Profile Applicability:
Level 1
Description:
Cloud DNS is a high-performance and cost-effective Domain Name System service provided by Google Cloud. Enabling Domain Name System Security Extensions (DNSSEC) for Cloud DNS enhances security by protecting domains from DNS hijacking, man-in-the-middle attacks, and other threats.
Rationale:
DNSSEC enhances DNS protocol security by cryptographically signing DNS records. This ensures the authenticity and integrity of DNS responses and prevents attackers from redirecting users to malicious sites via DNS hijacking or issuing fake DNS responses. Enabling DNSSEC mitigates the risk of malicious redirection and builds trust in domain/IP lookups.
Default Value:
By default, DNSSEC is not enabled for Cloud DNS zones.
Audit Steps:
Using Google Cloud Console:
Navigate to the Cloud DNS page.
Review all DNS zones of type Public.
Verify that DNSSEC is set to On for each zone.
Using Google Cloud CLI:
List all managed DNS zones in the project:
gcloud dns managed-zones list
For each zone with visibility Public, retrieve metadata:
gcloud dns managed-zones describe ZONE_NAME
Check the dnssecConfig.state property; it should be set to on.
Remediation Steps:
Using Google Cloud Console:
Navigate to the Cloud DNS page.
For each Public zone:
Click the zone name.
Set DNSSEC to On.
Using Google Cloud CLI:
Enable DNSSEC for a specific Cloud DNS zone:
gcloud dns managed-zones update ZONE_NAME --dnssec-state on
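The CLI audit and remediation steps above can be combined into one script that lists every zone with its visibility and DNSSEC state, ignores private zones (DNSSEC applies to public zones only), and prints the exact update command for each non-compliant zone. This is an added example, not part of the benchmark text; it relies on the standard gcloud --format flag to emit one tab-separated line per zone, and the sample zone names in it are constructed.

```shell
#!/bin/sh
# Added example: audit public Cloud DNS zones for dnssecConfig.state == on.
# Expected input, one zone per line, tab-separated:
#   NAME <TAB> VISIBILITY <TAB> DNSSEC_STATE   (state may be empty when unset)

# Reads zone lines on stdin, prints PASS/FAIL per public zone and the
# remediation command for each failure. Returns 0 only if all public zones
# have DNSSEC on.
audit_dnssec_lines() {
    failures=0
    while IFS="$(printf '\t')" read -r name visibility state; do
        [ -z "$name" ] && continue
        case "$visibility" in
            public) ;;            # only public zones are in scope
            *) continue ;;        # private zones cannot be validated by resolvers
        esac
        if [ "$state" = "on" ]; then
            echo "PASS  $name  dnssecConfig.state=on"
        else
            echo "FAIL  $name  dnssecConfig.state=${state:-unset}"
            echo "      remediate: gcloud dns managed-zones update $name --dnssec-state on"
            failures=$((failures + 1))
        fi
    done
    [ "$failures" -eq 0 ]
}

# Live audit of the project gcloud is currently configured for.
# value() output is tab-separated, matching what audit_dnssec_lines expects.
audit_project() {
    gcloud dns managed-zones list \
        --format="value(name,visibility,dnssecConfig.state)" | audit_dnssec_lines
}

# Constructed sample of what the gcloud command above would print, so the
# checker can be exercised without project access. Zone names are made up.
SAMPLE="$(printf 'corp-public-zone\tpublic\ton\nmarketing-zone\tpublic\toff\ninternal-zone\tprivate\t\nlegacy-zone\tpublic\t\n')"

if [ "${1:-}" = "--live" ]; then
    audit_project
elif printf '%s\n' "$SAMPLE" | audit_dnssec_lines; then
    echo "all public zones have DNSSEC enabled"
else
    echo "non-compliant public zones found (see FAIL lines above)"
fi
```

Run it with --live against a real project to get the report for that project; without arguments it runs against the embedded sample and flags marketing-zone (state off) and legacy-zone (state unset). Note that turning the zone's DNSSEC state on only signs the zone; resolvers validate the chain only after the zone's DS record has been published in the parent zone through the registrar, so after remediation retrieve the key material with gcloud dns dns-keys list --zone ZONE_NAME and confirm the DS record is in place.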
References: