITY CONFIGURATION OF WINDOWS 2000/2003 DNS: Forwarders and Recursion: ¶ 2, Guideline 662G1: Systems Security, 662G1-00)
  • Agencies must use the .gov domain for all official state and agency web site URLs published on the Internet unless approved by the CIO. (RESPONSIBILITIES: Agency Management, Information Technology Organization: Bullet 1, Policy 520: Domain Naming & Registration, 520-00)
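The BIND-specific items above (refusing "version.bind", running each instance as either authoritative or resolving with recursion off on the authoritative one, split DNS with two views, DNSSEC processing, and forwarding external lookups to ISP resolvers) map onto a small number of named.conf statements. The following is an added illustration written for this page, not configuration taken from Guideline 662G1 or from any named BIND deployment. The network ranges, zone name, file paths and forwarder addresses are placeholders chosen for the example; BIND 9.16 or later is assumed for the `primary` and `dnssec-policy` keywords (older releases use `master` and manual signing).

```conf
// ---- /etc/named.conf on the AUTHORITATIVE instance (example, assumed values) ----

// Hosts "inside the firewall" (assumed RFC 1918 ranges for the example).
acl "internal" { 10.0.0.0/8; 192.168.0.0/16; localhost; };

options {
    directory "/var/named";

    // Refuse CHAOS-class "version.bind" (and related) queries so the
    // running BIND version is not disclosed.
    version   none;
    hostname  none;
    server-id none;

    // This instance is authoritative only: recursion off for everyone,
    // and nothing served from a cache.
    recursion no;
    allow-recursion   { none; };
    allow-query-cache { none; };

    // Zone transfers only to sanctioned secondaries (none in this sketch).
    allow-transfer { none; };
};

// Split DNS: two views over the same zone name. The internal view answers
// hosts inside the firewall and may also carry RRsets for external hosts;
// the external view carries only what the Internet needs to see.
view "internal" {
    match-clients { internal; };
    zone "example.com" {            // assumed zone name
        type primary;
        file "internal/example.com.db";
    };
};

view "external" {
    match-clients { any; };
    zone "example.com" {
        type primary;
        file "external/example.com.db";
        // Publish a DNSSEC-signed zone; BIND keeps keys and signatures current.
        dnssec-policy default;
        inline-signing yes;
    };
};

// ---- /etc/named.conf on the separate RESOLVING (recursive/caching) instance ----

acl "internal" { 10.0.0.0/8; 192.168.0.0/16; localhost; };

options {
    directory "/var/named";
    version   none;
    hostname  none;
    server-id none;

    // Resolver role: recursion on, but only for internal clients.
    recursion yes;
    allow-query       { internal; };
    allow-recursion   { internal; };
    allow-query-cache { internal; };

    // Perform DNSSEC validation on answers from signed zones,
    // using the built-in root trust anchor.
    dnssec-validation auto;

    // External names go to the ISP resolvers the firewall policy permits
    // (addresses are placeholders from a documentation range).
    forwarders { 198.51.100.53; 198.51.100.54; };
    forward only;
};
```

After loading either file, `named-checkconf /etc/named.conf` validates the syntax, and `dig @<server> version.bind txt chaos` should come back without a version string while `dig @<authoritative> +recurse example.net` should return a REFUSED or non-recursive answer rather than a resolved external name. The Windows 2000/2003 items in the list are the same two ideas expressed in the DNS console: the "Disable recursion" option under the server's Advanced properties (also settable with `dnscmd /Config /NoRecursion 1`) and clearing "Use WINS forward lookup" on each zone's WINS tab.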