DNS Security
Secure DNS resolution to prevent hijacking and exfiltration.
7 of 9 frameworks cover this control
Framework Mappings
How DNS Security maps to each of the 9 cybersecurity frameworks tracked by ControlMap.
| Framework | Status | Control IDs |
|---|---|---|
| NIST CSF 2.0 | Covered | PR.IR-01 |
| ISO 27001 | Covered | A.8.20 |
| CIS v8 | Covered | CIS 9.2 |
| SOC 2 | Covered | CC6.6 |
| PCI DSS | Covered | 1.2.1 |
| CMMC | Covered | SC.L2-3.13.1 |
| 800-53 | Covered | SC-7 SC-20 SC-21 SC-22 |
| HIPAA | Not Covered | — |
| GDPR | Not Covered | — |
About DNS Security
DNS Security is a cybersecurity control in the Protect domain. DNS security controls protect the Domain Name System from attacks such as DNS hijacking, cache poisoning, tunneling-based data exfiltration, and domain spoofing. Organizations should implement DNS filtering to block access to known malicious domains, deploy DNSSEC to validate DNS response integrity, use encrypted DNS protocols (DoH or DoT), and monitor DNS query logs for anomalous patterns that may indicate command-and-control communication or data exfiltration. Protective DNS services can serve as a cost-effective first line of defense that blocks threats before connections are established.
This control is recognized by 7 of the 9 major frameworks: NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, and 800-53. It is not covered by HIPAA or GDPR, which represents a potential gap for organizations relying solely on those frameworks.