SC-20 / SC-21 / SC-22 NIST SP 800-81-2

Recursive resolvers hardened

Demonstrate that all recursive DNS resolvers are configured with access controls, recursion restrictions, rate limiting, DNSSEC validation, and logging to prevent abuse and ensure integrity of DNS resolution.

Description

What this control does

Recursive DNS resolvers must be hardened against abuse by restricting queries to authorized clients, disabling open recursion, implementing rate limiting, and enabling DNSSEC validation. Without hardening, recursive resolvers can be exploited for DNS amplification attacks, cache poisoning, or reconnaissance activities. This control ensures that recursive resolvers operate securely within defined trust boundaries and validate responses cryptographically to prevent manipulation.

Control objective

What auditing this proves

Demonstrate that all recursive DNS resolvers are configured with access controls, recursion restrictions, rate limiting, DNSSEC validation, and logging to prevent abuse and ensure integrity of DNS resolution.

Associated risks

Risks this control addresses

  • Attackers leverage open recursive resolvers to conduct DNS amplification distributed denial-of-service attacks against third-party targets
  • Cache poisoning attacks inject fraudulent DNS records into resolver caches, redirecting users to malicious sites
  • Unauthorized external clients abuse internal recursive resolvers for reconnaissance or data exfiltration via DNS tunneling
  • Resource exhaustion attacks overwhelm recursive resolvers with excessive queries, causing service degradation or outage
  • Man-in-the-middle attackers intercept and modify DNS responses when DNSSEC validation is disabled, compromising destination authenticity
  • DNS query floods exploit unprotected resolvers to conduct reconnaissance of internal network topology and service inventory
  • Spoofed source IP queries cause the resolver to send responses to unintended victims, facilitating reflection attacks

Testing procedure

How an auditor verifies this control

  1. Inventory all recursive DNS resolvers deployed in the environment, including on-premises servers, cloud-managed services, and appliances.
  2. Retrieve current configuration files or management console exports from each identified recursive resolver.
  3. Verify that recursion is explicitly disabled for external queries or that access control lists restrict recursion to authorized internal networks only.
  4. Review rate-limiting or query throttling configurations to confirm thresholds are defined and active for queries per client and queries per second.
  5. Confirm DNSSEC validation is enabled by inspecting resolver configuration and testing with a known DNSSEC-signed domain and a known invalid signature.
  6. Examine logging configurations to verify that query logs, error logs, and security events are captured and retained according to policy.
  7. Perform an external port scan or query attempt from an unauthorized IP address to validate that recursion is denied or blocked.
  8. Review change management records or baseline documentation to confirm hardening standards are defined and consistently applied during deployment.
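The following Python script is an added example, not code from this control page or from any resolver vendor: it shows how an auditor could mechanise steps 3 to 7 above against a BIND-style `named.conf` export and against the header lines that `dig +dnssec` prints. The two configuration fragments (an open resolver beside its hardened form), the `internal` ACL name, the rate-limit thresholds, the log path and the three `dig` headers are all constructed samples and assumptions; the checker deliberately requires each setting to be explicit rather than relying on BIND's defaults, which is what the pass criteria call for.

```python
"""Added audit helper for the recursive resolver hardening control; not code from the
page. Assumes BIND-style named.conf syntax; every sample below is constructed."""
import re

# Constructed sample: an open resolver with none of the expected hardening.
WEAK_CONF = """
options {
    recursion yes;
    allow-query { any; };     // anyone may query ...
    dnssec-validation no;     // ... and nothing is validated
};
"""

# Constructed sample: the same resolver hardened. The ACL name, thresholds and
# log path are assumptions, not values from the control text.
HARDENED_CONF = """
acl "internal" { 10.0.0.0/8; 192.168.0.0/16; 127.0.0.1; };
options {
    recursion yes;
    allow-query { internal; };
    allow-recursion { internal; };   # recursion only for authorized clients
    dnssec-validation auto;          # validate against the built-in trust anchor
    rate-limit { responses-per-second 10; window 5; };
};
logging {
    channel query_log { file "/var/log/named/query.log" versions 5 size 50m; severity info; print-time yes; };
    category queries { query_log; };
    category rate-limit { query_log; };
};
"""

def _strip_comments(conf):
    """Drop the three comment forms named.conf accepts before pattern matching."""
    return re.sub(r"(//|#).*", "", re.sub(r"/\*.*?\*/", "", conf, flags=re.S))

def _acl_members(conf, directive):
    """Members of `directive { a; b; };`, or None when the directive is absent."""
    m = re.search(r"\b%s\s*\{([^}]*)\}\s*;" % re.escape(directive), conf)
    return None if not m else [x.strip() for x in m.group(1).split(";") if x.strip()]

def audit_resolver_config(raw_conf):
    """Findings for steps 3 to 6 of the procedure; an empty list passes. The audit
    wants each setting explicit rather than left to BIND's defaults."""
    conf, findings = _strip_comments(raw_conf), []
    # Step 3: recursion restricted by an explicit ACL ('recursion no;' is an
    # authoritative-only server and out of scope).
    if not re.search(r"(?<![\w-])recursion\s+no\s*;", conf):
        allowed = _acl_members(conf, "allow-recursion")
        if allowed is None:
            findings.append("recursion: enabled without an explicit allow-recursion ACL")
        elif any(a in ("any", "0.0.0.0/0", "::/0") for a in allowed):
            findings.append("recursion: allow-recursion permits any client (open resolver)")
    # Step 4: a rate-limit block with a concrete threshold.
    if not re.search(r"\brate-limit\s*\{", conf):
        findings.append("rate-limit: no rate-limit block configured")
    elif not re.search(r"\bresponses-per-second\s+\d+\s*;", conf):
        findings.append("rate-limit: block has no responses-per-second threshold")
    # Step 5: DNSSEC validation switched on explicitly.
    m = re.search(r"\bdnssec-validation\s+(auto|yes|no)\s*;", conf)
    if m is None or m.group(1) == "no":
        findings.append("dnssec: dnssec-validation is not explicitly 'auto' or 'yes'")
    # Step 6: a 'queries' logging category bound to a channel.
    if not re.search(r"\bcategory\s+queries\s*\{", conf):
        findings.append("logging: no 'category queries' channel, queries are not logged")
    return findings

# Constructed `dig +dnssec` header lines of the shape seen in steps 5 and 7.
DIG_SIGNED_OK = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1"""
DIG_BAD_SIG = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1"""
DIG_UNAUTHORIZED = """;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4244
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1"""

def dig_header(output):
    """(status, set of flags) parsed from dig's header lines."""
    status = re.search(r"status:\s*([A-Z]+)", output)
    flags = re.search(r";; flags:\s*([^;]*);", output)
    return (status.group(1) if status else None,
            set(flags.group(1).split()) if flags else set())

def dnssec_validation_verdict(signed_output, bad_sig_output):
    """Step 5: a validating resolver sets AD on a correctly signed answer and
    returns SERVFAIL for a name whose signature does not verify."""
    ok_status, ok_flags = dig_header(signed_output)
    bad_status, _ = dig_header(bad_sig_output)
    return ok_status == "NOERROR" and "ad" in ok_flags and bad_status == "SERVFAIL"

def recursion_denied(output):
    """Step 7: from an unauthorized address the resolver refuses the query or at
    least clears RA (recursion available)."""
    status, flags = dig_header(output)
    return status == "REFUSED" or "ra" not in flags

if __name__ == "__main__":
    print("weak:", audit_resolver_config(WEAK_CONF))
    print("hardened:", audit_resolver_config(HARDENED_CONF) or "no findings")
    print("validating:", dnssec_validation_verdict(DIG_SIGNED_OK, DIG_BAD_SIG))
    print("recursion denied:", recursion_denied(DIG_UNAUTHORIZED))
```

Run against the weak fragment the checker reports one finding per hardening item (recursion, rate limiting, DNSSEC, logging) and none against the hardened one; the two `dig` interpreters encode what a validating resolver and a properly restricted resolver look like from the outside, so the auditor's captured output, not a screenshot of the config, is what decides steps 5 and 7. For Unbound or a cloud-managed resolver the regular expressions would need replacing with that product's option names.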

Evidence required

Configuration files or screenshots from DNS resolver management interfaces showing ACLs, recursion settings, rate limits, and DNSSEC validation status. Query logs demonstrating denied recursion attempts from unauthorized sources. Test results from DNSSEC validation checks using diagnostic tools or known test domains.

Pass criteria

All recursive resolvers restrict recursion to authorized clients via ACLs or network segmentation, implement rate limiting, enable DNSSEC validation, and log queries, with no open recursion exposed to external or untrusted networks.
