NIST 800-53 REV 5 • SYSTEM AND COMMUNICATIONS PROTECTION

SC-20 Secure Name/Address Resolution Service (Authoritative Source)

a. Provide additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and

b. Provide the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Providing authoritative source information enables external clients, including remote Internet clients, to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service. Systems that provide name and address resolution services include domain name system (DNS) servers. Additional artifacts include DNS Security Extensions (DNSSEC) digital signatures and cryptographic keys. Authoritative data includes DNS resource records. The means for indicating the security status of child zones include the use of delegation signer resource records in the DNS. Systems that use technologies other than the DNS to map between host and service names and network addresses provide other means to assure the authenticity and integrity of response data.

Practitioner Notes

Your authoritative DNS servers must provide data origin authentication and integrity verification: proof that a DNS response actually originated from your server and was not altered in transit.

Example 1: Implement DNSSEC on your authoritative DNS zones. Sign your zone files so that validating resolvers can verify the authenticity and integrity of your DNS records. A validating resolver then rejects forged responses (DNS cache poisoning) instead of accepting them.
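The supplemental guidance names the two artifacts SC-20 relies on: DNSSEC signatures and keys for part a., and delegation signer (DS) records in the parent zone for part b. The following is an added example (not part of the NIST control text or this page's practitioner notes) that shows the DS link of the chain of trust in working code: it serializes a child zone's DNSKEY, derives the key tag (RFC 4034 Appendix B) and the SHA-256 DS digest (RFC 4509) that the parent publishes, and then performs the validator-side check that a DS record matches the child's key. The zone name `example.com.` and the 64-byte public key are constructed placeholder values, not a real key.

```python
import hashlib
import hmac
import struct

# Constructed example values: not a real zone or key.
ZONE = "example.com."
FAKE_PUBLIC_KEY = bytes(range(64))  # placeholder for an ECDSA P-256 public key (algorithm 13)


def name_to_wire(name: str) -> bytes:
    """Encode an owner name in canonical (lowercase) wire format, RFC 4034 section 6.2."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """Serialize DNSKEY RDATA (RFC 4034 section 2.1): flags(2) | protocol(1) | algorithm(1) | key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes) -> bytes:
    """DS digest type 2 (SHA-256, RFC 4509): hash over canonical owner name || DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).digest()


def make_ds(owner: str, flags: int, protocol: int, algorithm: int, public_key: bytes) -> dict:
    """What the child zone operator hands to the parent: the DS record for its key-signing key."""
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key)
    return {
        "owner": owner.lower(),
        "key_tag": key_tag(rdata),
        "algorithm": algorithm,
        "digest_type": 2,
        "digest": ds_digest(owner, rdata),
    }


def ds_presentation(ds: dict) -> str:
    """Zone-file presentation form of the DS record, as published in the parent zone."""
    return (f"{ds['owner']} IN DS {ds['key_tag']} {ds['algorithm']} "
            f"{ds['digest_type']} {ds['digest'].hex().upper()}")


def verify_chain_link(ds: dict, owner: str, flags: int, protocol: int,
                      algorithm: int, public_key: bytes) -> bool:
    """Validator-side check: does the parent's DS record authenticate this child DNSKEY?

    A DS may only point at a zone key (Zone Key flag, bit 7 = 0x0100). Algorithm, key tag
    and digest must all agree; the digest comparison is constant-time.
    """
    if not flags & 0x0100:
        return False
    if ds["algorithm"] != algorithm or ds["digest_type"] != 2:
        return False
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key)
    if ds["key_tag"] != key_tag(rdata):
        return False
    return hmac.compare_digest(ds["digest"], ds_digest(owner, rdata))


if __name__ == "__main__":
    # Flags 257 = Zone Key + Secure Entry Point, i.e. a key-signing key; protocol is always 3.
    ds = make_ds(ZONE, 257, 3, 13, FAKE_PUBLIC_KEY)
    print(ds_presentation(ds))
    print("genuine key matches DS:", verify_chain_link(ds, ZONE, 257, 3, 13, FAKE_PUBLIC_KEY))
    # A substituted key (one byte different) must not validate against the published DS.
    tampered = bytes([FAKE_PUBLIC_KEY[0] ^ 0x01]) + FAKE_PUBLIC_KEY[1:]
    print("substituted key matches DS:", verify_chain_link(ds, ZONE, 257, 3, 13, tampered))
```

The DS record in the parent is what lets a validator extend trust downward: a child DNSKEY that does not hash to the published DS is rejected, which is how SC-20 part b. "indicates the security status of child zones". Operationally this is also the check worth running after every key rollover, because a DS in the parent that no longer matches any DNSKEY in the child makes the whole zone fail validation.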

Example 2: On your internal Active Directory DNS, configure secure dynamic updates so that only authenticated, domain-joined machines can update DNS records. This prevents unauthorized devices from registering rogue DNS entries that redirect traffic to malicious servers.