STIGQter: STIG Summary: Infoblox 8.x DNS Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 09 Jan 2021:

The Infoblox DNS server must be configured so that each name server (NS) record in a zone file points to an active name server authoritative for the domain specified in that record.

DISA Rule

SV-233863r621666_rule

Vulnerability Number

V-233863

Group Title

SRG-APP-000516-DNS-000085

Rule Version

IDNS-8X-400005

Severity

CAT II

CCI(s)

• CCI-000366 - The organization implements the security configuration settings.

Weight

10

Fix Recommendation

1. Navigate to Data Management >> DNS >> Zones.
2. Select and edit the zones containing incorrect NS record configurations.
3. Select the "Name Servers" tab.
4. If the option "Use this Name Server Group" is active, note the group name used. Click "Cancel" and select the "Name Server Groups" tab to edit the name server group.
5. Remove or update any incorrect NS records or name server configuration.
6. If the option "Use this set of name servers" is active, remove or update any incorrect NS records or name server configuration.
7. When complete, click "Save & Close" to save the changes and exit the "Properties" screen.
8. Perform a service restart if necessary.

Check Contents

Verify that NS resource records in all active zones point to an operational name server.

1. Navigate to Data Management >> DNS >> Zones
2. Select the zone to review.
3. Select the "Name Servers" tab.
4. If the option "Use this Name Server Group" is active, note the group name used. Click "Cancel" and select the "Name Server Groups" tab to review the name server group.
5. Examine each NS record and name server configuration.
6. Verify that the IP address for each NS record points to an operational name server.
7. Click "Cancel" to exit the "Properties" screen.

If a name server resource record points to an IP that is not an operational name server, this is a finding.

Vulnerability Number

V-233863

Documentable

False

Rule Version

IDNS-8X-400005

Severity Override Guidance

Verify that NS resource records in all active zones point to an operational name server.

1. Navigate to Data Management >> DNS >> Zones
2. Select the zone to review.
3. Select the "Name Servers" tab.
4. If the option "Use this Name Server Group" is active, note the group name used. Click "Cancel" and select the "Name Server Groups" tab to review the name server group.
5. Examine each NS record and name server configuration.
6. Verify that the IP address for each NS record points to an operational name server.
7. Click "Cancel" to exit the "Properties" screen.

If a name server resource record points to an IP that is not an operational name server, this is a finding.

Check Content Reference

M

Target Key

5251

Comments