-
Notifications
You must be signed in to change notification settings - Fork 17
/
mondoo-dns-security.mql.yaml
90 lines (79 loc) · 3.25 KB
/
mondoo-dns-security.mql.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
# Copyright (c) Mondoo, Inc.
# SPDX-License-Identifier: BUSL-1.1
policies:
- uid: mondoo-dns-security
name: Mondoo DNS Security
version: 1.1.0
license: BUSL-1.1
tags:
mondoo.com/category: security
mondoo.com/platform: host
authors:
- name: Mondoo, Inc
email: [email protected]
docs:
desc: |
## Overview
The Mondoo DNS Security policy includes checks for assessing the configuration of DNS records.
## Remote scan
Remote scans use cnspec providers to retrieve on-demand scan results without having to install any agents.
For a complete list of providers run:
```bash
cnspec scan --help
```
### Scan a host
```bash
cnspec scan host <hostname>
```
## Join the community!
Our goal is to build policies that are simple to deploy, accurate, and actionable.
If you have any suggestions for how to improve this policy, or if you need support, [join the community](https://github.com/orgs/mondoohq/discussions) in GitHub Discussions.
groups:
- title: Networking
filters: asset.family.contains('network')
checks:
- uid: mondoo-dns-security-google-workspaces-mx-records
- uid: mondoo-dns-security-no-cname-for-root-domain
- uid: mondoo-dns-security-no-ip-for-ns-mx-records
- uid: mondoo-dns-security-no-legacy-office-365-mx-records
queries:
- uid: mondoo-dns-security-no-cname-for-root-domain
title: Ensure no CNAME is used for root domain
mql: |
if (domainName.fqdn == domainName.effectiveTLDPlusOne) {
dns.records.where(type == "CNAME").length == 0
}
- uid: mondoo-dns-security-no-ip-for-ns-mx-records
title: Ensure NS and MX records are not pointing to IP addresses
mql: |
# check that MX records are not using IP addresses
dns.mx {
domainName != regex.ipv4
domainName != regex.ipv6
}
# check that ns records are no ip
dns.records.where(type == "NS") {
rdata {
_ != regex.ipv4
_ != regex.ipv6
}
}
- uid: mondoo-dns-security-no-legacy-office-365-mx-records
title: Ensure legacy MX records are not used with Office 365
mql: |
dns.mx.all( domainName.downcase != "mail.outlook.com." )
dns.mx.all( domainName.downcase != "mail.messaging.microsoft.com." )
dns.mx.all( domainName.downcase != "mail.global.frontbridge.com." )
dns.mx.all( domainName.downcase != "mail.global.bigfish.com." )
refs:
- url: https://techcommunity.microsoft.com/t5/exchange-team-blog/best-practices-for-using-assigned-office-365-dns-records/ba-p/607907
title: Best practices for using assigned Office 365 DNS records
- uid: mondoo-dns-security-google-workspaces-mx-records
title: Ensure the correct MX records are used with Google Workspaces
mql: |-
dns.mx.where(domainName == /l.google.com/).
map(domainName.downcase).
containsOnly(["aspmx.l.google.com.", "alt1.aspmx.l.google.com.", "alt2.aspmx.l.google.com.", "alt3.aspmx.l.google.com.", "alt4.aspmx.l.google.com."])
refs:
- url: https://support.google.com/a/answer/140034?hl=en
title: Set up MX records for Google Workspace email