Domain Name System (DNS) Services Management Configuration Requirements

1. Domain registration

1.1 Register all domains and subdomains owned by the Government of Canada (GC) in the Central Domain Registry Service and include up-to-date business and technical contact information.

1.2 Submit requests for new domains as follows:

  • 1.2.1 New canada.ca subdomains: Principal Publisher Service Desk;
  • 1.2.2 New gc.ca subdomains: Central Domain Registry Service; and
  • 1.2.3 All other domains: Central Domain Registry Service.

1.3 Review adjacent domain names and register them as appropriate to reduce the risk of phishing or domain squatting.

1.4 Ensure that domains are de-registered when no longer required.

2. DNS records management

2.1 Use DNS management systems to automate enabling, disabling and deleting of DNS records.

2.2 Ensure that all DNS-related records point to valid and active GC resources (for example, CNAME, A and PTR records).

2.3 Disable or purge static DNS records for assets and services within 24 hours of decommissioning.

2.4 Ensure that purges of cached DNS records and associated signatures are synchronized.

2.5 Remove service records within 30 days of their expiration or public release.

  • 2.5.1 Automate service record deletion where possible to maintain asset integrity.

3. DNS services

3.1 Leverage GC-approved and -hosted DNS services that:

  • 3.1.1 Prohibit zone transfers to unauthorized devices;
  • 3.1.2 Employ DNS recursion;
  • 3.1.3 Provide DNS Security (DNSSEC) validation;
  • 3.1.4 Leverage DNS resolvers that are configured with a minimum of one of the following mitigations:
    • 3.1.4.1 DNS protective services from a GC-approved third-party or internal service;
    • 3.1.4.2 Commercially available threat intelligence feeds; or
    • 3.1.4.3 Upstream recursive resolvers that use DNS firewalls (for example, the Canadian Internet Registration Authority (CIRA) DNS firewall);
  • 3.1.5 Encrypt all DNS queries over non-trusted networks such as the Internet or other external networks using DNS-over-TLS (DoT) where DoT:
  • 3.1.6 Disable encryption for DNS queries on internal GC networks;
  • 3.1.7 Enable DNSSEC signing authorities using approved encryption algorithms;
  • 3.1.8 Require signature validation on GC enterprise DNS resolvers; and
  • 3.1.9 Enforce mutual authentication for DNS record exchanges.

3.2 Ensure that all DNS services hosted in public cloud environments are configured to forward queries exclusively to GC enterprise DNS resolvers.

4. DNS infrastructure security

4.1 Block unauthorized DNS traffic at network boundaries and route approved requests through designated GC enterprise or authoritative servers.

4.2 Implement access controls to ensure that only authorized DNS clients can access GC DNS services.

4.3 Use approved cryptographic algorithms in accordance with the Cyber Centre’s Cryptographic Algorithms for Unclassified, Protected A, and Protected B Information: ITSP.40.111.

5. System management

5.1 Enforce phishing-resistant multi-factor authentication for users who have the ability to change DNS records.

5.2 Employ strict access controls to infrastructure that hosts DNS zone files or provides DNS services for GC domains.

5.3 Implement robust change control processes to manage any changes to zone files.

5.4 Keep DNS software and services up to date and review the developer’s configuration recommendations regularly, as they are likely to change over time as new threats emerge.

5.5 Maintain and harden the server’s operating system.

6. Monitoring

6.1 Regularly review and audit:

  • 6.1.1 The configuration of DNS zone files for signs of compromise;
  • 6.1.2 Network traffic logs to identify misbehaving hosts attempting to perform DNS resolution against non-GC-enterprise DNS resolvers;
  • 6.1.3 Clients of public DNS records on all authoritative and secondary DNS servers to verify that they resolve to the intended location; and
  • 6.1.4 Access to critical infrastructure that hosts DNS services.
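One way to carry out the review in 6.1.2 (and to verify the boundary rule in 4.1) is to run flow logs through a check that flags internal hosts sending DNS traffic to anything other than the enterprise resolvers. This is an added example, not part of the document; the log format, resolver addresses and internal address range are constructed assumptions.

```python
# Added example, not from the original document: flag internal hosts that
# send DNS traffic to anything other than the approved enterprise resolvers.
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed values: assumed GC enterprise resolvers and internal range.
APPROVED_RESOLVERS = {ip_address("10.10.0.53"), ip_address("10.10.1.53")}
INTERNAL_NETS = [ip_network("10.0.0.0/8")]
DNS_PORTS = {53, 853}  # plain DNS and DNS-over-TLS (see 3.1.5)

# Constructed flow-log records in a simple key=value form.
SAMPLE_LOG = """\
ts=2025-01-15T10:00:01Z src=10.20.5.17 dst=10.10.0.53 proto=udp dport=53
ts=2025-01-15T10:00:03Z src=10.20.5.42 dst=8.8.8.8 proto=udp dport=53
ts=2025-01-15T10:00:04Z src=10.20.5.42 dst=1.1.1.1 proto=tcp dport=853
ts=2025-01-15T10:00:06Z src=10.20.5.99 dst=93.184.216.34 proto=tcp dport=443
ts=2025-01-15T10:00:07Z src=10.20.7.8 dst=9.9.9.9 proto=udp dport=53
ts=2025-01-15T10:00:08Z src=203.0.113.5 dst=9.9.9.9 proto=udp dport=53
"""

def parse_line(line):
    """Turn one key=value record into a dict, ignoring tokens without '='."""
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields

def find_unauthorized_resolver_use(log_text):
    """Return {internal source host: sorted non-approved DNS destinations}."""
    findings = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        try:
            src, dst = ip_address(rec["src"]), ip_address(rec["dst"])
            dport = int(rec["dport"])
        except (KeyError, ValueError):
            continue  # malformed record: skip rather than guess
        # Non-DNS ports (e.g. 443) and approved resolvers are not findings.
        if dport not in DNS_PORTS or dst in APPROVED_RESOLVERS:
            continue
        # Only hosts inside GC address space are subject to the rule.
        if any(src in net for net in INTERNAL_NETS):
            findings[str(src)].add(str(dst))
    return {host: sorted(dsts) for host, dsts in findings.items()}

if __name__ == "__main__":
    for host, dsts in sorted(find_unauthorized_resolver_use(SAMPLE_LOG).items()):
        print(f"{host} sent DNS to non-enterprise resolvers: {', '.join(dsts)}")
```

Hosts reported by this check are the misbehaving clients 6.1.2 asks for; the approved-resolver set and internal ranges would come from the enterprise DNS inventory rather than the constants above.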

6.2 Configure logging of all DNS queries and responses at internal recursive resolvers, including, at a minimum, all queried domains and response records, and in accordance with the GC’s Event Logging Guidance.

6.3 Forward event logs that are protected from unauthorized modification and deletion using the Cyber Centre’s approved cryptographic safeguards to a central logging facility for processing, storage, monitoring and analysis.

Page details

2026-02-11