>myctrl.tools
Preferences
Under active development Content is continuously updated and improved
Compare

SC-22Architecture and Provisioning for Name/address Resolution Service

IL4 Mod
IL4 High
IL5
IL6

>Control Description

Ensure the systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal and external role separation.

>DoD Impact Level Requirements

No specific parameter values or requirements for this impact level.

>Discussion

Systems that provide name and address resolution services include domain name system (DNS) servers. To eliminate single points of failure in systems and enhance redundancy, organizations employ at least two authoritative domain name system servers--one configured as the primary server and the other configured as the secondary server. Additionally, organizations typically deploy the servers in two geographically separated network subnetworks (i.e., not located in the same physical facility).

For role separation, DNS servers with internal roles only process name and address resolution requests from within organizations (i.e., from internal clients). DNS servers with external roles only process name and address resolution information requests from clients external to organizations (i.e., on external networks, including the Internet). Organizations specify clients that can access authoritative DNS servers in certain roles (e.g., by address ranges and explicit lists).

>Programmatic Queries

Beta

Related Services

Route 53
Route 53 Resolver
VPC

CLI Commands

Check DNS resolution settings
aws ec2 describe-vpc-attribute --vpc-id VPC_ID --attribute enableDnsSupport
List VPC DNS hostnames
aws ec2 describe-vpc-attribute --vpc-id VPC_ID --attribute enableDnsHostnames
Check resolver endpoints in AZs
aws route53resolver list-resolver-endpoint-ip-addresses --resolver-endpoint-id ENDPOINT_ID
List DNS query logs
aws route53resolver list-resolver-query-log-configs
Open AWS ConsoleDocumentation

>Related Controls

SC-2
SC-20
SC-21
SC-24

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What policies govern the implementation of architecture and provisioning for name/address resolution service?
  • How are system and communications protection requirements defined and maintained?
  • Who is responsible for configuring and maintaining the security controls specified in SC-22?

Technical Implementation:

  • How is architecture and provisioning for name/address resolution service technically implemented in your environment?
  • What systems, tools, or configurations enforce this protection requirement?
  • How do you ensure that architecture and provisioning for name/address resolution service remains effective as the system evolves?
  • What network boundary protections are in place (firewalls, gateways, etc.)?
  • How is separation of duties or partitioning technically enforced?

Evidence & Documentation:

  • What documentation demonstrates the implementation of SC-22?
  • Can you provide configuration evidence or system diagrams showing this protection control?
  • What logs or monitoring data verify that this control is functioning correctly?
  • Can you provide network architecture diagrams and firewall rulesets?

Ask AI

Configure your API key to use AI features.