From e3c6a42a79491ba5a8de2e02aae5326797093671 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Patrick=20Mu=CC=88nch?= Date: Mon, 16 Dec 2024 17:40:13 +0100 Subject: [PATCH 01/12] add description for each dns check MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Patrick Münch --- .github/actions/spelling/expect.txt | 3 + core/mondoo-dns-security.mql.yaml | 124 ++++++++++++++++++++++++---- 2 files changed, 111 insertions(+), 16 deletions(-) diff --git a/.github/actions/spelling/expect.txt b/.github/actions/spelling/expect.txt index a3d2846a..3b01415b 100644 --- a/.github/actions/spelling/expect.txt +++ b/.github/actions/spelling/expect.txt @@ -43,11 +43,13 @@ crowdstrike ctl CUSTOMERID CYAAAAAAAKEY +Cybercriminals cyserver deactivateduser decomp dhe diffie +DNSKEY driveletter dss dumpable @@ -102,6 +104,7 @@ Lsass lsetxattr lsws marcellus +misrouting MLE moonbase mpim diff --git a/core/mondoo-dns-security.mql.yaml b/core/mondoo-dns-security.mql.yaml index 875a4c1c..aa9b0102 100644 --- a/core/mondoo-dns-security.mql.yaml +++ b/core/mondoo-dns-security.mql.yaml @@ -4,7 +4,7 @@ policies: - uid: mondoo-dns-security name: Mondoo DNS Security - version: 1.1.0 + version: 1.2.0 license: BUSL-1.1 tags: mondoo.com/category: security @@ -45,44 +45,136 @@ policies: - uid: mondoo-dns-security-no-cname-for-root-domain - uid: mondoo-dns-security-no-ip-for-ns-mx-records - uid: mondoo-dns-security-no-legacy-office-365-mx-records + - uid: mondoo-dns-security-dnssec-enabled + - uid: mondoo-dns-security-no-wildcard queries: - uid: mondoo-dns-security-no-cname-for-root-domain title: Ensure no CNAME is used for root domain + filters: domainName.fqdn == domainName.effectiveTLDPlusOne + impact: 60 mql: | - if (domainName.fqdn == domainName.effectiveTLDPlusOne) { - dns.records.where(type == "CNAME").length == 0 - } + dns.records.where(type == "CNAME") == empty + docs: + desc: | + This security check ensures that the root domain (often called the apex domain) does not have a CNAME (Canonical Name) record in its DNS settings. According to DNS standards, using CNAME records at the root domain is prohibited because it can lead to conflicts with other important DNS records, such as SOA (Start of Authority) and NS (Name Server) records. + + Implementing a CNAME at the root domain poses several risks, including: + + * DNS Resolution Issues: DNS servers may fail to resolve records properly, causing service interruptions. + * Compliance Violations: Most DNS providers enforce rules against the use of CNAMEs on root domains, and using them could result in non-compliance. + * Service Unavailability: Essential domain-related services, such as email or subdomains, may cease to function. + remediation: | + Use A or ALIAS records (if supported by your DNS provider) to point the root domain to the appropriate IP address or hostname while maintaining DNS compatibility and reducing the risk of resolution failures. - uid: mondoo-dns-security-no-ip-for-ns-mx-records title: Ensure NS and MX records are not pointing to IP addresses + impact: 75 mql: | - # check that MX records are not using IP addresses - dns.mx { - domainName != regex.ipv4 - domainName != regex.ipv6 - } - # check that ns records are no ip - dns.records.where(type == "NS") { - rdata { - _ != regex.ipv4 - _ != regex.ipv6 - } - } + dns.mx != empty + dns.mx.all(domainName != regex.ipv4 && domainName != regex.ipv6) + dns.records.where(type == "NS") !=empty + dns.records.where(type == "NS").all( rdata != regex.ipv4 && rdata != regex.ipv6 ) + docs: + desc: | + This security check ensures that DNS Name Server (NS) and Mail Exchange (MX) records do not point directly to IP addresses. According to DNS best practices and standards, NS and MX records should point to fully qualified domain names (FQDNs) rather than IP addresses. + + Risks of Using IP Addresses in NS and MX Records: + + * Lack of Flexibility: Pointing to an IP address directly ties your DNS or mail configuration to a specific server, making it difficult to manage changes, such as server migrations or load balancing. + * Potential Downtime: If the server IP address changes and DNS records are not updated promptly, services dependent on these records (e.g., email or domain resolution) may experience downtime. + * Non-compliance with DNS Standards: DNS resolvers expect NS and MX records to point to