STIGQter: STIG Summary: Infoblox 8.x DNS Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 09 Jan 2021:

The Infoblox system must restrict the ability of individuals to use the DNS server to launch denial-of-Service (DoS) attacks against other information systems.

DISA Rule

SV-233921r621666_rule

Vulnerability Number

V-233921

Group Title

SRG-APP-000246-DNS-000035

Rule Version

IDNS-8X-700016

Severity

CAT II

CCI(s)

• CCI-001094 - The information system restricts the ability of individuals to launch organization-defined denial of service attacks against other information systems.

Weight

10

Fix Recommendation

1. Navigate to Data Management >> DNS >> Grid DNS Properties.
2. Select the "Queries" tab.
3. For external authoritative name servers, disable "Allow Recursion" by clearing the check box.
4. For internal name servers, on the "Updates" tab, configure either an ACL or ACE for "Allow updates from".
5. On the "Queries" tab, configure either an ACL or ACE for "Allow queries from".
6. When complete, click "Save & Close" to save the changes and exit the "Properties" screen.
7. Perform a service restart if necessary.

Check Contents

Infoblox systems have a number of options that can be configured to reduce the ability to be exploited in a DoS attack. Primary consideration for this check should be given to client restrictions such as disabling open recursive servers, using Access Control Lists (ACLs) to limit client communication, and placement in secure network architecture to prevent address spoofing.

1. Navigate to Data Management >> DNS >> Grid DNS Properties.

2. For external authoritative name servers:
a. Select the "Queries" tab.
b. Verify the "Allow Recursion" check box is not enabled.

3. For internal name servers:
a. On the "Updates" tab, verify that an ACL or Access Control Entry (ACE) for "Allow updates from" is enabled.
b. On the "Queries" tab, verify that either an ACL or ACE for "Allow queries from" is enabled.

4. When complete, click "Cancel" to save the changes and exit the "Properties" screen.

If there is an open recursive DNS service on external name servers, or unrestricted access to internal name servers, this is a finding.

Vulnerability Number

V-233921

Documentable

False

Rule Version

IDNS-8X-700016

Severity Override Guidance

Infoblox systems have a number of options that can be configured to reduce the ability to be exploited in a DoS attack. Primary consideration for this check should be given to client restrictions such as disabling open recursive servers, using Access Control Lists (ACLs) to limit client communication, and placement in secure network architecture to prevent address spoofing.

1. Navigate to Data Management >> DNS >> Grid DNS Properties.

2. For external authoritative name servers:
a. Select the "Queries" tab.
b. Verify the "Allow Recursion" check box is not enabled.

3. For internal name servers:
a. On the "Updates" tab, verify that an ACL or Access Control Entry (ACE) for "Allow updates from" is enabled.
b. On the "Queries" tab, verify that either an ACL or ACE for "Allow queries from" is enabled.

4. When complete, click "Cancel" to save the changes and exit the "Properties" screen.

If there is an open recursive DNS service on external name servers, or unrestricted access to internal name servers, this is a finding.

Check Content Reference

M

Target Key

5251

Comments