7.7: Use of DNS Filtering Services

Sub-control 7.7 states that you must use Domain Name System (DNS) filtering services to help block access to known malicious domains.

Asset Type    Security Function    Implementation Groups
Network       Protect              1, 2, 3

Dependencies

  • Sub-control 1.5: Maintain Asset Inventory Information

Inputs

  1. Endpoint Inventory: The list of endpoints to be audited. This can be pulled from Sub-control 1.5.

  2. Accepted DNS services: The list of accepted DNS filtering services, such as Quad9, identified by the resolver addresses each service publishes so that endpoint configurations can be compared against them.

Operations

  1. For each endpoint in I1, collect its DNS configuration settings (the resolvers it is configured to query) and compare them against I2. Note appropriately and inappropriately configured endpoints: an endpoint is appropriately configured only if every resolver it is configured to use belongs to an accepted service, since a single non-accepted fallback resolver lets queries bypass filtering.

Measures

Measure                                            Definition
M1 = List of audited endpoints                     A list of endpoints to be audited.
M2 = Count of items in M1                          A count of the total number of items in M1.
M3 = List of appropriately configured endpoints    A list of endpoints that are configured correctly.
M4 = Count of items in M3                          A count of the total number of items in M3.
M5 = List of inappropriately configured endpoints  A list of endpoints that are configured incorrectly.
M6 = Count of items in M5                          A count of the total number of items in M5.

Metrics

DNS Filtering Coverage

Metric                   Calculation
DNS Filtering Coverage   The ratio of endpoints configured to use an accepted DNS filtering service to the total number of audited endpoints that utilize DNS: M4 / M2
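The following script is an added example, not part of the CIS measurement guide, showing how the operation and measures above can be implemented. It assumes the endpoint inventory has already been joined with each endpoint's configured resolvers (a constructed sample is embedded), uses Quad9's published resolver addresses as the accepted service list I2, and treats an endpoint as appropriately configured only if it has at least one resolver and every resolver is accepted. Hostnames, the inventory layout and the `audit` function name are this example's own.

```python
import ipaddress

# I2: accepted DNS filtering service resolver addresses. Quad9's published
# anycast addresses are used as the example; substitute your own accepted
# services (including any internal resolver that forwards to them).
ACCEPTED_RESOLVERS = {
    ipaddress.ip_address(a)
    for a in ("9.9.9.9", "149.112.112.112", "2620:fe::fe", "2620:fe::9")
}

# I1: constructed endpoint inventory, as if pulled from Sub-control 1.5 and
# joined with each endpoint's configured DNS servers. Not real data.
ENDPOINT_INVENTORY = [
    {"hostname": "ws-001", "dns_servers": ["9.9.9.9", "149.112.112.112"]},
    {"hostname": "ws-002", "dns_servers": ["9.9.9.9", "8.8.8.8"]},  # mixed: fallback bypasses filtering
    {"hostname": "ws-003", "dns_servers": []},                       # no resolver recorded
    {"hostname": "srv-010", "dns_servers": ["2620:fe::fe"]},
    {"hostname": "ws-004", "dns_servers": ["192.168.1.1"]},          # local router / ISP resolver
    {"hostname": "ws-005", "dns_servers": ["not-an-ip"]},            # malformed entry
]


def is_appropriately_configured(dns_servers, accepted=ACCEPTED_RESOLVERS):
    """True only if the endpoint has at least one resolver and every
    configured resolver is an accepted filtering service. Any single
    non-accepted resolver (a fallback, a home router, an unparsable
    entry) means queries can bypass filtering, so it fails the check."""
    if not dns_servers:
        return False
    for server in dns_servers:
        try:
            addr = ipaddress.ip_address(server)
        except ValueError:
            return False  # cannot be verified as an accepted resolver
        if addr not in accepted:
            return False
    return True


def audit(inventory, accepted=ACCEPTED_RESOLVERS):
    """Run the operation over I1 and return measures M1..M6 plus the
    DNS Filtering Coverage metric (M4 / M2)."""
    m1, m3, m5 = [], [], []
    for endpoint in inventory:
        name = endpoint["hostname"]
        m1.append(name)
        if is_appropriately_configured(endpoint.get("dns_servers", []), accepted):
            m3.append(name)
        else:
            m5.append(name)
    m2, m4, m6 = len(m1), len(m3), len(m5)
    coverage = m4 / m2 if m2 else 0.0  # guard against an empty inventory
    return {"M1": m1, "M2": m2, "M3": m3, "M4": m4, "M5": m5, "M6": m6,
            "coverage": coverage}


if __name__ == "__main__":
    result = audit(ENDPOINT_INVENTORY)
    print(f"M2 (audited): {result['M2']}  M4 (ok): {result['M4']}  "
          f"M6 (bad): {result['M6']}  coverage: {result['coverage']:.2%}")
    for host in result["M5"]:
        print("  inappropriately configured:", host)
```

On the constructed sample, two of six endpoints pass (ws-001 and srv-010), giving a coverage of 2/6. Note that the check is deliberately strict: ws-002 lists Quad9 first but keeps a non-accepted fallback, and a resolver that the operating system tries on failure is enough to leak queries past the filter.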

Traffic Analysis

Note: A second measurement could use traffic analysis (for example, outbound DNS traffic observed at the network edge) to determine whether any DNS traffic is being sent to resolvers other than the prescribed DNS services, which catches endpoints whose recorded configuration is correct but whose actual queries go elsewhere.
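As an added example of that second measurement (not part of the CIS guide), the script below runs over a constructed, simplified flow log and reports every source that sent DNS traffic to a resolver outside the accepted set. It assumes flow records in the whitespace-separated form `timestamp src dst proto dst_port packets`, identifies DNS by destination port 53 (plain DNS) and 853 (DNS over TLS), and again uses Quad9's published addresses as the accepted list. The log format, the sample addresses and the function names are this example's own.

```python
import ipaddress
from collections import defaultdict

# Accepted DNS filtering resolvers (I2); Quad9's published addresses as example.
ACCEPTED_RESOLVERS = {
    ipaddress.ip_address(a)
    for a in ("9.9.9.9", "149.112.112.112", "2620:fe::fe", "2620:fe::9")
}

# Ports treated as DNS: plain DNS and DNS over TLS. DNS over HTTPS shares
# port 443 with ordinary web traffic and cannot be identified by port alone.
DNS_PORTS = {53, 853}

# Constructed flow records (timestamp src dst proto dst_port packets) in a
# simplified NetFlow/firewall-log style. Not real data.
FLOW_LOG = """\
2024-03-01T10:00:01Z 10.1.2.10 9.9.9.9 udp 53 4
2024-03-01T10:00:02Z 10.1.2.11 8.8.8.8 udp 53 2
2024-03-01T10:00:03Z 10.1.2.11 9.9.9.9 udp 53 7
2024-03-01T10:00:04Z 10.1.2.12 1.1.1.1 tcp 853 1
2024-03-01T10:00:05Z 10.1.2.13 93.184.216.34 tcp 443 12
2024-03-01T10:00:06Z 10.1.2.14 2620:fe::fe udp 53 3
2024-03-01T10:00:07Z 10.1.2.15 192.168.1.1 udp 53 5
corrupted record, skipped by parser
"""


def parse_flow_line(line):
    """Parse one flow record; return None for malformed lines rather than
    aborting the whole analysis on a single bad entry."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src, dst, proto, dport, pkts = parts
    try:
        return {"ts": ts,
                "src": ipaddress.ip_address(src),
                "dst": ipaddress.ip_address(dst),
                "proto": proto.lower(),
                "dport": int(dport),
                "packets": int(pkts)}
    except ValueError:
        return None


def find_dns_bypass(flow_text, accepted=ACCEPTED_RESOLVERS, dns_ports=DNS_PORTS):
    """Return {source_ip: [non-accepted resolver IPs]} for every source that
    sent DNS traffic (by destination port) to a resolver outside the accepted set."""
    bypass = defaultdict(set)
    for line in flow_text.splitlines():
        rec = parse_flow_line(line)
        if rec is None or rec["dport"] not in dns_ports:
            continue
        if rec["dst"] not in accepted:
            bypass[str(rec["src"])].add(str(rec["dst"]))
    return {src: sorted(dsts) for src, dsts in bypass.items()}


def dns_traffic_coverage(flow_text, accepted=ACCEPTED_RESOLVERS, dns_ports=DNS_PORTS):
    """Traffic-based analogue of M4 / M2: sources whose DNS traffic went only
    to accepted resolvers, over all sources that sent any DNS traffic."""
    sources = set()
    for line in flow_text.splitlines():
        rec = parse_flow_line(line)
        if rec is not None and rec["dport"] in dns_ports:
            sources.add(str(rec["src"]))
    offenders = set(find_dns_bypass(flow_text, accepted, dns_ports))
    compliant = sources - offenders
    return {"sources_with_dns": len(sources),
            "compliant_sources": len(compliant),
            "coverage": len(compliant) / len(sources) if sources else 0.0}


if __name__ == "__main__":
    for src, dsts in sorted(find_dns_bypass(FLOW_LOG).items()):
        print(f"{src} sent DNS to non-accepted resolver(s): {', '.join(dsts)}")
    print(dns_traffic_coverage(FLOW_LOG))
```

On the sample log, three sources bypass the accepted resolvers: 10.1.2.11 (which also queries Quad9, so a configuration audit alone might rate it correct), 10.1.2.12 over DNS-over-TLS, and 10.1.2.15 to a local router. The 443 flow from 10.1.2.13 is not classified, which is the practical limit of port-based analysis: detecting DNS over HTTPS requires destination reputation or TLS inspection, not just port matching.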