hostnames. Using IPs can lead to unpredictable behavior or DNS resolution failures. + * Security Risks: Directly exposing IP addresses can make your infrastructure more vulnerable to attacks, such as DDoS or reconnaissance efforts. + remediation: | + For NS records: Always configure them to point to the authoritative DNS server’s FQDN (e.g., ns1.example.com). + + For MX records: Always point them to a valid mail server’s FQDN (e.g., mail.example.com). - uid: mondoo-dns-security-no-legacy-office-365-mx-records title: Ensure legacy MX records are not used with Office 365 + impact: 80 mql: | dns.mx.all( domainName.downcase != "mail.outlook.com." ) dns.mx.all( domainName.downcase != "mail.messaging.microsoft.com." ) dns.mx.all( domainName.downcase != "mail.global.frontbridge.com." ) dns.mx.all( domainName.downcase != "mail.global.bigfish.com." ) + docs: + desc: | + This security check verifies that legacy MX records, often associated with previous email hosting providers or outdated configurations, are not being used in domains configured for Microsoft Office 365 email services. + + Why This Is Important: + + * Email Delivery Issues: Legacy MX records may cause email to be routed to incorrect or obsolete mail servers, resulting in failed or delayed email delivery. + * Security Risks: Misconfigured MX records can expose your email infrastructure to spoofing, phishing, or man-in-the-middle attacks if email traffic is directed to untrusted servers. + * Incompatibility with Office 365: Microsoft Office 365 requires specific MX record configurations (e.g., *.mail.protection.outlook.com) to properly route and secure email traffic. Using legacy MX records may prevent Office 365 features, such as spam filtering or encryption, from functioning correctly. + * Administrative Overhead: Retaining legacy MX records increases complexity and the potential for mismanagement during troubleshooting or migrations. + remediation: | + Replace all legacy MX records with the correct Office 365 MX records provided in the Microsoft 365 Admin Center. Regularly audit DNS settings to ensure all MX records align with Office 365 requirements. refs: - url: https://techcommunity.microsoft.com/t5/exchange-team-blog/best-practices-for-using-assigned-office-365-dns-records/ba-p/607907 title: Best practices for using assigned Office 365 DNS records - uid: mondoo-dns-security-google-workspaces-mx-records title: Ensure the correct MX records are used with Google Workspaces + impact: 80 mql: |- dns.mx.where(domainName == /l.google.com/). map(domainName.downcase). containsOnly(["aspmx.l.google.com.", "alt1.aspmx.l.google.com.", "alt2.aspmx.l.google.com.", "alt3.aspmx.l.google.com.", "alt4.aspmx.l.google.com."]) + docs: + desc: | + This security check verifies that the domain’s MX (Mail Exchange) records are correctly configured to use the Google Workspace (formerly G Suite) email servers. Proper configuration ensures reliable email delivery and leverages Google’s advanced email security and management features. + + Why This Is Important: + + * Reliable Email Delivery: Incorrect or missing MX records can result in undelivered emails, affecting business communication. + * Security Risks: Using incorrect MX records may route emails through untrusted servers, exposing the organization to spoofing, phishing, or data interception attacks. + * Google Workspace Functionality: Google Workspace requires specific MX records to activate its full suite of email features, including spam protection, encryption, and account-based email management. + * Compliance and Best Practices: Adhering to Google Workspace’s DNS configuration guidelines ensures compatibility and minimizes the risk of service disruptions. + remediation: | + Ensure the domain’s MX records point to Google’s designated email servers: + * ASPMX.L.GOOGLE.COM + * ALT1.ASPMX.L.GOOGLE.COM + * ALT2.ASPMX.L.GOOGLE.COM + * ALT3.ASPMX.L.GOOGLE.COM + * ALT4.ASPMX.L.GOOGLE.COM + + Verify that each record is configured with the correct priority as recommended by Google. Remove any legacy or non-Google MX records to prevent misrouting or security vulnerabilities. refs: - url: https://support.google.com/a/answer/140034?hl=en title: Set up MX records for Google Workspace email + - uid: mondoo-dns-security-dnssec-enabled + title: Ensure DNSSEC is Enabled + impact: 75 + mql: |- + dns.records.where(type == "DNSKEY") != empty + dns.records.where(type == "DNSKEY").all(name.contains(domainName.fqdn)) + docs: + desc: | + This security check ensures that DNSSEC (Domain Name System Security Extensions) is enabled for your domain. DNSSEC is a critical security feature that provides authentication for DNS responses, protecting against common threats such as DNS spoofing, cache poisoning, and man-in-the-middle attacks. + + Why This Is Important: + + * Prevents DNS Spoofing: Without DNSSEC, attackers can forge DNS responses, redirecting users to malicious websites or intercepting sensitive data. + * Protects Data Integrity: DNSSEC digitally signs DNS records to ensure the data returned in a DNS query has not been altered or tampered with during transit. + * Builds Trust: By enabling DNSSEC, organizations can enhance trust in their domain by ensuring users reliably connect to legitimate services. + * Compliance and Standards: Many security frameworks and compliance standards recommend or require DNSSEC implementation as a best practice for domain security. + remediation: | + * Enable DNSSEC for your domain through your DNS hosting provider or domain registrar. + * Regularly monitor DNSSEC configurations to ensure the validity of DNSSEC signatures and prevent expiration issues. + * Test DNSSEC implementation using tools or online validators to confirm proper configuration. + - uid: mondoo-dns-security-no-wildcard + title: Ensure No Wildcard DNS Records Are Configured + impact: 85 + mql: |- + dns.records.none(name == /\*/) + docs: + desc: | + This security check verifies that no wildcard DNS records (e.g., *.example.com) are configured for your domain. Wildcard DNS records allow all subdomains, including those not explicitly defined, to resolve to a specified IP address or hostname. + + Why This Is Important: + + * Increased Attack Surface: Wildcard DNS records can unintentionally expose your domain to abuse, enabling attackers to create arbitrary subdomains (e.g., phishing.example.com) for malicious purposes. + * Phishing and Malware Risks: Cybercriminals may exploit wildcard DNS records to impersonate legitimate subdomains and host phishing websites or distribute malware. + * Uncontrolled Traffic Routing: Wildcards can cause unexpected behavior by routing traffic for undefined subdomains to unintended or insecure locations. + * Compliance Issues: Many security standards discourage the use of wildcard DNS records due to the difficulty in managing and securing them effectively. + remediation: | + * Remove wildcard DNS records (*.example.com) unless explicitly required for specific use cases. + * Use explicit DNS records for subdomains to maintain control over domain resolution. + * Regularly audit DNS configurations to identify and eliminate unintended wildcard records. From 12c0f85c8d27cd0cc44c8a7aa0fac498ec1a178e Mon Sep 17 00:00:00 2001 From: Tim Smith Date: Mon, 16 Dec 2024 09:43:35 -0800 Subject: [PATCH 02/12] Update core/mondoo-dns-security.mql.yaml Co-authored-by: Letha Signed-off-by: Tim Smith --- core/mondoo-dns-security.mql.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/core/mondoo-dns-security.mql.yaml b/core/mondoo-dns-security.mql.yaml index aa9b0102..cf18fbb6 100644 --- a/core/mondoo-dns-security.mql.yaml +++ b/core/mondoo-dns-security.mql.yaml @@ -60,9 +60,9 @@ queries: Implementing a CNAME at the root domain poses several risks, including: - * DNS Resolution Issues: DNS servers may fail to resolve records properly, causing service interruptions. - * Compliance Violations: Most DNS providers enforce rules against the use of CNAMEs on root domains, and using them could result in non-compliance. - * Service Unavailability: Essential domain-related services, such as email or subdomains, may cease to function. + * DNS resolution issues: DNS servers can fail to resolve records properly, causing service interruptions. + * Compliance violations: Most DNS providers enforce rules against the use of CNAMEs on root domains. Using them can result in non-compliance. + * Service unavailability: Essential domain-related services, such as email or subdomains, can cease to function. remediation: | Use A or ALIAS records (if supported by your DNS provider) to point the root domain to the appropriate IP address or hostname while maintaining DNS compatibility and reducing