Reference: CMMC 1.02
Level Introduced: 3
Implement Domain Name System (DNS) filtering services.
Domain Name System (DNS) filtering blocks access to specific domain names (and, with some products, the IP addresses they resolve to) by refusing to resolve them. The organization should use DNS filtering to prevent access to known malicious websites or to categories of websites. When a client asks the filtering resolver for a blocked name, the resolver returns no usable address for it (typically an NXDOMAIN response or a sinkhole address) instead of the real one, so the connection is never made. A commercial DNS filtering service can be used. The control is only as strong as the requirement that clients actually use the filtering resolver: a host that is pointed at another public resolver, or that sends DNS over HTTPS to a third-party service, bypasses it, so outbound DNS from the enterprise should be limited to the approved resolvers.
You are in charge of IT operations for your company. Part of your role is to implement web browser protections. To do this, you purchase a commercial DNS filtering application or service and configure your enterprise environment so that all clients resolve names through it. The configuration blocks users from accessing known malicious websites. The service provider is responsible for keeping its list of known malicious websites current. As an administrator, you can tune the filtering for your organization as appropriate, adding domains to block or allowing websites that were previously blocked.
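The following is an added example, not CMMC text or any vendor's code, of what a filtering resolver does with a query: it matches the queried name and its parent domains against a blocklist and an administrator allowlist, and for blocked names hands the client a synthetic answer (NXDOMAIN, or a sinkhole A record) so no real IP address is ever returned. The blocklist, allowlist, sinkhole address and all function names are constructed for illustration; only the Python standard library is used and nothing touches the network.

```python
"""DNS filtering resolver logic: policy decision plus a synthetic answer for
blocked names (pure Python standard library, no network access).

Added example: the blocklist, allowlist, sinkhole address and helper names
are constructed for illustration; they are not a vendor feed or CMMC text."""
import struct

BLOCKLIST = {"malware.example", "phishing.example", "ads.example"}   # constructed
ALLOWLIST = {"cdn.ads.example"}   # constructed: admin override under a blocked parent
SINKHOLE_IP = "192.0.2.1"         # RFC 5737 documentation address standing in for a sinkhole
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3


def normalize(name: str) -> str:
    """Lower-case and drop the trailing dot so 'Evil.EXAMPLE.' == 'evil.example'."""
    return name.rstrip(".").lower()


def decide(name: str) -> str:
    """Return 'allow' or 'block'; the most specific matching suffix wins.

    Checking parents matters: blocking 'malware.example' must also block
    'cdn.malware.example', or the filter is bypassed with any subdomain.
    """
    labels = normalize(name).split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in ALLOWLIST:
            return "allow"
        if suffix in BLOCKLIST:
            return "block"
    return "allow"


def encode_name(name: str) -> bytes:
    """Wire-format name: length-prefixed labels ending in the root label."""
    return b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in normalize(name).split(".")) + b"\x00"


def decode_name(msg: bytes, off: int):
    """Read an uncompressed name at msg[off:], return (name, next offset)."""
    labels = []
    while True:
        ln = msg[off]
        off += 1
        if ln == 0:
            return ".".join(labels), off
        if ln & 0xC0:
            raise ValueError("compression pointer not expected in a question")
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """A client's recursive A query (RD=1, QTYPE=A, QCLASS=IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def filter_query(query: bytes, mode: str = "nxdomain"):
    """Apply the policy to a raw query. Returns (verdict, response bytes or None).

    Allowed names would be forwarded upstream (not done here). Blocked names get
    a synthetic answer so the client never learns the real address: NXDOMAIN,
    or a sinkhole A record when mode == 'sinkhole' (useful for logging attempts).
    """
    txid, flags, *_ = struct.unpack("!HHHHHH", query[:12])
    qname, off = decode_name(query, 12)
    qtype, _qclass = struct.unpack("!HH", query[off:off + 4])
    question = query[12:off + 4]
    verdict = decide(qname)
    if verdict == "allow":
        return verdict, None
    if mode == "sinkhole" and qtype == 1:
        rcode, ancount = RCODE_NOERROR, 1
        answer = (b"\xc0\x0c"                                  # pointer to QNAME at offset 12
                  + struct.pack("!HHIH", 1, 1, 60, 4)          # A, IN, TTL 60, RDLENGTH 4
                  + bytes(int(o) for o in SINKHOLE_IP.split(".")))
    else:
        rcode, ancount = RCODE_NXDOMAIN, 0
        answer = b""
    # QR=1, AA=1, RD copied from the query, RA=1, RCODE as chosen
    resp_flags = 0x8000 | 0x0400 | (flags & 0x0100) | 0x0080 | rcode
    header = struct.pack("!HHHHHH", txid, resp_flags, 1, ancount, 0, 0)
    return verdict, header + question + answer


def rcode_of(msg: bytes) -> int:
    """Extract RCODE from a response header."""
    return struct.unpack("!H", msg[2:4])[0] & 0x000F


if __name__ == "__main__":
    for qn in ("www.example", "cdn.malware.example", "cdn.ads.example"):
        verdict, resp = filter_query(build_query(qn), mode="sinkhole")
        print(qn, verdict, None if resp is None else rcode_of(resp))
```

The suffix walk in decide() is the part a real deployment gets wrong most often: an exact-match blocklist is defeated by any subdomain, and the allowlist has to be evaluated at the most specific level so an administrator can re-allow one host under a blocked parent without unblocking the parent. Returning a sinkhole address rather than NXDOMAIN trades a slightly less faithful answer for the ability to see, at the sinkhole, which hosts keep trying to reach blocked names.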
NIST SP 800-53 Rev. 4 SC-20: SECURE NAME / ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE)
The information system:
a. Provides additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and
b. Provides the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace.
This control enables external clients including, for example, remote Internet clients, to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service. Information systems that provide name and address resolution services include, for example, domain name system (DNS) servers. Additional artifacts include, for example, DNS Security (DNSSEC) digital signatures and cryptographic keys. DNS resource records are examples of authoritative data. The means to indicate the security status of child zones includes, for example, the use of delegation signer resource records in the DNS. The DNS security controls reflect (and are referenced from) OMB Memorandum 08-23. Information systems that use technologies other than the DNS to map between host/service names and network addresses provide other means to assure the authenticity and integrity of response data. Related controls: AU-10, SC-8, SC-12, SC-13, SC-21, SC-22.
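The delegation signer (DS) record mentioned above is how a parent zone indicates the security status of a child and anchors the chain of trust: it carries a digest of one of the child's DNSKEY records together with that key's tag and algorithm. The following added example, written for this page and not part of the NIST control or any DNS implementation, computes the key tag (RFC 4034 Appendix B) and the DS digest (RFC 4034 section 5.1.4, SHA-256 per RFC 4509) from a DNSKEY, and shows the check a validator performs when it compares the parent's DS against the child's published key. The zone name and the 64-byte public key are constructed placeholders, not a real key.

```python
"""DNSKEY key tag (RFC 4034 Appendix B) and DS record digest (RFC 4034
section 5.1.4) from the Python standard library.

Added example: the zone name and the 64-byte public key below are constructed
for illustration; they are not a real key or the NIST control's own material."""
import hashlib
import struct

FLAGS_ZONE_KEY = 0x0100        # DNSKEY flag bit 7: Zone Key
FLAGS_SEP = 0x0001             # DNSKEY flag bit 15: Secure Entry Point (a KSK)
PROTOCOL = 3                   # fixed value for DNSSEC
ALG_ECDSAP256SHA256 = 13       # algorithm number from RFC 6605
DS_DIGEST_SHA1, DS_DIGEST_SHA256 = 1, 2   # RFC 4034 / RFC 4509 digest types


def wire_name(name: str) -> bytes:
    """Canonical owner name: lower-case, length-prefixed labels, root label."""
    labels = [lb for lb in name.rstrip(".").lower().split(".") if lb]
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags(2) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", flags, PROTOCOL, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the whole DNSKEY RDATA.

    It is a 16-bit checksum, not a hash: two keys can share a tag, so a
    validator must try every DNSKEY whose tag matches the DS."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if (i & 1) else (b << 8)
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = DS_DIGEST_SHA256) -> bytes:
    """DS digest = H(canonical owner name || DNSKEY RDATA)."""
    h = {DS_DIGEST_SHA1: hashlib.sha1, DS_DIGEST_SHA256: hashlib.sha256}[digest_type]
    return h(wire_name(owner) + rdata).digest()


def ds_record(owner: str, rdata: bytes, digest_type: int = DS_DIGEST_SHA256) -> str:
    """Presentation-format DS RR the parent zone publishes for this child key."""
    algorithm = rdata[3]
    digest = ds_digest(owner, rdata, digest_type).hex().upper()
    return f"{owner.rstrip('.')}. IN DS {key_tag(rdata)} {algorithm} {digest_type} {digest}"


def ds_matches(owner: str, rdata: bytes, tag: int, algorithm: int,
               digest_type: int, digest_hex: str) -> bool:
    """Validator side: does the parent's DS commit to this child DNSKEY?

    A match only authenticates the key; the validator must then verify the
    child's DNSKEY RRset signature (RRSIG) with it, which is not shown here."""
    return (key_tag(rdata) == tag and rdata[3] == algorithm
            and ds_digest(owner, rdata, digest_type).hex() == digest_hex.lower())


if __name__ == "__main__":
    ksk = dnskey_rdata(FLAGS_ZONE_KEY | FLAGS_SEP, ALG_ECDSAP256SHA256, bytes(range(64)))
    print(ds_record("example.com", ksk))
```

Two details matter in practice. The digest covers the canonical owner name, so the DS for example.com is not the DS for example.net even with the same key, and case differences in the name must be normalized before hashing or the parent and child will disagree. And because the key tag is a checksum rather than a hash, it is a lookup hint only: a resolver selects candidate DNSKEYs by tag and algorithm, then confirms each with the digest, and only a key that passes both is used to verify the child's RRSIG over its DNSKEY set.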