STIGQter: STIG Summary: Infoblox 7.x DNS Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 22 Jan 2021:

In a split DNS configuration, where separate name servers are used between the external and internal networks, the external name server must be configured to not be reachable from inside resolvers.

DISA Rule

SV-214209r612370_rule

Vulnerability Number

V-214209

Group Title

SRG-APP-000516-DNS-000092

Rule Version

IDNS-7X-000800

Severity

CAT II

CCI(s)

• CCI-000366 - The organization implements the security configuration settings.

Weight

10

Fix Recommendation

Navigate to Data Management >> DNS >> Members/Servers tab.

Select each grid member and click "Edit".
Enable and configure either an Access Control List (ACL) or Set of Access Control Entries (ACE).
When complete, click "Save & Close" to save the changes and exit the "Properties" screen.

Perform a service restart if necessary.

Check Contents

Validation of this configuration item requires review of the network architecture and security configuration in addition to DNS server configuration to validate external name servers are not accessible from the internal network when a split DNS configuration is implemented.

Navigate to Data Management >> DNS >> Members/Servers tab.

Review both the network configuration, and access control of each Infoblox member which has the DNS service running.

Select each grid member and click "Edit".

Review the "Queries" tab to ensure both queries and recursion options are enabled and allowed only from the respective client networks.

If a split DNS configuration is not utilized, this is not a finding.

If there is no access control configured or access control does not restrict queries and recursion to the respective client network, this is a finding.

Vulnerability Number

V-214209

Documentable

False

Rule Version

IDNS-7X-000800

Severity Override Guidance

Validation of this configuration item requires review of the network architecture and security configuration in addition to DNS server configuration to validate external name servers are not accessible from the internal network when a split DNS configuration is implemented.

Navigate to Data Management >> DNS >> Members/Servers tab.

Review both the network configuration, and access control of each Infoblox member which has the DNS service running.

Select each grid member and click "Edit".

Review the "Queries" tab to ensure both queries and recursion options are enabled and allowed only from the respective client networks.

If a split DNS configuration is not utilized, this is not a finding.

If there is no access control configured or access control does not restrict queries and recursion to the respective client network, this is a finding.

Check Content Reference

M

Target Key

3995

Comments