NIST 800-53 REV 5 • SYSTEM AND COMMUNICATIONS PROTECTION
SC-22 — Architecture and Provisioning for Name/Address Resolution Service
Ensure the systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal and external role separation.
Supplemental Guidance
Systems that provide name and address resolution services include domain name system (DNS) servers. To eliminate single points of failure in systems and enhance redundancy, organizations employ at least two authoritative domain name system servers—one configured as the primary server and the other configured as the secondary server. Additionally, organizations typically deploy the servers in two geographically separated network subnetworks (i.e., not located in the same physical facility). For role separation, DNS servers with internal roles only process name and address resolution requests from within organizations (i.e., from internal clients). DNS servers with external roles only process name and address resolution information requests from clients external to organizations (i.e., on external networks, including the Internet). Organizations specify clients that can access authoritative DNS servers in certain roles (e.g., by address ranges and explicit lists).
Practitioner Notes
Design your DNS architecture for fault tolerance and security — redundant servers, separation of authoritative and recursive functions, and proper capacity planning.
Example 1: Deploy at least two DNS servers in different physical locations (or availability zones in the cloud). If one server goes down, the other continues resolving queries. Use Active Directory-integrated DNS for automatic replication between domain controllers.
Example 2: Separate your authoritative DNS (what the Internet sees) from your recursive DNS (what your internal users query). Run authoritative DNS on dedicated servers in the DMZ with recursion disabled, and run recursive DNS on internal servers that accept queries only from internal address ranges. Because no Internet-facing server resolves names on behalf of outside clients, external queries cannot be used to poison your internal resolver's cache.
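The two examples above can be turned into a repeatable check. The following script is an added example, not NIST text and not part of this page's practitioner notes: it reads small BIND9-style named.conf fragments and tests them against SC-22 in two steps, fault tolerance (at least two authoritative servers for the zone, at different sites and on different subnets, per Example 1) and role separation (Internet-facing servers never recurse; internal resolvers only answer internal address ranges, per Example 2). The BIND9 directives used (`recursion`, `allow-query`, `allow-recursion`, `allow-transfer`, `acl`, `zone ... type primary|secondary`) are real, but the host names, the documentation-range addresses, the `example.test` zone and the inventory are constructed, and the regex-based parser is a deliberate simplification that handles only these statements; validate a real configuration with `named-checkconf` before relying on it.

```python
"""Added example (not NIST text): check a DNS deployment against SC-22 using
BIND9-style named.conf fragments; hosts, addresses and zone are constructed."""
import ipaddress
import re
from dataclasses import dataclass

# Internet-facing primary: authoritative only, recursion off, transfers restricted.
EXTERNAL_PRIMARY = """
options {
    recursion no;                      # never resolve on behalf of clients
    allow-query { any; };              # anyone may ask about our own zones
    allow-transfer { 203.0.113.53; };  # only the secondary may pull the zone
};
zone "example.test" { type primary; file "db.example.test"; };
"""
# Internet-facing secondary at another site and on another subnet.
EXTERNAL_SECONDARY = """
options { recursion no; allow-query { any; }; };
zone "example.test" { type secondary; primaries { 198.51.100.53; }; };
"""
# Internal recursive resolver: serves only clients on internal address ranges.
INTERNAL_RESOLVER = """
acl internal { 10.0.0.0/8; 192.168.0.0/16; };
options { recursion yes; allow-query { internal; }; allow-recursion { internal; }; };
"""

@dataclass
class DnsServer:
    name: str
    role: str     # "external" (serves the Internet) or "internal" (serves staff)
    address: str
    site: str     # physical facility or cloud availability zone
    conf: str     # named.conf fragment for this host

def _split(body):  # inside of "{ a; b; }" -> ["a", "b"]
    return [i.strip() for i in body.split(";") if i.strip()]

def _expand(entries, acls):  # replace named ACLs with members; literals like 'any' pass through
    out = []
    for e in entries:
        out.extend(_expand(acls[e], acls) if e in acls else [e])
    return out

def parse_conf(conf):
    """Pull the SC-22-relevant settings out of a named.conf fragment."""
    acls = {m.group(1): _split(m.group(2))
            for m in re.finditer(r"acl\s+(\S+)\s*\{([^}]*)\}", conf)}
    rec = re.search(r"recursion\s+(yes|no)\s*;", conf)
    zones = re.findall(r'zone\s+"([^"]+)"\s*\{[^}]*?type\s+(?:primary|secondary|master|slave)', conf)
    def clients(keyword):  # entries of `keyword { ... };`, or None if the option is absent
        m = re.search(keyword + r"\s*\{([^}]*)\}", conf)
        return None if not m else _expand(_split(m.group(1)), acls)
    return {"recursion": rec.group(1) if rec else "yes",  # BIND's default is recursion yes
            "allow-query": clients("allow-query"),
            "allow-recursion": clients("allow-recursion"),
            "zones": zones}

def _is_internal(entry):
    try:  # 'any', BIND built-ins and unknown ACL names fail closed (treated as not internal)
        return ipaddress.ip_network(entry, strict=False).is_private
    except ValueError:
        return False

def check_role_separation(server):
    """External servers must not recurse; internal resolvers serve internal ranges only."""
    cfg, findings = parse_conf(server.conf), []
    if server.role == "external":
        if cfg["recursion"] != "no":
            findings.append(f"{server.name}: recursion enabled on an Internet-facing server")
    else:
        for opt in ("allow-query", "allow-recursion"):
            if cfg[opt] is None or not all(_is_internal(c) for c in cfg[opt]):
                findings.append(f"{server.name}: {opt} is not limited to internal address ranges")
    return findings

def check_fault_tolerance(servers, zone):
    """At least two authoritative servers, at different sites and on different subnets."""
    auth = [s for s in servers if zone in parse_conf(s.conf)["zones"]]
    if len(auth) < 2:
        return [f"{zone}: only {len(auth)} authoritative server(s); need a primary and a secondary"]
    findings = []
    if len({s.site for s in auth}) < 2:
        findings.append(f"{zone}: all authoritative servers are at the same site")
    if len({ipaddress.ip_network(s.address + "/24", strict=False) for s in auth}) < 2:
        findings.append(f"{zone}: all authoritative servers are on the same /24 subnet")
    return findings

def assess(servers, zone):
    """All SC-22 findings for a deployment; an empty list means every check passed."""
    findings = check_fault_tolerance(servers, zone)
    for s in servers:
        findings.extend(check_role_separation(s))
    return findings

DEPLOYMENT = [  # constructed inventory matching the fragments above
    DnsServer("ns1", "external", "198.51.100.53", "site-a", EXTERNAL_PRIMARY),
    DnsServer("ns2", "external", "203.0.113.53", "site-b", EXTERNAL_SECONDARY),
    DnsServer("resolver1", "internal", "10.1.0.53", "site-a", INTERNAL_RESOLVER),
]
```

Running `assess(DEPLOYMENT, "example.test")` on the constructed inventory returns an empty list; collapsing both authoritative servers onto one site and subnet, or turning recursion on for an Internet-facing host, produces one finding per violated requirement. The /24 comparison is a deliberately coarse stand-in for "separate subnetwork"; in a real inventory, compare against your own site and network records rather than a fixed prefix length.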