the risk of resolution failures. - uid: mondoo-dns-security-no-ip-for-ns-mx-records From d8bdb18b9e22ca7f7a0857a247daa1272eab398f Mon Sep 17 00:00:00 2001 From: Tim Smith Date: Mon, 16 Dec 2024 10:01:26 -0800 Subject: [PATCH 03/12] Update core/mondoo-dns-security.mql.yaml Co-authored-by: Letha Signed-off-by: Tim Smith --- core/mondoo-dns-security.mql.yaml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/core/mondoo-dns-security.mql.yaml b/core/mondoo-dns-security.mql.yaml index cf18fbb6..a68099e4 100644 --- a/core/mondoo-dns-security.mql.yaml +++ b/core/mondoo-dns-security.mql.yaml @@ -168,12 +168,12 @@ queries: desc: | This security check verifies that no wildcard DNS records (e.g., *.example.com) are configured for your domain. Wildcard DNS records allow all subdomains, including those not explicitly defined, to resolve to a specified IP address or hostname. - Why This Is Important: + Why this is important: - * Increased Attack Surface: Wildcard DNS records can unintentionally expose your domain to abuse, enabling attackers to create arbitrary subdomains (e.g., phishing.example.com) for malicious purposes. - * Phishing and Malware Risks: Cybercriminals may exploit wildcard DNS records to impersonate legitimate subdomains and host phishing websites or distribute malware. - * Uncontrolled Traffic Routing: Wildcards can cause unexpected behavior by routing traffic for undefined subdomains to unintended or insecure locations. - * Compliance Issues: Many security standards discourage the use of wildcard DNS records due to the difficulty in managing and securing them effectively. + * Increased attack surface: Wildcard DNS records can unintentionally expose your domain to abuse. Attackers can create arbitrary subdomains (e.g., phishing.example.com) for malicious purposes. + * Phishing and malware risks: Cybercriminals can exploit wildcard DNS records to impersonate legitimate subdomains, host phishing websites, or distribute malware. + * Uncontrolled traffic routing: Wildcards can cause unexpected behavior by routing traffic for undefined subdomains to unintended or insecure locations. + * Compliance issues: Many security standards discourage the use of wildcard DNS records due to the difficulty in managing and securing them effectively. remediation: | * Remove wildcard DNS records (*.example.com) unless explicitly required for specific use cases. * Use explicit DNS records for subdomains to maintain control over domain resolution. From 0a9282e2da9d2e77c05fe2f559557ad1b2e40461 Mon Sep 17 00:00:00 2001 From: Tim Smith Date: Mon, 16 Dec 2024 10:01:33 -0800 Subject: [PATCH 04/12] Update core/mondoo-dns-security.mql.yaml Co-authored-by: Letha Signed-off-by: Tim Smith --- core/mondoo-dns-security.mql.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/core/mondoo-dns-security.mql.yaml b/core/mondoo-dns-security.mql.yaml index a68099e4..2d8df2e1 100644 --- a/core/mondoo-dns-security.mql.yaml +++ b/core/mondoo-dns-security.mql.yaml @@ -160,7 +160,7 @@ queries: * Regularly monitor DNSSEC configurations to ensure the validity of DNSSEC signatures and prevent expiration issues. * Test DNSSEC implementation using tools or online validators to confirm proper configuration. - uid: mondoo-dns-security-no-wildcard - title: Ensure No Wildcard DNS Records Are Configured + title: Ensure no wildcard DNS records are configured impact: 85 mql: |- dns.records.none(name == /\*/) From ce089e7990c192c96b1d5a3805dd6eba7e19dbe1 Mon Sep 17 00:00:00 2001 From: Tim Smith Date: Mon, 16 Dec 2024 10:01:40 -0800 Subject: [PATCH 05/12] Update core/mondoo-dns-security.mql.yaml Co-authored-by: Letha Signed-off-by: Tim Smith --- core/mondoo-dns-security.mql.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/core/mondoo-dns-security.mql.yaml b/core/mondoo-dns-security.mql.yaml index 2d8df2e1..c84c1786 100644 --- a/core/mondoo-dns-security.mql.yaml +++ b/core/mondoo-dns-security.mql.yaml @@ -77,7 +77,7 @@ queries: desc: | This security check ensures that DNS Name Server (NS) and Mail Exchange (MX) records do not point directly to IP addresses. According to DNS best practices and standards, NS and MX records should point to fully qualified domain names (FQDNs) rather than IP addresses. - Risks of Using IP Addresses in NS and MX Records: + Risks of using IP addresses in NS and MX records include: * Lack of Flexibility: Pointing to an IP address directly ties your DNS or mail configuration to a specific server, making it difficult to manage changes, such as server migrations or load balancing. * Potential Downtime: If the server IP address changes and DNS records are not updated promptly, services dependent on these records (e.g., email or domain resolution) may experience downtime. From 6c96e583ce8eb14e776a903ca360caa637de21fc Mon Sep 17 00:00:00 2001 From: Tim Smith Date: Mon, 16 Dec 2024 10:01:49 -0800 Subject: [PATCH 06/12] Update core/mondoo-dns-security.mql.yaml Co-authored-by: Letha Signed-off-by: Tim Smith --- core/mondoo-dns-security.mql.