NIST 800-53 r5 · Controls catalogue · Family SC
SC-20Secure Name/Address Resolution Service (Authoritative Source)
Provide additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and Provide the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (14)
- T1071 Application Layer Protocol Command And Control
- T1071.001 Web Protocols Command And Control
- T1071.002 File Transfer Protocols Command And Control
- T1071.003 Mail Protocols Command And Control
- T1071.004 DNS Command And Control
- T1553.004 Install Root Certificate Defense Impairment
- T1566 Phishing Initial Access
- T1566.001 Spearphishing Attachment Initial Access
- T1566.002 Spearphishing Link Initial Access
- T1568 Dynamic Resolution Command And Control
- T1568.002 Domain Generation Algorithms Command And Control
- T1598 Phishing for Information Reconnaissance
- T1598.002 Spearphishing Attachment Reconnaissance
- T1598.003 Spearphishing Link Reconnaissance
Weaknesses this control addresses (6)AI
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
CWE-347 | Improper Verification of Cryptographic Signature | 778 | Requires cryptographic signatures on authoritative data and support for verifying the chain of trust. |
CWE-345 | Insufficient Verification of Data Authenticity | 643 | Mandates provision of authenticity and integrity artifacts that enable verification of name/address resolution data. |
CWE-290 | Authentication Bypass by Spoofing | 631 | Directly counters DNS response spoofing by requiring cryptographic origin authentication artifacts from the authoritative source. |
CWE-346 | Origin Validation Error | 548 | Enforces validation of the true origin of DNS responses via signatures and chain-of-trust mechanisms. |
CWE-940 | Improper Verification of Source of a Communication Channel | 45 | Provides the means to verify the source of name-resolution responses instead of relying on unauthenticated channels. |
CWE-353 | Missing Support for Integrity Check | 37 | Supplies the integrity-check artifacts (e.g., RRSIG, DNSKEY) that were previously missing for DNS responses. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
CVE-2025-30132 | 1.8 | 9.1 | 0.0008 | good |
CVE-2026-41272 | 1.4 | 7.1 | 0.0004 | good |
CVE-2025-31116 | 0.9 | 4.4 | 0.0031 | good |