Checked | Name | Title |
---|---|---|
☐ | SV-233855r621666_rule | Infoblox systems that perform zone transfers to non-Grid DNS servers must limit the number of concurrent sessions for zone transfers. |
☐ | SV-233856r621666_rule | The Infoblox system must limit the number of concurrent client connections to the number of allowed dynamic update clients. |
☐ | SV-233857r621666_rule | The Infoblox DNS server must not reveal sensitive information to an attacker. This includes HINFO, RP, LOC resource, and sensitive TXT record data. |
☐ | SV-233858r621666_rule | The Infoblox system audit records must be backed up at least every seven days onto a different system or system component than the system or component being audited. |
☐ | SV-233859r621666_rule | All authoritative name servers for a zone must be geographically dispersed. |
☐ | SV-233860r621666_rule | Recursion must be disabled on Infoblox DNS servers that are configured as authoritative name servers. |
☐ | SV-233861r621666_rule | The validity period for the Resource Record Signatures (RRSIGs) covering a zone's DNSKEY RRSet must be no less than two days and no more than one week. |
☐ | SV-233862r621666_rule | NSEC3 must be used for all DNSSEC signed zones. |
☐ | SV-233863r621666_rule | The Infoblox DNS server must be configured so that each name server (NS) record in a zone file points to an active name server authoritative for the domain specified in that record. |
☐ | SV-233864r621666_rule | All authoritative name servers for a zone must be located on different network segments. |
☐ | SV-233865r621666_rule | All authoritative name servers for a zone must have the same version of zone information. |
☐ | SV-233866r621666_rule | An authoritative name server must be configured to enable DNSSEC resource records. |
☐ | SV-233867r621666_rule | The digital signature algorithm used for DNSSEC-enabled zones must be FIPS compatible. |
☐ | SV-233868r621666_rule | For zones split between the external and internal sides of a network, the resource records (RRs) for the external hosts must be separate from the RRs for the internal hosts. |
☐ | SV-233869r621666_rule | In a split DNS configuration, where separate name servers are used between the external and internal networks, the external name server must be configured to not be reachable from inside resolvers. |
☐ | SV-233870r621666_rule | In a split DNS configuration, where separate name servers are used between the external and internal networks, the internal name server must be configured to not be reachable from outside resolvers. |
☐ | SV-233871r621666_rule | Primary authoritative name servers must be configured to only receive zone transfer requests from specified secondary name servers. |
☐ | SV-233872r621666_rule | The Infoblox system must use a security policy that limits the propagation of access rights. |
☐ | SV-233873r621666_rule | The DNS implementation must implement internal/external role separation. |
☐ | SV-233874r621666_rule | The Infoblox DNS server must use current and valid root name servers. |
☐ | SV-233875r621666_rule | The Infoblox NIOS version must be at the appropriate version. |
☐ | SV-233876r621666_rule | The IP address for hidden master authoritative name servers must not appear in the name servers set in the zone database. |
☐ | SV-233877r621666_rule | The Infoblox system must be configured to respond to DNS traffic only. |
☐ | SV-233878r621666_rule | The Infoblox DNS server must send outgoing DNS messages from a random port. |
☐ | SV-233879r621666_rule | The private keys corresponding to both the Zone Signing Key (ZSK) and the Key Signing Key (KSK) must not be kept on the DNSSEC-aware primary authoritative name server when the name server does not support dynamic updates. |
☐ | SV-233880r621666_rule | CNAME records must not point to a zone with lesser security for more than six months. |
☐ | SV-233881r621666_rule | The Infoblox system must use the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. |
☐ | SV-233882r621666_rule | A secure out-of-band (OOB) network must be used for management of Infoblox Grid Members. |
☐ | SV-233883r621666_rule | Infoblox systems must enforce current DoD password restrictions. |
☐ | SV-233884r621666_rule | Infoblox Grid configuration must be backed up on a regular basis. |
☐ | SV-233885r621666_rule | The Infoblox system must display the approved DoD notice and consent banner. |
☐ | SV-233886r621666_rule | The Infoblox system must display the appropriate security classification information. |
☐ | SV-233887r621666_rule | The Infoblox system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. |
☐ | SV-233888r621666_rule | The Infoblox system must present only approved TLS and SSL cipher suites. |
☐ | SV-233889r621666_rule | An Infoblox DNS server must strongly bind the identity of the DNS server with the DNS information using DNSSEC. |
☐ | SV-233890r621666_rule | The Infoblox system must provide the means for authorized individuals to determine the identity of the source of the DNS server-provided information. |
☐ | SV-233891r621666_rule | The Infoblox system must validate the binding of the other DNS servers' identity to the DNS information for a server-to-server transaction (e.g., zone transfer). |
☐ | SV-233892r621666_rule | The Infoblox system must send a notification in the event of an error when validating the binding of another DNS server’s identity to the DNS information. |
☐ | SV-233893r621666_rule | The Infoblox DNS server must provide data origin artifacts for internal name/address resolution queries. |
☐ | SV-233894r621666_rule | The Infoblox DNS server must provide data integrity protection artifacts for internal name/address resolution queries. |
☐ | SV-233895r621666_rule | The Infoblox system must notify the system administrator when a component failure is detected. |
