SC-21-727 Secure Name/Address Resolution Service (Recursive or Caching Resolver)

Secure Name/Address Resolution Service (Recursive or Caching Resolver)

Control ID

SC-21-727

Control Name

Secure Name/Address Resolution Service (Recursive or Caching Resolver)

Control Category

System and Communications Protection

Functional Areas

Protect

Sub-Areas

System Communications Protection

NIST Baseline Level(s)

LOW, MOD, HIGH

NIST Priority

State Implementation Required

Yes

Agency Last Implemented Date

May 20, 2016

Agency Implementation

All Agency controlled information resources shall use an approved authoritative source for all domain name service queries, and block access to all other name services.

Risk Statement

Lack of procedures to verify the authenticity and data integrity of the name/address resolution responses might result in potential breaks to the chain of trust in the DNS infrastructure.

Control Description

The information system requests and performs data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources.

Control Example

An automated mechanism considers the authenticity and data integrity of the DNS trust levels.

State Implementation

The information system that provides name/address resolution service for local clients performs data origin authentication and data integrity verification on the resolution responses it receives from authoritative sources when requested by client systems.

Testing Procedures

Obtain procedures addressing secure addressing practices and ascertain if the organization performs data origin authentication and data integrity verification on the name/address resolution responses (such as recursive resolving or caching domain name system (DNS) servers)