SC-21-727 Secure Name/Address Resolution Service (Recursive or Caching Resolver)

System and Communications Protection
Protect
System Communications Protection
LOW, MOD, HIGH
P1
Yes
May 20, 2016

All Agency-controlled information resources shall use an approved authoritative source for all domain name service queries and shall block access to all other name services.

Lack of procedures to verify the authenticity and data integrity of name/address resolution responses might result in breaks in the chain of trust in the DNS infrastructure: a resolver that does not validate what it receives will accept forged or tampered answers and serve them to its clients.
The information system requests and performs data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources.
An automated mechanism (DNSSEC validation on the recursive or caching resolver) checks the authenticity and data integrity of responses along the DNS chain of trust, from the configured trust anchor down to the zone that answered.
The information system that provides name/address resolution service for local clients performs data origin authentication and data integrity verification on the resolution responses it receives from authoritative sources when requested by client systems.
Obtain procedures addressing secure name/address resolution practices and ascertain whether the organization performs data origin authentication and data integrity verification on the name/address resolution responses received by the systems that resolve names for local clients (such as recursive resolving or caching domain name system (DNS) servers).
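A practical way to assess the statement and the procedure above is to probe the resolver rather than read its configuration: a validating resolver returns the AD (Authenticated Data) flag for a correctly signed name and SERVFAIL for a name whose chain of trust is broken. The script below is an added example, not part of this control record or any agency tooling. It assumes `dig` from the BIND utilities is installed for the live check, and that the assessor supplies one correctly signed name and one deliberately broken name (a test zone the organization controls, or a public DNSSEC test domain); the dig header lines embedded in it are constructed, not captured, so that the classification logic can be exercised offline.

```shell
#!/bin/sh
# Added example for the SC-21 record above; not part of the original page.
# Classifies a recursive/caching resolver by whether it performs data origin
# authentication and integrity verification (DNSSEC validation) on answers
# and signals that to clients with the AD flag.
#
# Assumptions (mine, not the page's): `dig` is on PATH for the live check;
# the caller supplies one correctly signed name and one name whose chain of
# trust is deliberately broken.
#
# Resolver-side settings that produce the "validating" result (for reference):
#   unbound.conf:  auto-trust-anchor-file: "/var/lib/unbound/root.key"
#                  val-permissive-mode: no     (yes = weak: bogus data answered)
#   named.conf:    dnssec-validation auto;     (no  = weak: no validation)

# 0 if dig's header output carries the AD flag. A resolver sets AD only for
# data it validated itself; one that merely forwards answers never does.
has_ad_flag() {
    # dig prints e.g. ";; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, ..."
    printf '%s\n' "$1" | grep -Eq '^;; flags:[^;]* ad[ ;]'
}

# 0 if dig reports SERVFAIL, which is what a validating resolver returns when
# the RRSIGs or the DS/DNSKEY chain do not verify.
is_servfail() {
    printf '%s\n' "$1" | grep -Eq '^;; ->>HEADER<<-.*status: SERVFAIL,'
}

# Classify from two probe outputs. Prints one of:
#   validating   AD on the signed name and SERVFAIL on the broken one
#   no-ad        broken name fails but AD is never set, so clients cannot
#                distinguish validated from unvalidated data
#   permissive   broken name is answered: no validation, or permissive mode
classify() {
    good=$1; bad=$2
    if has_ad_flag "$good" && is_servfail "$bad"; then
        echo validating
    elif is_servfail "$bad"; then
        echo no-ad
    else
        echo permissive
    fi
}

# Live check. +dnssec sets the EDNS0 DO bit (the client asking for validation
# data); +noall +comments keeps only the header lines parsed above.
check_resolver() {
    resolver=$1; signed=$2; broken=$3
    good=$(dig @"$resolver" +dnssec +noall +comments "$signed" A)
    bad=$(dig @"$resolver" +dnssec +noall +comments "$broken" A)
    classify "$good" "$bad"
}

# Constructed dig header output (not captured from a real resolver), used so
# the classification runs offline.
VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4321
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
UNVALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4322
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
BOGUS=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4323
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# Usage: sh dnssec-check.sh RESOLVER_IP SIGNED_NAME BROKEN_NAME
# With no arguments, runs the offline demonstration on the constructed data.
if [ $# -eq 3 ]; then
    check_resolver "$1" "$2" "$3"
else
    echo "validating resolver: $(classify "$VALIDATED" "$BOGUS")"
    echo "forwarding resolver: $(classify "$UNVALIDATED" "$UNVALIDATED")"
fi
```

When a live probe reports `permissive` or `no-ad`, repeat the broken-name query with `+cd` (checking disabled): a validating resolver will then return the bogus data without AD, confirming that the earlier SERVFAIL came from validation rather than from an unreachable authoritative server.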