CIS Control 4.9: Configure Trusted DNS Servers on Enterprise Assets
DNS misconfigurations expose your organization to domain hijacking, DNS spoofing, and malware distribution attacks. CIS Control 4.9 requires enterprises to explicitly configure trusted DNS servers—whether enterprise-controlled or reputable external providers—to prevent attackers from intercepting or poisoning name resolution. This control is foundational to network security and a critical step in demonstrating compliance maturity.
What this means
Configure Trusted DNS Servers on Enterprise Assets requires your organization to explicitly define and enforce which DNS servers all enterprise-managed devices use for domain name resolution. This means either deploying and maintaining your own DNS infrastructure or selecting reputable, externally-managed DNS providers. By controlling DNS resolution at the network and endpoint level, you prevent attackers from exploiting default or insecure DNS configurations to redirect users to malicious sites or intercept sensitive communications.
How to comply
- 1.Identify all enterprise assets (workstations, servers, IoT devices, mobile devices) that perform DNS lookups
- 2.Select trusted DNS servers: either enterprise-controlled DNS servers you operate or established external providers with strong security track records
- 3.Configure DNS settings at the network level (DHCP, firewalls, routers) to assign trusted DNS servers to all devices
- 4.Configure endpoint-level DNS settings to override defaults and point to approved DNS servers
- 5.Document your DNS server selection criteria and the list of approved DNS servers
- 6.Implement monitoring and alerting to detect when devices use unauthorized DNS servers
- 7.Regularly audit DNS configurations across all assets to ensure compliance
- 8.Test DNS resolution to verify that only trusted servers are being used
Evidence auditors look for
- DHCP configuration files showing enterprise-controlled DNS server assignments
- DNS server IP addresses documented in your approved DNS server list
- Device configuration screenshots showing DNS settings pointing to approved servers
- Network monitoring logs confirming DNS queries are routed through trusted servers only
- Firewall rules blocking unauthorized DNS traffic on non-standard ports
- Router and network device configurations enforcing DNS server assignments
- Endpoint management policies (GPO, MDM) that lock DNS settings to approved values
- Audit reports showing 100% of devices using approved DNS servers
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automatically maps DNS server configurations across your entire asset inventory and alerts you when devices drift from approved DNS settings, eliminating manual auditing and ensuring continuous CIS 4.9 compliance.
See how GRCWatch handles this control automatically
Start free trial