STIGQter: STIG Summary: Infoblox 7.x DNS Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 22 Jan 2021

A DNS server implementation must provide the means to enable verification of a chain of trust among parent and child domains (if the child supports secure resolution services).

DISA Rule

SV-214172r612370_rule

Vulnerability Number

V-214172

Group Title

SRG-APP-000215-DNS-000026

Rule Version

IDNS-7X-000250

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Authoritative Fix: Navigate to Data Management >> DNS >> Zones.

Select the appropriate zone using the check box, then use the "DNSSEC" drop-down menu and select "Sign Zones".
Follow the prompt to acknowledge zone signing.

Recursive Fix: Navigate to Data Management >> DNS >> Zones.

Edit "Grid DNS Properties", toggle Advanced Mode, and select the "DNSSEC" tab.
Enable both "Enable DNSSEC" and "Enable DNSSEC Validation" options.
When complete, click "Save & Close" to save the changes and exit the "Properties" screen.

Perform a service restart if necessary.

Check Contents

Note: For Infoblox DNS systems on a Classified network, this requirement is Not Applicable.

Authoritative Check: Navigate to Data Management >> DNS >> Zones.

Ensure external authoritative zones are DNSSEC signed.

Recursive Check: Navigate to Data Management >> DNS >> Zones.

Note: DNSSEC validation is only applicable on a grid member where recursion is active.

Edit "Grid DNS Properties", toggle Advanced Mode, and select the DNSSEC tab.
Validate that both "Enable DNSSEC" and "Enable DNSSEC Validation" are enabled.
When complete, click "Cancel" to exit the "Properties" screen.

If DNSSEC is not utilized for authoritative DNS and recursive clients, this is a finding.

Note: To add the "Signed" column, select an existing column, select the down arrow, select "Columns", select "Edit Columns", select the check box for "Visible" and select "Apply".
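The GUI check above confirms the configuration, but an auditor usually also wants evidence from the wire: a DNSKEY RRset with a covering RRSIG from the authoritative member (zone is signed), a DS record at the parent (chain of trust is delegated), and the `ad` flag in answers from the recursive member (validation is on). The following script is an added example, not part of this STIG or of Infoblox; it interprets text in the format printed by `dig +dnssec` and raises the same two findings the check describes. The zone name, server names and record data embedded below are constructed sample values.

```python
"""Offline interpreter for `dig +dnssec` output, used to evidence the DNSSEC
check (added example; zone, servers and record data are constructed)."""
import re
from dataclasses import dataclass, field

# Matches the dig header line, e.g. ";; flags: qr rd ra ad; QUERY: 1, ..."
FLAGS_RE = re.compile(r"^;; flags:\s*([a-z ]+);", re.MULTILINE)
# Matches one answer record, e.g. "example.test. 3600 IN RRSIG DNSKEY 8 2 ..."
RR_RE = re.compile(
    r"^(?P<name>\S+)\s+\d+\s+IN\s+(?P<type>[A-Z0-9]+)\s+(?P<rdata>.*)$", re.MULTILINE
)


@dataclass
class DnssecStatus:
    zone: str
    has_dnskey: bool
    dnskey_signed: bool
    parent_has_ds: bool
    resolver_validates: bool
    findings: list = field(default_factory=list)


def dig_commands(zone, auth_server, parent_server, recursive_member):
    """The three queries whose output assess_zone() expects, in this order.
    Server names are placeholders supplied by the caller."""
    return [
        f"dig +dnssec +multi DNSKEY {zone} @{auth_server}",
        f"dig +dnssec DS {zone} @{parent_server}",
        f"dig +dnssec A www.{zone} @{recursive_member}",
    ]


def parse_flags(dig_output):
    """Return the set of header flags (qr, aa, rd, ra, ad, cd)."""
    m = FLAGS_RE.search(dig_output)
    return set(m.group(1).split()) if m else set()


def parse_answer(dig_output):
    """Return (type, rdata) tuples from the ANSWER SECTION only."""
    parts = dig_output.split(";; ANSWER SECTION:", 1)
    if len(parts) < 2:
        return []  # NOERROR with an empty answer, e.g. an unsigned zone
    body = parts[1].split("\n;;", 1)[0]  # stop at the next ';;' section header
    return [(m.group("type"), m.group("rdata")) for m in RR_RE.finditer(body)]


def assess_zone(zone, auth_dnskey_output, parent_ds_output, resolver_output):
    """Apply the STIG's two conditions to captured dig output."""
    auth = parse_answer(auth_dnskey_output)
    has_dnskey = any(t == "DNSKEY" for t, _ in auth)
    dnskey_signed = any(t == "RRSIG" and r.startswith("DNSKEY ") for t, r in auth)
    parent_has_ds = any(t == "DS" for t, _ in parse_answer(parent_ds_output))
    resolver_validates = "ad" in parse_flags(resolver_output)

    status = DnssecStatus(zone, has_dnskey, dnskey_signed, parent_has_ds, resolver_validates)
    if not (has_dnskey and dnskey_signed):
        status.findings.append(f"{zone}: authoritative zone is not DNSSEC signed")
    elif not parent_has_ds:
        status.findings.append(f"{zone}: signed, but no DS at the parent; chain of trust is broken")
    if not resolver_validates:
        status.findings.append(f"{zone}: recursive member did not set 'ad'; validation appears disabled")
    return status


# Constructed sample outputs (abridged key and signature material).
SIGNED_DNSKEY = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1001
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.test.\t3600\tIN\tDNSKEY\t257 3 8 AwEAAcKSK
example.test.\t3600\tIN\tDNSKEY\t256 3 8 AwEAAcZSK
example.test.\t3600\tIN\tRRSIG\tDNSKEY 8 2 3600 20250101000000 20241201000000 12345 example.test. c2ln
"""
UNSIGNED_DNSKEY = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1002
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; AUTHORITY SECTION:
example.test.\t3600\tIN\tSOA\tns1.example.test. hostmaster.example.test. 1 3600 900 604800 300
"""
PARENT_DS = """;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
example.test.\t86400\tIN\tDS\t12345 8 2 ABCDEF0123456789
"""
NO_DS = """;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
"""
VALIDATING_RESOLVER = """;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
www.example.test.\t300\tIN\tA\t192.0.2.10
www.example.test.\t300\tIN\tRRSIG\tA 8 3 300 20250101000000 20241201000000 54321 example.test. c2ln
"""
NONVALIDATING_RESOLVER = """;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
www.example.test.\t300\tIN\tA\t192.0.2.10
"""

if __name__ == "__main__":
    for cmd in dig_commands("example.test.", "ns1.example.test", "ns.parent.test", "grid-member1"):
        print("run:", cmd)
    for label, args in {
        "compliant": (SIGNED_DNSKEY, PARENT_DS, VALIDATING_RESOLVER),
        "finding": (UNSIGNED_DNSKEY, NO_DS, NONVALIDATING_RESOLVER),
    }.items():
        print(label, assess_zone("example.test.", *args).findings)
```

Only the first finding is reported for an unsigned zone, because a missing DS is expected until the zone is signed; the recursive finding is independent, since validation is a property of the grid member rather than of any one zone.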

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

3995

Comments