SV-233912r621666_rule
V-233912
SRG-APP-000215-DNS-000026
IDNS-8X-700007
CAT II
10
Note: Ensure DNSSEC is configured to meet all other STIG requirements prior to signing a zone to avoid signing with an unapproved configuration.
Authoritative Fix:
1. Navigate to Data Management >> DNS >> Zones.
2. Select the appropriate zone using the check box. From the "DNSSEC" drop-down menu, select "Sign Zones".
3. Follow prompts to acknowledge zone signing.
4. Perform a service restart if necessary.
Recursive Fix:
1. Navigate to Data Management >> DNS >> Zones.
2. Edit "Grid DNS Properties", toggle Advanced Mode, and select the "DNSSEC" tab.
3. Enable both "Enable DNSSEC" and "Enable DNSSEC Validation" options.
4. When complete, click "Save & Close" to save the changes and exit the "Properties" screen.
5. Perform a service restart if necessary.
Note: For Infoblox DNS systems on a classified network, this requirement is Not Applicable.
The Authoritative Check applies to external-facing authoritative zones:
1. Navigate to Data Management >> DNS >> Zones.
Note: To add the "Signed" column, select an existing column >> down arrow >> Columns >> Edit Columns. Set the "Signed" check box to "Visible" and select "Apply". DNSSEC signing status will then be displayed in the "Zones" tab.
2. Verify that external authoritative zones are DNSSEC signed.
Recursive Check:
1. Navigate to Data Management >> DNS. Edit "Grid DNS Properties", toggle Advanced Mode, and select the DNSSEC tab.
2. Validate that both "Enable DNSSEC" and "Enable DNSSEC Validation" options are enabled.
3. When complete, click "Cancel" to exit the "Properties" screen.
If DNSSEC is not both used for authoritative DNS and enabled for recursive clients, this is a finding.
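As an added, independent check that is not part of the STIG text or Infoblox's tooling, the Python below inspects raw DNS response bytes for the two properties the checks above look for: RRSIG records in the answer section (zone is signed) and the AD bit in the header (resolver performed DNSSEC validation). The sample messages are constructed inline so it runs offline; the name example.test and the zero-filled RRSIG RDATA are assumptions, not captured data.

```python
"""Offline DNSSEC status check over raw DNS response messages (RFC 1035/4034/4035)."""
import struct

RRSIG_TYPE = 46
AD_FLAG = 0x0020  # Authenticated Data bit in the header flags word (RFC 4035)

def _skip_name(msg, off):
    """Advance past a wire-format name; a compression pointer (top two bits set) ends it."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length

def dnssec_status(msg):
    """Return (validated, signed): AD bit set, and an RRSIG present in the answer section."""
    _ident, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    signed = False
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        signed = signed or rtype == RRSIG_TYPE
    return bool(flags & AD_FLAG), signed

def is_finding(validated, signed):
    """Map to the STIG rule: both zone signing and resolver validation are required."""
    return not (validated and signed)

def build_response(flags, answers):
    """Constructed sample response for 'example.test A'; not captured from a real server."""
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answers), 0, 0)
    question = b"\x07example\x04test\x00" + struct.pack("!HH", 1, 1)
    body = b""
    for rtype, rdata in answers:
        # 0xC00C is a compression pointer back to the question name at offset 12
        body += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return header + question + body

A_RR = (1, bytes([192, 0, 2, 1]))  # RFC 5737 documentation address
RRSIG_RR = (RRSIG_TYPE, b"\x00" * 40)  # placeholder RDATA; the parser does not verify signatures
VALIDATED = build_response(0x81A0, [A_RR, RRSIG_RR])  # flags: QR RD RA AD
UNSIGNED = build_response(0x8180, [A_RR])  # flags: QR RD RA, no AD, no RRSIG
```

A signed zone answered through a non-validating resolver yields (False, True), which is still a finding under this rule.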