lacework-global-259
3.3 Ensure That DNSSEC Is Enabled for Cloud DNS (Automated)
Profile Applicability
• Level 1
Description
Cloud Domain Name System (DNS) is a fast, reliable and cost-effective domain name system that powers millions of domains on the internet. Domain Name System Security Extensions (DNSSEC) in Cloud DNS enables domain owners to take easy steps to protect their domains against DNS hijacking and man-in-the-middle and other attacks.
Rationale
Domain Name System Security Extensions (DNSSEC) adds security to the DNS protocol by enabling DNS responses to be validated. Having a trustworthy DNS that translates a domain name like www.example.com into its associated IP address is an increasingly important building block of today’s web-based applications. Attackers can hijack this process of domain/IP lookup and redirect users to a malicious site through DNS hijacking and man-in-the-middle attacks. DNSSEC helps mitigate the risk of such attacks by cryptographically signing DNS records. As a result, it prevents attackers from issuing fake DNS responses that may misdirect browsers to nefarious websites.
Audit
From Console:
- Go to
Cloud DNSby visiting https://console.cloud.google.com/net-services/dns/zones. - For each zone of
TypePublic, ensure thatDNSSECis set toOn.
From Command Line:
- List all the Managed Zones in a project:
gcloud dns managed-zones list
- For each zone of
VISIBILITYpublic, get its metadata:
gcloud dns managed-zones describe ZONE_NAME
- Ensure that
dnssecConfig.stateproperty ison.
Remediation
From Console:
- Go to
Cloud DNSby visiting https://console.cloud.google.com/net-services/dns/zones. - For each zone of
TypePublic, setDNSSECtoOn.
From Command Line:
Use the below command to enable DNSSEC for Cloud DNS Zone Name.
gcloud dns managed-zones update ZONE_NAME --dnssec-state on
References
https://cloudplatform.googleblog.com/2017/11/DNSSEC-now-available-in-Cloud-DNS.html
https://cloud.google.com/dns/dnssec-config#enabling
https://cloud.google.com/dns/dnssec