RULE 169.00.12-001 - Domain Name Service (DNS) Resolution Standard

RULE 169.00.12-001. Domain Name Service (DNS) Resolution Standard

1. Purpose

Malware often exploits Domain Name Service (DNS) vulnerabilities to redirect network traffic to malicious websites. Due to security risks to entities on the state network, it is imperative to minimize the threat to state network DNS traffic. By requiring DNS queries to utilize trusted DNS resolvers to identify and locate computer systems and resources on the Internet, exposure to the risk of system compromise is minimized.

2. Scope

This standard statement applies to all state agencies, boards, commissions, and administrative sections of institutions of higher education whose traffic crosses the state network destined for the Internet.

3. Background

Arkansas Code Ann. Sections 25-4-105(a)(2)(M) and 25-4-105(a)(2)(0) gives the Department of Information Systems the authority to define standards, policies and specifications for state agencies and ensuring agencies' compliance with those policies, procedures and standards. In addition, the department develops information technology security policy for state agencies. The State Security Working Group, made up of representatives of state agencies and higher education, wrote the Domain Name Service Standard.

4. References

5. Standard

5.1 Entities whose traffic crosses the state network destined for the Internet:

5.1.1 Entities on the state network shall direct external DNS queries directly or indirectly destined for the Internet to the state-provided DNS resolvers.

5.1.2 Entities may also host their own name-caching servers with the servers configured to forward external DNS queries to state-provided DNS resolvers.

5.2 Entities whose traffic does not cross the state network destined for the Internet shall direct all external DNS queries to trusted DNS resolvers.

5.2.1 These entities may also use the state provided DNS resolvers if desired.

6. Procedures

The State Cyber Security Office reserves the right to audit for compliance with this standard. Furthermore, the State Cyber Security Office has the right to grant an exception or exclusion to any part of this standard. The Arkansas Division of Legislative Audit also audits for compliance with this standard.

7. Revision History

Date

Description of Change

6/13/2012

Original Standard Statement Published

8. Definitions

8.1 DNS: The primary purpose of the Domain Name System is to translate between host names and IP addresses via network queries.

8.2 DNS client: Also called a resolver - sends DNS queries to obtain host or IP information.

8.3 Malware: Any software, typically with a malicious intent, installed or running on a computer without the owner's informed consent.

8.4 Recursive Resolver: A DNS server that recursively queries for DNS records on behalf of clients.

8.5 State resolver: Department of Information Systems' managed recursive resolvers on the state network

8.6 State network: The Arkansas State Network includes the hardware, software, and services managed by the Department of Information Systems that make up a shared backbone for connecting state entities' local area networks together and to the Internet.

8.7 Trusted DNS Resolver: DNS service that will filter known malicious domains and maintain the integrity of DNS resolutions.

9. Related Resources

9.1 COBIT standards:

9.1.1 www.isaca.org/cobit.htm

9.2 DNS best practices:

9.2.1 Cisco: http://www.ciscosystems.com/web/about/security/intelligence/dnsbcp.html

9.2.2 Microsoft: http://technet.microsoft.com/en-us/library/cc778439(WS.10).aspx

9.2.3 Microsoft checklist:

http://technet.microsoft.com/enus/library/cc758341(WS. 10).aspx

10. Inquiries

Direct inquiries about this standard to:

Department of Information Systems

State Cyber Security Office

One Capitol Mall

Little Rock, Arkansas 72201

Phone: 501-682-2701

FAX: 501-682-4310

Email: itpolicyteam@arkansas.gov

DIS standards, policies and best practices can be found on the Internet at: http://www.dis.arkansas.gov/policiesStandards/Pages/default.aspx

(8/13/2012)

The following state regulations pages link to this page.