STIGQter: STIG Summary: Infoblox 7.x DNS Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 22 Jan 2021:

The Infoblox system implementation must enforce approved authorizations for controlling the flow of information between DNS servers and between DNS servers and DNS clients based on DNSSEC policies.

DISA Rule

SV-214171r612370_rule

Vulnerability Number

V-214171

Group Title

SRG-APP-000215-DNS-000003

Rule Version

IDNS-7X-000240

Severity

CAT II

CCI(s)

• CCI-001663 - The information system, when operating as part of a distributed, hierarchical namespace, provides the means to enable verification of a chain of trust among parent and child domains (if the child supports secure resolution services).

Weight

10

Fix Recommendation

Zone transfers can be restricted at the Grid, Member, and Zone level. Configuration is inherited and can be overridden if necessary to construct the appropriate access control.

Grid level configuration: Navigate to Data Management >> DNS >> Zones tab.
Click "Grid DNS Properties", and toggle Advanced Mode.

Member level configuration: Navigate to Data Management >> DNS >> Members/Servers tab.
Click "Edit" to review each member with the DNS service status of "Running".

Zone level Configuration: Navigate to Data Management >> DNS >> Zones tab.
Select the "Zone Transfers" tab.
Click "Override" to set permissions for "Allow zone transfers to".

Configure IPv4, IPv6 networks, addresses, TSIG keys to restrict zone transfers.

Check Contents

Note: For Infoblox DNS systems on a Classified network, this requirement is Not Applicable.

Review the Infoblox DNS configuration to verify only approved communications are allowed. Usage of Access Control Lists to control clients, DNS zone transfer configuration to systems external to the Infoblox grid, and grid member configuration can be used to control communications as desired.

Infoblox systems within the same Grid utilize internal database transfer and do not perform zone transfers.

If all systems are within the same Infoblox Grid, this is not a finding.

Vulnerability Number

V-214171

Documentable

False

Rule Version

IDNS-7X-000240

Severity Override Guidance

Note: For Infoblox DNS systems on a Classified network, this requirement is Not Applicable.

Review the Infoblox DNS configuration to verify only approved communications are allowed. Usage of Access Control Lists to control clients, DNS zone transfer configuration to systems external to the Infoblox grid, and grid member configuration can be used to control communications as desired.

Infoblox systems within the same Grid utilize internal database transfer and do not perform zone transfers.

If all systems are within the same Infoblox Grid, this is not a finding.

Check Content Reference

M

Target Key

3995

Comments