Cyber Resilience

NIST 800-53 r5 · Controls catalogue · Family SC

SC-21Secure Name/Address Resolution Service (Recursive or Caching Resolver)

Request and perform data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources.

Last updated: 04 July 2026 00:28 UTC

Implementations targeting this control (0)

ATT&CK techniques this control mitigates (7)

Weaknesses this control addresses (6)AI

CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.

CWE Name CVEs Why this control addresses it
CWE-347Improper Verification of Cryptographic Signature842Mandates verification of cryptographic signatures (e.g., DNSSEC RRSIG) on resolution responses, addressing missing or bypassed signature checks.
CWE-345Insufficient Verification of Data Authenticity699Requires explicit verification of data authenticity from authoritative sources, preventing acceptance of unauthenticated resolution responses.
CWE-290Authentication Bypass by Spoofing698Directly counters DNS response spoofing by requiring cryptographic origin authentication before trusting resolved names/addresses.
CWE-346Origin Validation Error661Enforces origin validation of name/address data, eliminating reliance on unverified or impersonated DNS sources.
CWE-354Improper Validation of Integrity Check Value194Requires validation of integrity check values on every resolution response, directly mitigating tampered or corrupted DNS data.
CWE-348Use of Less Trusted Source54Prevents use of less-trusted or adversarial sources by requiring proof of origin and integrity before accepting responses.

Top CVEs where this control is the strongest mitigation

CVE Risk CVSS EPSS Match
CVE-2025-710587.09.10.0045good
CVE-2025-301327.09.10.0034good
CVE-2026-422555.57.20.0021good
CVE-2025-590235.58.20.0027good
CVE-2023-503878.07.51.0000good
CVE-2023-508688.07.50.8173good
CVE-2022-34886.07.50.1905partial
CVE-2023-538755.58.80.0037partial
CVE-2026-326345.58.10.0028good
CVE-2025-301405.57.50.0033good
CVE-2026-1519 UPD5.57.50.0155good
CVE-2026-410555.58.60.0038good
CVE-2026-3104 UPD5.57.50.0070partial
CVE-2026-44375.57.50.0029partial
CVE-2025-619395.58.80.0024good

Other controls in family SC

SC-1 SC-10 SC-11 SC-12 SC-13 SC-14 SC-15 SC-16 SC-17 SC-18 SC-19 SC-2 SC-20 SC-22 SC-23 SC-24 SC-25 SC-26 SC-27 SC-28 SC-29 SC-3 SC-30 SC-31 SC-32 SC-33 SC-34 SC-35 SC-36 SC-37 SC-38 SC-39 SC-4 SC-40 SC-41 SC-42 SC-43 SC-44 SC-45 SC-46 SC-47 SC-48 SC-49 SC-5 SC-50 SC-51 SC-6 SC-7 SC-8 SC-9