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/core/mondoo-dns-security.mql.yaml b/core/mondoo-dns-security.mql.yaml index c84c1786..331185e2 100644 --- a/core/mondoo-dns-security.mql.yaml +++ b/core/mondoo-dns-security.mql.yaml @@ -79,10 +79,10 @@ queries: Risks of using IP addresses in NS and MX records include: - * Lack of Flexibility: Pointing to an IP address directly ties your DNS or mail configuration to a specific server, making it difficult to manage changes, such as server migrations or load balancing. - * Potential Downtime: If the server IP address changes and DNS records are not updated promptly, services dependent on these records (e.g., email or domain resolution) may experience downtime. - * Non-compliance with DNS Standards: DNS resolvers expect NS and MX records to point to hostnames. Using IPs can lead to unpredictable behavior or DNS resolution failures. - * Security Risks: Directly exposing IP addresses can make your infrastructure more vulnerable to attacks, such as DDoS or reconnaissance efforts. + * Lack of flexibility: Pointing to an IP address directly ties your DNS or mail configuration to a specific server. This makes it difficult to manage changes, such as server migrations or load balancing. + * Potential downtime: If the server IP address changes and DNS records are not updated promptly, services dependent on these records (e.g., email or domain resolution) can experience downtime. + * Non-compliance with DNS standards: DNS resolvers expect NS and MX records to point to hostnames. Using IPs can lead to unpredictable behavior or DNS resolution failures. + * Security risks: Directly exposing IP addresses can make your infrastructure more vulnerable to attacks, such as DDoS or reconnaissance efforts. remediation: | For NS records: Always configure them to point to the authoritative DNS server’s FQDN (e.g., ns1.example.com). From ce786934cc9442aa84abae8d603dac2523e5e70c Mon Sep 17 00:00:00 2001 From: Tim Smith Date: Mon, 16 Dec 2024 10:01:55 -0800 Subject: [PATCH 07/12] Update core/mondoo-dns-security.mql.yaml Co-authored-by: Letha Signed-off-by: Tim Smith --- core/mondoo-dns-security.mql.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/core/mondoo-dns-security.mql.yaml b/core/mondoo-dns-security.mql.yaml index 331185e2..66c92a51 100644 --- a/core/mondoo-dns-security.mql.yaml +++ b/core/mondoo-dns-security.mql.yaml @@ -97,9 +97,9 @@ queries: dns.mx.all( domainName.downcase != "mail.global.bigfish.com." ) docs: desc: | - This security check verifies that legacy MX records, often associated with previous email hosting providers or outdated configurations, are not being used in domains configured for Microsoft Office 365 email services. + This security check verifies that legacy MX records, often associated with previous email hosting providers or outdated configurations, are not used in domains configured for Microsoft Office 365 email services. - Why This Is Important: + Why this is important: * Email Delivery Issues: Legacy MX records may cause email to be routed to incorrect or obsolete mail servers, resulting in failed or delayed email delivery. * Security Risks: Misconfigured MX records can expose your email infrastructure to spoofing, phishing, or man-in-the-middle attacks if email traffic is directed to untrusted servers. From 487d0dc52bdb6aae5bd34199e75971f06b7abd4c Mon Sep 17 00:00:00 2001 From: Tim Smith Date: Mon, 16 Dec 2024 10:02:08 -0800 Subject: [PATCH 08/12] Update core/mondoo-dns-security.mql.yaml Co-authored-by: Letha Signed-off-by: Tim Smith --- core/mondoo-dns-security.mql.