Requirement text: SC.3.192: Implement Domain Name System (DNS) filtering services.
DISCUSSION FROM SOURCE: CIS CONTROLS V7.1
Minimize the attack surface and the opportunities for attackers to manipulate human
behavior through their interaction with web browsers and email systems.
Web browsers and email clients are very common points of entry and attack because of their
technical complexity, flexibility, and their direct interaction with users and with other
systems and websites. Content can be crafted to entice or spoof users into taking actions that
greatly increase risk and allow introduction of malicious code, loss of valuable data, and
other attacks. Since these applications are the main means that users interact with untrusted
environments, these are potential targets for both code exploitation and social engineering.
This practice is based on the following CIS control:
7.7 Use Domain Name System (DNS) filtering services to help block access to known
malicious domains.
CMMC CLARIFICATION
Domain Name System (DNS) filtering blocks access to certain websites or IP addresses. The
organization should use DNS to prevent access to known malicious websites or categories of
websites. The DNS filtering will prevent users from receiving an IP address for the blocked
domain names. A commercial DNS filtering service can be used.
Example
You are in charge of IT operations for your company. Part of your role is to implement web
browser protections. To do this, you purchase a commercial DNS filtering application or
service and configure your enterprise environment to use the service. The configuration
blocks users from being able to access known malicious websites. The application provider
is responsible for ensuring it has the latest list of known malicious websites. As an
administrator, you can update this filtering mechanism for your organization, as
appropriate, to provide additional DNS blocking or to allow previously blocked websites.
References
• CMMC
• CIS Controls v7.1 7.7
• NIST SP 800-53 Rev 4 SC-20