Profile Applicability:

Level 1

Description:

Cloud DNS is a high-performance and cost-effective Domain Name System service provided by Google Cloud. Enabling Domain Name System Security Extensions (DNSSEC) for Cloud DNS enhances security by protecting domains from DNS hijacking, man-in-the-middle attacks, and other threats.

Rationale:

DNSSEC enhances DNS protocol security by cryptographically signing DNS records. This ensures the authenticity and integrity of DNS responses and prevents attackers from redirecting users to malicious sites via DNS hijacking or issuing fake DNS responses. Enabling DNSSEC mitigates the risk of malicious redirection and builds trust in domain/IP lookups.

Default Value:

By default, DNSSEC is not enabled for Cloud DNS zones.

Audit Steps:

Using Google Cloud Console:

  1. Navigate to the Cloud DNS page.

  2. Review all DNS zones of type Public.

  3. Verify that DNSSEC is set to On for each zone.

Using Google Cloud CLI:

  1. List all managed DNS zones in the project:

     gcloud dns managed-zones list

  2. For each zone whose visibility is Public, retrieve the zone's metadata:

     gcloud dns managed-zones describe ZONE_NAME

  3. Check the dnssecConfig.state property in the output. It should be set to on.

Remediation Steps:

Using Google Cloud Console:

  1. Navigate to the Cloud DNS page.

  2. For each Public zone:

     • Click the zone name.

     • Set DNSSEC to On.

Using Google Cloud CLI:

Enable DNSSEC for a specific Cloud DNS zone:

gcloud dns managed-zones update ZONE_NAME --dnssec-state on
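The audit steps and the CLI remediation above can be combined into one script. The following is an added example, not part of this benchmark page and not Google's own tooling: it takes the output of gcloud dns managed-zones list in the value() format (one zone per line, tab-separated: name, visibility, dnssecConfig.state), reports every Public zone whose DNSSEC state is not on, and prints the matching gcloud update command for each. The zone names in SAMPLE_ZONES are constructed so the check can be run offline; the gcloud flags --format and --filter are real gcloud options, and the field dnssecConfig.state is the same property the audit step inspects.

```shell
#!/bin/sh
# Added example: audit Cloud DNS public zones for DNSSEC and emit remediation.
# Assumes input in the shape produced by:
#   gcloud dns managed-zones list \
#     --format="value(name,visibility,dnssecConfig.state)"
# i.e. one zone per line, tab-separated: NAME <tab> VISIBILITY <tab> DNSSEC_STATE
# dnssecConfig.state is empty when DNSSEC has never been configured on a zone.

# Constructed sample output (zone names are made up) used to run the check offline.
SAMPLE_ZONES="$(printf 'example-prod\tpublic\ton\nexample-staging\tpublic\toff\ninternal-only\tprivate\t\nlegacy-zone\tpublic\t\n')"

# Print the names of public zones whose DNSSEC state is not "on", one per line.
# Private zones are ignored: DNSSEC applies to zones served on the public Internet.
noncompliant_public_zones() {
    printf '%s\n' "$1" | awk -F'\t' '
        tolower($2) == "public" && tolower($3) != "on" { print $1 }'
}

# Return 0 (pass) when every public zone has dnssecConfig.state == on.
audit_dnssec() {
    [ -z "$(noncompliant_public_zones "$1")" ]
}

# Print one remediation command per non-compliant zone (the command from the
# remediation step above); review the list before running it.
remediation_commands() {
    noncompliant_public_zones "$1" | while IFS= read -r zone; do
        printf 'gcloud dns managed-zones update %s --dnssec-state on\n' "$zone"
    done
}

# Live usage: feed real gcloud output to the same functions, e.g.
#   ZONES="$(gcloud dns managed-zones list --format='value(name,visibility,dnssecConfig.state)')"
#   audit_dnssec "$ZONES" || remediation_commands "$ZONES"

if audit_dnssec "$SAMPLE_ZONES"; then
    echo "PASS: all public zones have DNSSEC on"
else
    echo "FAIL: public zones without DNSSEC, suggested remediation:"
    remediation_commands "$SAMPLE_ZONES"
fi
```

Setting --dnssec-state on signs the zone, but resolvers only validate those signatures once the zone's DS record has been published at the parent zone (through the domain registrar). A zone can therefore show dnssecConfig.state: on and pass this audit while still not being validated by clients; checking the DS record at the registrar is a separate step this benchmark does not cover.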

References:

  1. Google Cloud Blog: DNSSEC in Cloud DNS

  2. Google Cloud Documentation: Enabling DNSSEC

  3. Google Cloud DNSSEC Overview

CIS Controls:

Control | Description | IG 1 | IG 2 | IG 3

4.2 Secure Configuration for Network Devices | Maintain secure configuration for network devices, with annual reviews or after significant changes. | | |

11.1 Standard Security Configurations | Ensure all authorized network devices follow documented and secure configuration standards. | | |