7.7: Use of DNS Filtering Services
Sub-control 7.7 states that you must use Domain Name System (DNS) filtering services to help block access to known malicious domains.
| Asset Type | Security Function | Implementation Groups |
|---|---|---|
| Network | Protect | 1, 2, 3 |
Dependencies
- Sub-control 1.5: Maintain Asset Inventory Information
Inputs
-
Endpoint Inventory: The list of endpoints to be audited. This can pulled sub-control 1.5.
-
Accepted DNS services: The list of accepted DNS filtering services, such as Quad-9.
Operations
-
For each endpoint in I1, collect its DNS configuration setting. Note appropriately and inappropriately configured endpoints.
Measures
| Measure | Definition |
|---|---|
| M1 = List of audited endpoints |
A list of endpoints to be audited. |
|
M2 = Count of items in M1 |
A count of the total number of items in M1. |
| M3 = List of appropriately configured endpoints | A list of endpoints that are configured correctly. |
| M4 = Count of items in M3 | A count of the total number of items in M3. |
| M5 = List of inappropriately configured endpoints | A list of endpoints that are configured incorrectly. |
| M6 = Count of items in M5 | A count of the total number of items in M5. |
Metrics
DNS Filtering Coverage
| Metric | Calculation |
|---|---|
| The ratio of endpoints configured to use accepted DNS filtering service compared to the total number of endpoints which utilize DNS. | M4 / M2 |
Traffic Analysis
Note: A second measurement could utilize traffic analysis to determine if any traffic is not being sent through the prescribed DNS services.