STIGQter: STIG Summary: Infoblox 7.x DNS Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 22 Jan 2021

The Infoblox system must limit the number of concurrent client connections to the number of allowed dynamic update clients.

DISA Rule

SV-214161r612370_rule

Vulnerability Number

V-214161

Group Title

SRG-APP-000001-DNS-000115

Rule Version

IDNS-7X-000030

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Infoblox Systems can be configured in two ways to limit DDNS client updates.

For clients that support GSS-TSIG, navigate to Data Management >> DNS >> Members/Servers tab.

Review each server with the DNS service enabled.
Select each server, click "Edit", toggle Advanced Mode and select GSS-TSIG.
Configure the option "Enable GSS-TSIG authentication of clients".
Upload the required keys.
Refer to the Administration Guide for detailed instructions.

For clients that do not support GSS-TSIG, navigate to Data Management >> DNS >> Members/Servers tab.

Review each server with the DNS service enabled.
Select each server, click "Edit".
Select the Updates tab.
Select either an existing Named ACL or configure a new Set of ACEs to limit client DDNS.
When complete, click "Save & Close" to save the changes and exit the "Properties" screen.

Perform a service restart if necessary.

Check Contents

Infoblox Systems can be configured in two ways to limit DDNS client updates.

For clients that support GSS-TSIG, navigate to Data Management >> DNS >> Members/Servers tab.

Review each server with the DNS service enabled. Select each server, click "Edit", toggle Advanced Mode and select GSS-TSIG.
Verify that "Enable GSS-TSIG authentication of clients" is enabled.

For clients that do not support GSS-TSIG, navigate to Data Management >> DNS >> Members/Servers tab.

Review each server with the DNS service enabled.
Select each server, click "Edit".
Select the "Updates" tab.
Verify that either a Named ACL or a Set of ACEs is defined to limit client DDNS.
When complete, click "Cancel" to exit the "Properties" screen.

If "Enable GSS-TSIG authentication of clients" is disabled for clients supporting GSS-TSIG, or a Named ACL or Set of ACEs is not defined to limit DDNS for clients without GSS-TSIG support, this is a finding.
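An added compliance check for this rule (example code written for this page, not Infoblox's or STIGQter's own): it applies the finding logic above to per-member DNS settings shaped like the Infoblox WAPI `member:dns` object, read here from a constructed JSON sample rather than a live Grid. The field names `enable_dns`, `enable_gss_tsig` and `allow_update` are assumed to match WAPI; confirm them against your WAPI version before pointing this at a real Grid.

```python
import json

# Constructed sample (not from a real Grid), modelled on the WAPI "member:dns"
# object. Field names are assumed. Each entry is one Grid member.
MEMBERS_JSON = """
[
 {"host_name": "ns1.example.mil", "enable_dns": true, "enable_gss_tsig": true,
  "allow_update": [{"_struct": "addressac", "address": "10.20.0.0/16", "permission": "ALLOW"}]},
 {"host_name": "ns2.example.mil", "enable_dns": true, "enable_gss_tsig": false,
  "allow_update": []},
 {"host_name": "ns3.example.mil", "enable_dns": true, "enable_gss_tsig": false,
  "allow_update": [{"_struct": "addressac", "address": "Any", "permission": "ALLOW"}]},
 {"host_name": "ns4.example.mil", "enable_dns": true, "enable_gss_tsig": false,
  "allow_update": [{"_struct": "tsigac", "tsig_key_name": "ddns-key", "use_tsig_key_name": true}]},
 {"host_name": "reporting.example.mil", "enable_dns": false, "enable_gss_tsig": false,
  "allow_update": []}
]
"""


def acl_limits_updates(acl):
    """True only when the update ACL actually restricts clients: at least one
    ACE, and no ACE that allows updates from any address."""
    if not acl:
        return False
    for ace in acl:
        if (ace.get("_struct") == "addressac" and ace.get("permission") == "ALLOW"
                and str(ace.get("address", "")).lower() == "any"):
            return False
    return True


def evaluate_members(members):
    """Return {host_name: reason} for each DNS-enabled member that is a finding
    under IDNS-7X-000030: neither GSS-TSIG client authentication nor a
    restrictive update ACL limits who may send dynamic updates."""
    findings = {}
    for m in members:
        if not m.get("enable_dns"):
            continue  # the check covers only servers with the DNS service enabled
        if m.get("enable_gss_tsig") or acl_limits_updates(m.get("allow_update", [])):
            continue
        if m.get("allow_update"):
            findings[m["host_name"]] = "update ACL permits Any; DDNS not limited"
        else:
            findings[m["host_name"]] = "no GSS-TSIG and no update ACL/ACEs defined"
    return findings


def evaluate_json(text):
    return evaluate_members(json.loads(text))


if __name__ == "__main__":
    for host, reason in evaluate_json(MEMBERS_JSON).items():
        print(f"FINDING {host}: {reason}")
```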

Vulnerability Number

V-214161

Documentable

False

Rule Version

IDNS-7X-000030

Severity Override Guidance


Check Content Reference

M

Target Key

3995

Comments