Domain Name System (DNS) Services Management Configuration Requirements
1. Registration
1.1 All domains and subdomains owned by the GC must be reported to the central domain registry service, including up-to-date business and technical contact information.
1.2 Departments are expected to submit requests for new domains to the Principal Publisher Service Desk.
2. Configuration
2.1 Configure DNS to prohibit zone transfers to unauthorized devices.
2.2 Enable DNSSEC validation on GC Enterprise DNS Resolvers.
2.3 Enable DNS over HTTPS (DoH) and/or DNS over TLS (DoT) on GC Enterprise DNS Resolvers.
2.4 Enable logging of all DNS queries and responses, including, at a minimum, all queried domains and response records, and the IP flow information of the requesting host (source and destination IP addresses and ports, and transport protocol). Logs must be accessible in a way that allows for analysis of malicious activity.
2.5 Configure DNS Resolvers to implement DNS firewalling based on any or all of the following:
- 2.5.1 Canadian Centre for Cyber Security Response Policy Zone (RPZ) feed;
- 2.5.2 Commercial threat intelligence feeds; and
- 2.5.3 Upstream recursive resolvers which implement DNS firewalling.
2.6 Configure desktop services and applications to use GC Enterprise DNS Resolution services.
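As an added illustration of what requirements 2.1 to 2.5 look like on one widely used resolver, the fragment below is written in BIND 9.18 named.conf syntax; it is not configuration from this page or from the GC, and the TLS key name, file paths, client IP range, feed address and RPZ zone names are assumed placeholders.

```conf
# Added example (not this page's own config): BIND 9.18 resolver settings for
# requirements 2.1 to 2.5. All names, paths and addresses are placeholders.

tls enterprise-tls {
    key-file  "/etc/bind/tls/resolver.key";
    cert-file "/etc/bind/tls/resolver.crt";
};

options {
    directory "/var/cache/bind";
    allow-recursion { 10.0.0.0/8; };        # constructed: GC client ranges only

    # 2.1: a recursive resolver has no reason to serve zone transfers at all.
    allow-transfer { none; };

    # 2.2: validate DNSSEC against the built-in root trust anchor.
    dnssec-validation auto;

    # 2.3: DoT and DoH alongside classic Do53.
    listen-on port 53  { any; };
    listen-on port 853 tls enterprise-tls { any; };               # DoT
    listen-on port 443 tls enterprise-tls http default { any; };  # DoH

    # 2.5: DNS firewalling via RPZ; add commercial feeds (2.5.2) the same way.
    response-policy {
        zone "rpz.ccs.example";   # 2.5.1 placeholder for the CCCS RPZ feed
    } qname-wait-recurse no;

    # 2.4: full query and response capture (needs BIND built with dnstap).
    dnstap { client; };           # "client" covers both queries and responses
    dnstap-output file "/var/log/named/dnstap.fstrm" size 500m versions 20;
};

# 2.4: timestamped text log of queries and of every RPZ action, for analysis.
logging {
    channel querylog {
        file "/var/log/named/queries.log" versions 10 size 100m;
        severity info;
        print-time yes;
    };
    category queries { querylog; };
    category rpz     { querylog; };
};

# The RPZ feed is pulled as a secondary zone; use TSIG if the provider offers it.
zone "rpz.ccs.example" {
    type secondary;
    primaries { 192.0.2.10; };  # constructed feed address
    file "/var/cache/bind/rpz.ccs.example.db";
};
```

The dnstap stream holds the response records that requirement 2.4 asks for, which the plain text query log alone does not capture.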
3. System management
3.1 Multi-factor authentication (MFA) is used to authenticate all users making changes to DNS records.
3.2 Employ strict access controls to infrastructure hosting DNS zone files or providing DNS services for GC domains.
3.3 Implement robust change control processes to manage any changes to zone files.
3.4 Keep DNS software and services up to date and review the developer’s configuration recommendations regularly, as they are likely to change over time as new threats emerge.
3.5 Maintain and harden the server’s operating system.
4. Systems monitoring
4.1 Regularly review the configuration of DNS zone files to ensure that what is present is expected.
4.2 Regularly audit network traffic logs to identify misbehaving hosts attempting to perform DNS resolution against non-GC-enterprise DNS resolvers.
4.3 Regularly audit the public DNS records on all authoritative and secondary DNS servers, and report the results to clients, to verify that the records resolve to the intended location.
4.4 Monitor and record access to critical infrastructure hosting DNS services.