NIST 800-53 r5 · Controls catalogue · Family SC
SC-21 Secure Name/Address Resolution Service (Recursive or Caching Resolver)
Request and perform data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (7)
- T1071 Application Layer Protocol Command And Control
- T1071.001 Web Protocols Command And Control
- T1071.002 File Transfer Protocols Command And Control
- T1071.003 Mail Protocols Command And Control
- T1071.004 DNS Command And Control
- T1568 Dynamic Resolution Command And Control
- T1568.002 Domain Generation Algorithms Command And Control
Weaknesses this control addresses (6)
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-347 | Improper Verification of Cryptographic Signature | 778 | Mandates verification of cryptographic signatures (e.g., DNSSEC RRSIG) on resolution responses, addressing missing or bypassed signature checks. |
| CWE-345 | Insufficient Verification of Data Authenticity | 643 | Requires explicit verification of data authenticity from authoritative sources, preventing acceptance of unauthenticated resolution responses. |
| CWE-290 | Authentication Bypass by Spoofing | 631 | Directly counters DNS response spoofing by requiring cryptographic origin authentication before trusting resolved names/addresses. |
| CWE-346 | Origin Validation Error | 548 | Enforces origin validation of name/address data, eliminating reliance on unverified or impersonated DNS sources. |
| CWE-354 | Improper Validation of Integrity Check Value | 184 | Requires validation of integrity check values on every resolution response, directly mitigating tampered or corrupted DNS data. |
| CWE-348 | Use of Less Trusted Source | 45 | Prevents use of less-trusted or adversarial sources by requiring proof of origin and integrity before accepting responses. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| CVE-2025-71058 | 1.8 | 9.1 | 0.0014 | good |
| CVE-2025-30132 | 1.8 | 9.1 | 0.0008 | good |
| CVE-2025-59023 | 1.6 | 8.2 | 0.0001 | good |
| CVE-2026-42255 | 1.4 | 7.2 | 0.0004 | good |
| CVE-2023-53875 | 1.8 | 8.8 | 0.0036 | partial |
| CVE-2026-32634 | 1.6 | 8.1 | 0.0002 | good |
| CVE-2025-30140 | 1.5 | 7.5 | 0.0021 | good |
| CVE-2026-1519 | 1.5 | 7.5 | 0.0003 | good |
| CVE-2025-61939 | 1.8 | 8.8 | 0.0004 | good |
| CVE-2026-41055 | 1.7 | 8.6 | 0.0005 | good |
| CVE-2026-3104 | 1.5 | 7.5 | 0.0005 | partial |
| CVE-2026-4437 | 1.5 | 7.5 | 0.0007 | partial |