☐ | SV-233896r621666_rule | The Infoblox DNS server implementation must follow procedures to re-role a secondary name server as the master name server should the master name server permanently lose functionality. |
☐ | SV-233897r621666_rule | The Infoblox system must prohibit or restrict unapproved services, ports, and protocols. |
☐ | SV-233898r621666_rule | The Infoblox system must require devices to reauthenticate for each zone transfer and dynamic update request connection attempt. |
☐ | SV-233899r621666_rule | When using non-Grid DNS servers for zone transfers, each name server must use TSIG to uniquely identify the other server. |
☐ | SV-233900r621666_rule | The Infoblox DNS server must authenticate to any external (non-Grid) DNS servers before responding to a server-to-server transaction. |
☐ | SV-233901r621666_rule | The Infoblox DNS server must authenticate another DNS server before establishing a remote and/or network connection using bidirectional authentication that is cryptographically based. |
☐ | SV-233902r621666_rule | Infoblox systems that communicate with non-Grid name servers must use a unique Transaction Signature (TSIG). |
☐ | SV-233903r621666_rule | The Infoblox Grid Master must be configured as a stealth (hidden) domain name server in order to protect the Key Signing Key (KSK) residing on it. |
☐ | SV-233904r621666_rule | The Infoblox Grid Master must be configured as a stealth (hidden) domain name server in order to protect the Zone Signing Key (ZSK) residing on it. |
☐ | SV-233905r621666_rule | The Infoblox system must employ strong authenticators in the establishment of non-local maintenance and diagnostic sessions. |
☐ | SV-233906r621666_rule | The Infoblox DNS server must implement NIST FIPS-validated cryptography for provisioning digital signatures, generating cryptographic hashes, and protecting unclassified information requiring confidentiality. |
☐ | SV-233907r621666_rule | The Infoblox system must provide additional data origin artifacts along with the authoritative data the system returns in response to external name/address resolution queries. |
☐ | SV-233908r621666_rule | The Infoblox DNS Server must provide additional integrity artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries. |
☐ | SV-233909r621666_rule | The Infoblox DNS server implementation must provide the means to indicate the security status of child zones. |
☐ | SV-233910r621666_rule | The validity period for the Resource Record Signatures (RRSIGs) covering the Delegation Signer (DS) RR for a zone's delegated children must be no less than two days and no more than one week. |
☐ | SV-233911r621666_rule | The Infoblox DNS server implementation must enforce approved authorizations for controlling the flow of information between DNS servers and between DNS servers and DNS clients based on DNSSEC policies. |
☐ | SV-233912r621666_rule | The Infoblox DNS server must enable verification of a chain of trust among parent and child domains (if the child supports secure resolution services). |
☐ | SV-233913r621666_rule | The Infoblox DNS server must request data origin authentication verification on the name/address resolution responses the system receives from authoritative sources. |
☐ | SV-233914r621666_rule | The Infoblox DNS server must request data integrity verification on the name/address resolution responses the system receives from authoritative sources. |
☐ | SV-233915r621666_rule | The Infoblox DNS server must perform data integrity verification on the name/address resolution responses the system receives from authoritative sources. |
☐ | SV-233916r621666_rule | The Infoblox DNS server must perform data origin verification authentication on the name/address resolution responses the system receives from authoritative sources. |
☐ | SV-233917r621666_rule | Infoblox DNS servers must protect the authenticity of communications sessions for zone transfers when communicating with external DNS servers. |
☐ | SV-233918r621666_rule | Infoblox DNS servers must protect the authenticity of communications sessions for dynamic updates. |
☐ | SV-233919r621666_rule | Infoblox DNS servers must protect the authenticity of communications sessions for queries. |
☐ | SV-233920r621666_rule | In the event of a system failure, the Infoblox system must preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to mission processes. |
☐ | SV-233921r621666_rule | The Infoblox system must restrict the ability of individuals to use the DNS server to launch denial-of-service (DoS) attacks against other information systems. |
☐ | SV-233922r621666_rule | The Infoblox system must manage excess capacity, bandwidth, or other redundancy to limit the effects of information-flooding types of denial-of-service (DoS) attacks. |
☐ | SV-233923r621666_rule | The Infoblox DNS server must protect the integrity of transmitted information. |
☐ | SV-233924r621666_rule | The Infoblox DNS server must implement cryptographic mechanisms to detect changes to information during transmission unless otherwise protected by alternative physical safeguards, such as, at a minimum, a Protected Distribution System (PDS). |
☐ | SV-233925r621666_rule | The Infoblox DNS server implementation must maintain the integrity of information during preparation for transmission. |
☐ | SV-233926r621666_rule | The Infoblox DNS server implementation must maintain the integrity of information during reception. |
☐ | SV-233927r621666_rule | The Infoblox system must notify the ISSO and ISSM in the event of failed security verification tests. |
☐ | SV-233928r621666_rule | The Infoblox DNS server implementation must log the event and notify the system administrator when anomalies in the operation of the signed zone transfers are discovered. |