STIGQter: STIG Summary: Infoblox 8.x DNS Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 09 Jan 2021:

The Infoblox DNS server must send outgoing DNS messages from a random port.

DISA Rule

SV-233878r621666_rule

Vulnerability Number

V-233878

Group Title

SRG-APP-000516-DNS-000110

Rule Version

IDNS-8X-400020

Severity

CAT II

CCI(s)

• CCI-000366 - The organization implements the security configuration settings.

Weight

10

Fix Recommendation

1. Navigate to Data Management >> DNS >> Grid DNS Properties, or System DNS properties on a stand-alone system.
2. Toggle Advanced Mode and select General >> Advanced tab. Disable "Set static source UDP port for queries (not recommended)" and "Set static source UDP port for notify messages".
3. Navigate to Data Management >> DNS >> Members tab.
4. Review each Infoblox member with the DNS service enabled.
5. Select each server, click "Edit", toggle Advanced Mode, and select General >> Advanced tab.
6. Locate the section labeled "Source port settings" and click "Override" to use the Grid default values that disable static source ports.
7. When complete, click "Save & Close" to save the changes and exit the "Properties" screen.
8. Perform a service restart if necessary.

Check Contents

Verify the default Infoblox configuration to use random ports is not overridden at either the global or member level.

Global-Level check:
1. Navigate to Data Management >> DNS Edit Grid DNS Properties, or System DNS Properties on a stand-alone system.
2. Toggle Advanced Mode and select the General >> Advanced tab.
3. Verify that the options under "Source Port Settings", "Set static source UDP port for queries (not recommended)", and "Set static source UDP port for notify messages" use the default value of "not enabled".
4. When complete, click "Cancel" to exit the "Properties" screen.

Member-Level check:
1. Navigate to Data Management >> DNS >> Members tab.
2. Review each server with the DNS service enabled.
3. Select each server, click "Edit", toggle Advanced Mode, and select General >> Advanced tab.
4. Verify that the options under "Source Port Settings", "Set static source UDP port for queries (not recommended)", and "Set static source UDP port for notify messages" use the default value of "not enabled".
5. When complete, click "Cancel" to exit the "Properties" screen.

If configuration of either of these values exists, this is a finding.

Vulnerability Number

V-233878

Documentable

False

Rule Version

IDNS-8X-400020

Severity Override Guidance

Verify the default Infoblox configuration to use random ports is not overridden at either the global or member level.

Global-Level check:
1. Navigate to Data Management >> DNS Edit Grid DNS Properties, or System DNS Properties on a stand-alone system.
2. Toggle Advanced Mode and select the General >> Advanced tab.
3. Verify that the options under "Source Port Settings", "Set static source UDP port for queries (not recommended)", and "Set static source UDP port for notify messages" use the default value of "not enabled".
4. When complete, click "Cancel" to exit the "Properties" screen.

Member-Level check:
1. Navigate to Data Management >> DNS >> Members tab.
2. Review each server with the DNS service enabled.
3. Select each server, click "Edit", toggle Advanced Mode, and select General >> Advanced tab.
4. Verify that the options under "Source Port Settings", "Set static source UDP port for queries (not recommended)", and "Set static source UDP port for notify messages" use the default value of "not enabled".
5. When complete, click "Cancel" to exit the "Properties" screen.

If configuration of either of these values exists, this is a finding.

Check Content Reference

M

Target Key

5251

Comments