Severity: MEDIUM
Source: Trivy/CSPM
CSPM ID: dns-security-enabled
ID: AVD-GCP-0013

Cloud DNS should use DNSSEC

DNSSEC cryptographically signs DNS records so that validating resolvers can verify responses are authentic and unmodified, protecting against man-in-the-middle tampering and impersonation of the zone.

Impact

Unverified DNS responses could lead to man-in-the-middle attacks.

Follow the appropriate remediation steps below to resolve the issue.

  1. Log in to the Google Cloud Platform Console.

  2. Scroll down the left navigation panel, choose the “Network Services” option under “NETWORKING” and select “Cloud DNS”.

  3. On the “Cloud DNS” page, select the “Zone name” that needs to be checked for “DNS Security”.

  4. On the selected “Zone”, check whether “DNSSEC” shows “Off” or “On”. If it is turned off, the zone cannot authenticate responses to domain name lookups.

  5. Repeat steps 2 - 4 to check the other DNS zones in the account.

  6. Navigate to the “Load balancing” option under “Network Services” of “NETWORKING”, choose the “Cloud DNS” option and select the “DNS”.

  7. On the “Cloud DNS” page, select the “Zone” and click on the dropdown menu below “DNSSEC”.

  8. On the selected “Cloud DNS”, select “ON” from the “DNSSEC” dropdown menu.

  9. On the “Enabling DNSSEC” tab, click on the “Enable” button to apply the change.

  10. Repeat steps 6 - 9 to ensure “DNSSEC” is enabled for all managed zones in the Cloud DNS service.
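Clicking through every zone as in steps 2 - 5 does not scale, so the following added example (not part of the original Trivy page) automates the same check. It is assumed to be fed the JSON that `gcloud dns managed-zones list --format=json` prints; the zone records embedded below are constructed for illustration. A zone with no `dnssecConfig` block at all is treated as DNSSEC off, and private zones are reported separately because Cloud DNS only supports DNSSEC on public zones.

```python
"""Report Cloud DNS managed zones whose DNSSEC is not enabled (added example).

Expected input: the JSON list printed by
    gcloud dns managed-zones list --format=json
Pass "-" as the first argument to read that JSON from stdin; with no
argument the constructed sample below is used so the script runs offline.
"""
import json
import sys

# Constructed sample resembling `gcloud dns managed-zones list --format=json`
# output. These zones are invented for this example, not real account data.
SAMPLE_ZONES_JSON = """
[
  {"name": "public-signed", "dnsName": "signed.example.com.",
   "visibility": "public", "dnssecConfig": {"state": "on"}},
  {"name": "public-unsigned", "dnsName": "unsigned.example.com.",
   "visibility": "public", "dnssecConfig": {"state": "off"}},
  {"name": "public-missing-config", "dnsName": "legacy.example.com.",
   "visibility": "public"},
  {"name": "internal-only", "dnsName": "corp.internal.",
   "visibility": "private"}
]
"""


def dnssec_state(zone: dict) -> str:
    """Return the zone's DNSSEC state; a missing dnssecConfig means 'off'."""
    return str(zone.get("dnssecConfig", {}).get("state", "off")).lower()


def classify_zones(zones: list) -> dict:
    """Split zones into compliant / non_compliant / not_applicable buckets.

    Private zones cannot have DNSSEC turned on in Cloud DNS, so they are
    listed as not applicable rather than as findings.
    """
    result = {"compliant": [], "non_compliant": [], "not_applicable": []}
    for zone in zones:
        name = zone["name"]
        if zone.get("visibility", "public") == "private":
            result["not_applicable"].append(name)
        elif dnssec_state(zone) == "on":
            result["compliant"].append(name)
        else:
            result["non_compliant"].append(name)
    return result


def classify_json(text: str) -> dict:
    """Convenience wrapper: parse the gcloud JSON text and classify it."""
    return classify_zones(json.loads(text))


def remediation_commands(zones: list) -> list:
    """gcloud commands that would switch DNSSEC on for each finding.

    They are returned for review, not executed; --dnssec-state is a real
    flag of `gcloud dns managed-zones update`.
    """
    findings = classify_zones(zones)["non_compliant"]
    return [f"gcloud dns managed-zones update {name} --dnssec-state on"
            for name in findings]


def main(argv: list) -> int:
    raw = sys.stdin.read() if len(argv) > 1 and argv[1] == "-" else SAMPLE_ZONES_JSON
    zones = json.loads(raw)
    report = classify_zones(zones)
    for bucket, names in report.items():
        print(f"{bucket}: {', '.join(names) or '-'}")
    for cmd in remediation_commands(zones):
        print("remediate:", cmd)
    # Non-zero exit when any public zone lacks DNSSEC, so CI can fail on it.
    return 1 if report["non_compliant"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Turning the state to on signs the zone, but resolvers only validate those signatures once the zone's DS record has been published at the parent (normally via the registrar); that step is separate from the console procedure above, so a zone can show “On” and still not be validated by clients.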

Enable DNSSEC

resource "google_dns_managed_zone" "good_example" {
  name        = "example-zone"
  dns_name    = "example-${random_id.rnd.hex}.com."
  description = "Example DNS zone"
  labels = {
    foo = "bar"
  }
  # Signing the zone; state = "on" is what the check looks for.
  dnssec_config {
    state = "on"
  }
}

# Random suffix so the example dns_name is unique.
resource "random_id" "rnd" {
  byte_length = 4
}