STIGQter: STIG Summary: Infoblox 8.x DNS Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 09 Jan 2021:

The Infoblox system must limit the number of concurrent client connections to the number of allowed dynamic update clients.

DISA Rule

SV-233856r621666_rule

Vulnerability Number

V-233856

Group Title

SRG-APP-000001-DNS-000115

Rule Version

IDNS-8X-100002

Severity

CAT II

CCI(s)

• CCI-000054 - The information system limits the number of concurrent sessions for each organization-defined account and/or account type to an organization-defined number of sessions.

Weight

10

Fix Recommendation

Infoblox can be configured in two ways to limit DDNS client updates. Refer to the Administrator Guide for detailed instructions if necessary.

1. For clients that support GSS-TSIG, navigate to Data Management >> DNS >> Members tab.
a. Review each server with the DNS service enabled. Select each server, click "Edit", toggle Advanced Mode, and select GSS-TSIG.
b. Configure the option "Enable GSS-TSIG authentication of clients".
c. Upload the required keys.

2. For clients that do not support GSS-TSIG, navigate to Data Management >> DNS >> Members tab.
a. Review each server with the DNS service enabled.
b. Select each server and click "Edit".
c. Select the "Updates" tab. Enable an existing Named ACL or configure a new set of ACEs to limit client DDNS.

3. When complete, click "Save & Close" to save the changes and exit the "Properties" screen.

4. Perform a service restart if necessary.

Check Contents

Infoblox can be configured in two ways to limit DDNS client updates.

1. For clients that support GSS-TSIG, navigate to Data Management >> DNS >> Members tab.
a. Review each server with the DNS service enabled.
b. Select each server, click "Edit", toggle Advanced Mode, and select GSS-TSIG.
c. Verify that "Enable GSS-TSIG authentication of clients" is enabled.

2. For clients that do not support GSS-TSIG, navigate to Data Management >> DNS >> Members tab.
a. Review each server with the DNS service enabled. Select each server and click "Edit".
b. Select the "Updates" tab. Verify that either a Named ACL or Set of ACEs are defined to limit client DDNS.

3. When complete, click "Cancel" to exit the "Properties" screen.

If "Enable GSS-TSIG authentication of clients" is disabled for clients supporting GSS-TSIG, or a Named ACL or Set of ACEs is not defined to limit DDNS for clients without GSS-TSIG support, this is a finding.

Vulnerability Number

V-233856

Documentable

False

Rule Version

IDNS-8X-100002

Severity Override Guidance

Infoblox can be configured in two ways to limit DDNS client updates.

1. For clients that support GSS-TSIG, navigate to Data Management >> DNS >> Members tab.
a. Review each server with the DNS service enabled.
b. Select each server, click "Edit", toggle Advanced Mode, and select GSS-TSIG.
c. Verify that "Enable GSS-TSIG authentication of clients" is enabled.

2. For clients that do not support GSS-TSIG, navigate to Data Management >> DNS >> Members tab.
a. Review each server with the DNS service enabled. Select each server and click "Edit".
b. Select the "Updates" tab. Verify that either a Named ACL or Set of ACEs are defined to limit client DDNS.

3. When complete, click "Cancel" to exit the "Properties" screen.

If "Enable GSS-TSIG authentication of clients" is disabled for clients supporting GSS-TSIG, or a Named ACL or Set of ACEs is not defined to limit DDNS for clients without GSS-TSIG support, this is a finding.

Check Content Reference

M

Target Key

5251

Comments