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/core/mondoo-dns-security.mql.yaml b/core/mondoo-dns-security.mql.yaml index 66c92a51..1ee53559 100644 --- a/core/mondoo-dns-security.mql.yaml +++ b/core/mondoo-dns-security.mql.yaml @@ -101,10 +101,10 @@ queries: Why this is important: - * Email Delivery Issues: Legacy MX records may cause email to be routed to incorrect or obsolete mail servers, resulting in failed or delayed email delivery. - * Security Risks: Misconfigured MX records can expose your email infrastructure to spoofing, phishing, or man-in-the-middle attacks if email traffic is directed to untrusted servers. - * Incompatibility with Office 365: Microsoft Office 365 requires specific MX record configurations (e.g., *.mail.protection.outlook.com) to properly route and secure email traffic. Using legacy MX records may prevent Office 365 features, such as spam filtering or encryption, from functioning correctly. - * Administrative Overhead: Retaining legacy MX records increases complexity and the potential for mismanagement during troubleshooting or migrations. + * Email delivery issues: Legacy MX records can cause email to be routed to incorrect or obsolete mail servers, resulting in failed or delayed email delivery. + * Security risks: Misconfigured MX records can expose your email infrastructure to spoofing, phishing, or man-in-the-middle attacks if email traffic is directed to untrusted servers. + * Incompatibility with Office 365: Microsoft Office 365 requires specific MX record configurations (e.g., *.mail.protection.outlook.com) to properly route and secure email traffic. Using legacy MX records can prevent Office 365 features, such as spam filtering or encryption, from functioning correctly. + * Administrative overhead: Retaining legacy MX records increases complexity and the potential for mismanagement during troubleshooting or migrations. remediation: | Replace all legacy MX records with the correct Office 365 MX records provided in the Microsoft 365 Admin Center. Regularly audit DNS settings to ensure all MX records align with Office 365 requirements. refs: From b9ddf001e4bc72c5a3084145118da09430279613 Mon Sep 17 00:00:00 2001 From: Tim Smith Date: Mon, 16 Dec 2024 10:02:21 -0800 Subject: [PATCH 09/12] Update core/mondoo-dns-security.mql.yaml Co-authored-by: Letha Signed-off-by: Tim Smith --- core/mondoo-dns-security.mql.yaml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/core/mondoo-dns-security.mql.yaml b/core/mondoo-dns-security.mql.yaml index 1ee53559..0e693285 100644 --- a/core/mondoo-dns-security.mql.yaml +++ b/core/mondoo-dns-security.mql.yaml @@ -121,12 +121,12 @@ queries: desc: | This security check verifies that the domain’s MX (Mail Exchange) records are correctly configured to use the Google Workspace (formerly G Suite) email servers. Proper configuration ensures reliable email delivery and leverages Google’s advanced email security and management features. - Why This Is Important: + Why this is important: - * Reliable Email Delivery: Incorrect or missing MX records can result in undelivered emails, affecting business communication. - * Security Risks: Using incorrect MX records may route emails through untrusted servers, exposing the organization to spoofing, phishing, or data interception attacks. - * Google Workspace Functionality: Google Workspace requires specific MX records to activate its full suite of email features, including spam protection, encryption, and account-based email management. - * Compliance and Best Practices: Adhering to Google Workspace’s DNS configuration guidelines ensures compatibility and minimizes the risk of service disruptions. + * Reliable email delivery: Incorrect or missing MX records can result in undelivered email. + * Security risks: Using incorrect MX records can route email through untrusted servers, exposing the organization to spoofing, phishing, or data interception attacks. + * Google Workspace functionality: Google Workspace requires specific MX records to activate its full suite of email features, including spam protection, encryption, and account-based email management. + * Compliance and best practices: Adhering to Google Workspace’s DNS configuration guidelines ensures compatibility and minimizes the risk of service disruptions. remediation: | Ensure the domain’s MX records point to Google’s designated email servers: * ASPMX.L.GOOGLE.COM From fdd4ed1369f4a618c59381b92949bdcee322f27d Mon Sep 17 00:00:00 2001 From: Tim Smith Date: Mon, 16 Dec 2024 10:02:30 -0800 Subject: [PATCH 10/12] Update core/mondoo-dns-security.mql.yaml Co-authored-by: Letha Signed-off-by: Tim Smith --- core/mondoo-dns-security.mql.