4.9
IG2 IG3

Configure Trusted DNS Servers on Enterprise Assets

Asset Type: Devices
Security Function: Protect

Description

Configure trusted DNS servers on enterprise assets. Example implementations include: configuring assets to use enterprise-controlled DNS servers and/or reputable externally accessible DNS servers.

Implementation Checklist

1. Assess current protection controls in place
2. Configure and deploy required security controls
3. Test control effectiveness in non-production environment
4. Deploy to production and verify functionality
5. Document configuration and operational procedures
6. Define access control requirements based on least privilege
7. Implement role-based access control (RBAC)
8. Configure access review and recertification process
9. Monitor and audit privileged access usage
10. Implement DNS filtering/security solution
11. Configure blocking of known malicious domains
12. Enable DNS query logging and monitoring

Threats & Vulnerabilities (CIS RAM)

Threat Scenarios

DNS Hijacking Redirecting Users to Malicious Sites

Integrity

Attackers compromise or spoof DNS responses to redirect enterprise users to phishing sites, malware distribution points, or man-in-the-middle proxy servers.

DNS Tunneling for Data Exfiltration

Confidentiality

Attackers use unauthorized or unmonitored DNS servers to tunnel data out of the network via DNS queries, bypassing content filtering and network monitoring controls.

Vulnerabilities (When Safeguard Absent)

No Trusted DNS Server Configuration

Without configured trusted DNS servers, enterprise assets may use arbitrary or attacker-controlled DNS resolvers, enabling phishing, malware delivery, and traffic interception.

DNS Resolution via Uncontrolled External Resolvers

Assets resolving DNS through public or ISP-provided servers bypass enterprise DNS security controls including filtering, logging, and sinkholing of malicious domains.
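
One way to check a Linux asset's resolver configuration against an allowlist of trusted DNS servers, as an added example that is not part of the CIS material. The allowlist addresses (documentation-range placeholders), the sample file contents and the function names are assumptions made for illustration.

```python
import ipaddress

# Assumed allowlist: documentation-range placeholders, not real resolvers.
TRUSTED_RESOLVERS = {"192.0.2.53", "192.0.2.54", "2001:db8::53"}
MAXNS = 3  # glibc's stub resolver uses only the first three nameserver lines

def audit_resolv_conf(text, trusted=TRUSTED_RESOLVERS):
    """Return (severity, message) findings for resolv.conf-style text."""
    allowed = {ipaddress.ip_address(a) for a in trusted}
    findings, servers = [], []
    for raw in text.splitlines():
        fields = raw.split()  # comments (# or ;), blanks and other directives never match
        if len(fields) > 1 and fields[0] == "nameserver":
            servers.append(fields[1])
    if not servers:
        findings.append(("WARN", "no nameserver entries; resolver defaults to localhost"))
    for pos, entry in enumerate(servers, start=1):
        try:
            addr = ipaddress.ip_address(entry.split("%", 1)[0])  # drop IPv6 zone id
        except ValueError:
            findings.append(("FAIL", f"unparseable nameserver {entry!r}"))
            continue
        if pos > MAXNS:
            findings.append(("INFO", f"{entry} is entry {pos}; ignored by glibc"))
        elif addr.is_loopback:
            # A local stub (e.g. 127.0.0.53) hides the real upstream; audit that separately.
            findings.append(("WARN", f"{entry} is a local stub; verify its upstream resolvers"))
        elif addr not in allowed:
            findings.append(("FAIL", f"{entry} is not a trusted resolver"))
    return findings

def is_compliant(text, trusted=TRUSTED_RESOLVERS):
    """True when no finding has severity FAIL."""
    return not any(sev == "FAIL" for sev, _ in audit_resolv_conf(text, trusted))

# Constructed sample input (not taken from any real host).
SAMPLE = """\
# managed by DHCP client
search corp.example
nameserver 192.0.2.53
nameserver 198.51.100.7
nameserver 127.0.0.53
nameserver 2001:db8::53
"""

if __name__ == "__main__":
    for severity, message in audit_resolv_conf(SAMPLE):
        print(f"{severity}: {message}")
```

The findings list can be exported per asset as technical evidence; a WARN for a local stub means the stub's own upstream configuration still has to be checked.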

Evidence Requirements

| Type | Evidence Item | Collection Frequency |
|---|---|---|
| Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly |
| Document | Procedure documentation for protection measures | Reviewed annually |
| Record | Access review/recertification records with sign-off | Quarterly |
| Technical | Access control configuration evidence (RBAC settings, group memberships) | Reviewed quarterly |
| Technical | DNS filtering configuration and block statistics | Monthly |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |