dns_security.yaml
apiVersion: kopexa.io/v1alpha1
kind: Policy
metadata:
  name: kopexa-dns-security
  title: Kopexa DNS Security
  version: 1.0.0
scoring_system: banded
groups:
  - title: Networking
    filter: asset.type == 'host'
    checks:
      - uid: kopexa-dns-security-google-workspaces-mx-records
      - uid: kopexa-dns-security-no-cname-for-root-domain
      - uid: kopexa-dns-security-no-ip-for-ns-mx-records
      - uid: kopexa-dns-security-no-legacy-ms-365-mx-records
      - uid: kopexa-dns-security-dnssec-enabled
      - uid: kopexa-dns-security-no-wildcard

queries:
  - uid: kopexa-dns-security-no-cname-for-root-domain
    title: Ensure no CNAME is used for root domain
    resource: dns
    severity: high
    query: resource.records.filter(r, r.type == 'CNAME').size() == 0
    docs: This check ensures that the root domain does not have a CNAME record.
    remediation: Replace the CNAME record at the root domain with an A or ALIAS record.
    audit: Run `dig +short CNAME <domain>` and ensure it returns empty.

  - uid: kopexa-dns-security-no-ip-for-ns-mx-records
    title: Ensure NS and MX records are not pointing to IP addresses
    resource: dns
    severity: medium
    query: |
      resource.mx.size() > 0 &&
      resource.mx.all(m, !m.name.matches(regex.ipv4) && !m.name.matches(regex.ipv6)) &&
      resource.params['NS']['rData'].size() > 0 &&
      resource.params['NS']['rData'].all(d, !d.matches(regex.ipv4) && !d.matches(regex.ipv6))
    docs: This check ensures that DNS NS and MX records point to FQDNs, not IP addresses.
    remediation: Update NS and MX records to point to FQDNs.
    audit: Run `dig NS <domain>` and `dig MX <domain>` and verify they return names, not IPs.

  - uid: kopexa-dns-security-no-legacy-ms-365-mx-records
    title: Ensure legacy MX records are not used with Microsoft 365
    resource: dns
    severity: medium
    query: |
      resource.mx.all(m,
        m.name != 'mail.outlook.com' &&
        m.name != 'mail.messaging.microsoft.com' &&
        m.name != 'mail.global.frontbridge.com' &&
        m.name != 'mail.global.bigfish.com'
      )
    docs: This check ensures that legacy MX records are not used with Microsoft 365.
    remediation: Replace legacy MX records with correct Microsoft 365 MX records.
    audit: Check your MX records for legacy Microsoft domains.

  - uid: kopexa-dns-security-google-workspaces-mx-records
    title: Ensure the correct MX records are used with Google Workspaces
    resource: dns
    severity: medium
    query: |
      resource.mx.filter(m, m.name.contains('l.google.com')).all(m,
        m.name == 'aspmx.l.google.com' ||
        m.name == 'alt1.aspmx.l.google.com' ||
        m.name == 'alt2.aspmx.l.google.com' ||
        m.name == 'alt3.aspmx.l.google.com' ||
        m.name == 'alt4.aspmx.l.google.com'
      )
    docs: This check ensures that Google Workspace MX records are correctly configured.
    remediation: Configure MX records to point to ASPMX.L.GOOGLE.COM and its alternates.
    audit: Verify MX records match Google Workspace requirements.

  - uid: kopexa-dns-security-dnssec-enabled
    title: Ensure DNSSEC is enabled
    resource: dns
    severity: high
    query: resource.records.exists(r, r.type == 'DNSKEY')
    docs: This check ensures that DNSSEC is enabled.
    remediation: Enable DNSSEC at your registrar.
    audit: Run `dig DNSKEY <domain>` and verify records exist.

  - uid: kopexa-dns-security-no-wildcard
    title: Ensure no wildcard DNS records are configured
    resource: dns
    severity: medium
    query: "!resource.records.exists(r, r.name.startsWith('*'))"
    docs: This check ensures that no wildcard DNS records are configured.
    remediation: Remove wildcard (*) A/CNAME records.
    audit: Check your DNS zone for entries starting with *.
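To make the six queries above concrete, the following is an added Python rendition of the same checks run over two constructed zones (a failing one and a clean one). It is example code, not Kopexa's engine: the flat `records` / `mx` / `ns` dictionary layout, the `is_ip` helper standing in for `regex.ipv4` / `regex.ipv6`, and all host names are assumptions made for the illustration.

```python
import ipaddress

# Constructed sample zones. Field names echo the policy's resource.records /
# resource.mx / resource.params['NS']['rData']; the flat dict layout is an assumption.
BAD_ZONE = {
    "records": [{"type": "CNAME", "name": "example.test", "rdata": "cdn.example.net"},
                {"type": "A", "name": "*.example.test", "rdata": "192.0.2.10"}],
    "mx": ["aspmx.l.google.com", "mail.outlook.com", "198.51.100.5"],
    "ns": ["ns1.example.net", "203.0.113.53"],
}
GOOD_ZONE = {
    "records": [{"type": "A", "name": "example.test", "rdata": "192.0.2.10"},
                {"type": "DNSKEY", "name": "example.test", "rdata": "257 3 13 <key>"}],
    "mx": ["aspmx.l.google.com", "alt1.aspmx.l.google.com"],
    "ns": ["ns1.example.net", "ns2.example.net"],
}
LEGACY_M365_MX = {"mail.outlook.com", "mail.messaging.microsoft.com",
                  "mail.global.frontbridge.com", "mail.global.bigfish.com"}
GOOGLE_MX = {"aspmx.l.google.com"} | {f"alt{i}.aspmx.l.google.com" for i in range(1, 5)}

def is_ip(host):
    """Stand-in for the policy's regex.ipv4 / regex.ipv6 matches (assumed helper)."""
    try:
        ipaddress.ip_address(host.rstrip("."))
        return True
    except ValueError:
        return False

def run_checks(zone):
    """Evaluate the six policy queries; True means the check passes."""
    records, mx, ns = zone["records"], zone["mx"], zone["ns"]
    return {
        "kopexa-dns-security-no-cname-for-root-domain":
            not any(r["type"] == "CNAME" for r in records),
        # MX and NS must both be non-empty and must never be bare IP addresses.
        "kopexa-dns-security-no-ip-for-ns-mx-records":
            bool(mx) and bool(ns) and not any(is_ip(h) for h in mx + ns),
        "kopexa-dns-security-no-legacy-ms-365-mx-records":
            not any(h in LEGACY_M365_MX for h in mx),
        # Only Google hosts are judged; a zone with no Google MX passes vacuously.
        "kopexa-dns-security-google-workspaces-mx-records":
            all(h in GOOGLE_MX for h in mx if "l.google.com" in h),
        "kopexa-dns-security-dnssec-enabled":
            any(r["type"] == "DNSKEY" for r in records),
        "kopexa-dns-security-no-wildcard":
            not any(r["name"].startswith("*") for r in records),
    }

def failing_checks(zone):
    return sorted(uid for uid, ok in run_checks(zone).items() if not ok)
```

Note that, exactly as in the policy, the Google Workspace check filters on `l.google.com` before judging, so BAD_ZONE passes it despite its other MX problems.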