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/core/mondoo-dns-security.mql.yaml b/core/mondoo-dns-security.mql.yaml index 0e693285..7ae0c4cd 100644 --- a/core/mondoo-dns-security.mql.yaml +++ b/core/mondoo-dns-security.mql.yaml @@ -140,7 +140,7 @@ queries: - url: https://support.google.com/a/answer/140034?hl=en title: Set up MX records for Google Workspace email - uid: mondoo-dns-security-dnssec-enabled - title: Ensure DNSSEC is Enabled + title: Ensure DNSSEC is enabled impact: 75 mql: |- dns.records.where(type == "DNSKEY") != empty From e0a9afb92bd802153e3955131d3b237115f80aff Mon Sep 17 00:00:00 2001 From: Tim Smith Date: Mon, 16 Dec 2024 10:02:37 -0800 Subject: [PATCH 11/12] Update core/mondoo-dns-security.mql.yaml Co-authored-by: Letha Signed-off-by: Tim Smith --- core/mondoo-dns-security.mql.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/core/mondoo-dns-security.mql.yaml b/core/mondoo-dns-security.mql.yaml index 7ae0c4cd..673a3bf5 100644 --- a/core/mondoo-dns-security.mql.yaml +++ b/core/mondoo-dns-security.mql.yaml @@ -147,7 +147,7 @@ queries: dns.records.where(type == "DNSKEY").all(name.contains(domainName.fqdn)) docs: desc: | - This security check ensures that DNSSEC (Domain Name System Security Extensions) is enabled for your domain. DNSSEC is a critical security feature that provides authentication for DNS responses, protecting against common threats such as DNS spoofing, cache poisoning, and man-in-the-middle attacks. + This security check ensures that DNSSEC (Domain Name System Security Extensions) is enabled for your domain. DNSSEC is a critical security feature that provides authentication for DNS responses. It protects against common threats such as DNS spoofing, cache poisoning, and man-in-the-middle attacks. Why This Is Important: From aad9039bd4f6346735b90a307ca79f445f18c509 Mon Sep 17 00:00:00 2001 From: Tim Smith Date: Mon, 16 Dec 2024 10:02:45 -0800 Subject: [PATCH 12/12] Update core/mondoo-dns-security.mql.yaml Co-authored-by: Letha Signed-off-by: Tim Smith --- core/mondoo-dns-security.mql.yaml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/core/mondoo-dns-security.mql.yaml b/core/mondoo-dns-security.mql.yaml index 673a3bf5..0b038ab8 100644 --- a/core/mondoo-dns-security.mql.yaml +++ b/core/mondoo-dns-security.mql.yaml @@ -149,12 +149,12 @@ queries: desc: | This security check ensures that DNSSEC (Domain Name System Security Extensions) is enabled for your domain. DNSSEC is a critical security feature that provides authentication for DNS responses. It protects against common threats such as DNS spoofing, cache poisoning, and man-in-the-middle attacks. - Why This Is Important: + Why this is important: - * Prevents DNS Spoofing: Without DNSSEC, attackers can forge DNS responses, redirecting users to malicious websites or intercepting sensitive data. - * Protects Data Integrity: DNSSEC digitally signs DNS records to ensure the data returned in a DNS query has not been altered or tampered with during transit. - * Builds Trust: By enabling DNSSEC, organizations can enhance trust in their domain by ensuring users reliably connect to legitimate services. - * Compliance and Standards: Many security frameworks and compliance standards recommend or require DNSSEC implementation as a best practice for domain security. + * Prevents DNS spoofing: Without DNSSEC, attackers can forge DNS responses. This lets them redirect users to malicious websites or intercept sensitive data. + * Protects data integrity: DNSSEC digitally signs DNS records to ensure the data returned in a DNS query has not been altered or tampered with during transit. + * Builds trust: By enabling DNSSEC, organizations can enhance trust in their domain by ensuring users reliably connect to legitimate services. + * Compliance and standards: Many security frameworks and compliance standards recommend or require DNSSEC implementation as a best practice for domain security. remediation: | * Enable DNSSEC for your domain through your DNS hosting provider or domain registrar. * Regularly monitor DNSSEC configurations to ensure the validity of DNSSEC signatures and prevent expiration issues.