Ensure that DNSSEC security feature is enabled for all your Google Cloud DNS managed zones in order to protect your domains against spoofing and cache poisoning attacks. By default, DNSSEC is not enabled for Google Cloud public DNS managed zones.
This rule resolution is part of the Conformity Security & Compliance tool for GCP.
Domain Name System Security Extensions (DNSSEC) represents a set of protocols that adds a layer of security to the Domain Name System (DNS) lookup and exchange processes by enabling DNS responses to be validated. Having a trustworthy Domain Name System (DNS) that translates a domain name into its associated IP address is extremely important for web security nowadays. Attackers can hijack the process of domain/IP lookup and redirect users to malicious web content through DNS hijacking and Man-In-The-Middle (MITM) attacks. DNSSEC security feature helps mitigate the risk of such attacks by encrypting signing DNS records. As a result, it prevents attackers from issuing fake DNS responses that may misdirect web clients to fake, fraudulent or scam websites.
Audit
To determine if DNSSEC is enabled for all your Domain Name System (DNS) managed zones, perform the following actions:
Remediation / Resolution
To enable the DNSSEC security feature for all your public Google Cloud DNS managed zones, perform the following operations:
References
- Google Cloud Platform (GCP) Documentation
- Cloud DNS overview
- DNS Security Extensions (DNSSEC) overview
- Manage DNSSEC configuration
- DNSSEC now available in Cloud DNS
- CIS Security Documentation
- Securing Google Cloud Computing Platform
- GCP Command Line Interface (CLI) Documentation
- gcloud projects list
- gcloud dns managed-zones list
- gcloud dns managed-zones describe
- gcloud dns managed-zones update
Unlock the Remediation Steps
Free 30-day Trial
Automatically audit your configurations with Conformity
and gain access to our cloud security platform.
You are auditing:
Enable DNSSEC for Google Cloud DNS Zones
Risk Level: Medium