STIGQter: STIG Summary: Infoblox 8.x DNS Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 09 Jan 2021:

The Infoblox DNS server implementation must enforce approved authorizations for controlling the flow of information between DNS servers and between DNS servers and DNS clients based on DNSSEC policies.

DISA Rule

SV-233911r621666_rule

Vulnerability Number

V-233911

Group Title

SRG-APP-000215-DNS-000003

Rule Version

IDNS-8X-700006

Severity

CAT II

CCI(s)

• CCI-001663 - The information system, when operating as part of a distributed, hierarchical namespace, provides the means to enable verification of a chain of trust among parent and child domains (if the child supports secure resolution services).

Weight

10

Fix Recommendation

Zone transfers can be restricted at the Grid, Member, and Zone level. Configuration is inherited and can be overridden if necessary to construct the appropriate access control. Refer to the Infoblox Administrator Guide if necessary.

1. Grid-level configuration: Navigate to Data Management >> DNS >> Zones tab.
2. Click "Grid DNS Properties" and toggle Advanced Mode.
3. Member-level configuration: Navigate to Data Management >> DNS >> Members tab.
4. Click "Edit" to review each member with the DNS service status of "Running".
5. Zone-level configuration: Navigate to Data Management >> DNS >> Zones tab.
6. Select the "Zone Transfers" tab.
7. Click "Override" to set permissions for "Allow zone transfers to".
8. Configure IPv4 and IPv6 networks, addresses, and TSIG keys to restrict zone transfers.

Check Contents

Review the configuration of Infoblox DNS systems and verify that communication flow is validated.

1. Review the Infoblox DNS configuration to verify that only approved communications are allowed.
2. Use of Access Control Lists to control clients, DNS zone transfer configuration to systems external to the Infoblox Grid, and Grid member configuration can be used to control communications as desired.

Infoblox systems within the same Grid use internal database updates and do not perform zone transfers.

If all systems are within the same Infoblox Grid, this is not a finding.

If the Infoblox system is configured to perform zone transfers to non-Grid systems, access control must be used. Otherwise, this is a finding.

Vulnerability Number

V-233911

Documentable

False

Rule Version

IDNS-8X-700006

Severity Override Guidance

Review the configuration of Infoblox DNS systems and verify that communication flow is validated.

1. Review the Infoblox DNS configuration to verify that only approved communications are allowed.
2. Use of Access Control Lists to control clients, DNS zone transfer configuration to systems external to the Infoblox Grid, and Grid member configuration can be used to control communications as desired.

Infoblox systems within the same Grid use internal database updates and do not perform zone transfers.

If all systems are within the same Infoblox Grid, this is not a finding.

If the Infoblox system is configured to perform zone transfers to non-Grid systems, access control must be used. Otherwise, this is a finding.

Check Content Reference

M

Target Key

5251

Comments