STIGQter: STIG Summary: Infoblox 8.x DNS Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 09 Jan 2021:

The Infoblox DNS server implementation must follow procedures to re-role a secondary name server as the master name server should the master name server permanently lose functionality.

DISA Rule

SV-233896r621666_rule

Vulnerability Number

V-233896

Group Title

SRG-APP-000451-DNS-000069

Rule Version

IDNS-8X-400038

Severity

CAT II

CCI(s)

• CCI-000366 - The organization implements the security configuration settings.
• CCI-002775 - The information system implements organization-defined fail-safe procedures when organization-defined failure conditions occur.

Weight

10

Fix Recommendation

1. Refer to the Infoblox NIOS Administrator Guide, Chapters "Deploying a Grid", and "Configuring DNS Zones", section "Assigning Zone Authority to Name Servers", if necessary.
2. Configure a Grid Master Candidate or define a local policy to re-role a secondary name server.

Check Contents

Validation of this configuration item requires review of the network architecture and security configuration in addition to DNS server configuration to validate external name servers are not accessible from the internal network when a split DNS configuration is implemented.

1. Navigate to Data Management >> DNS >> Members tab.
2. Review the network configuration and access control of each Infoblox member that has the DNS service running.
3. Select each grid member and click "Edit".
4. Review the "Queries" tab to verify that both queries and recursion options are enabled and allowed only from the respective client networks.

If a split DNS configuration is not used, this is not a finding.

If there is no access control configured or access control does not restrict queries and recursion to the respective client network, this is a finding.

Vulnerability Number

V-233896

Documentable

False

Rule Version

IDNS-8X-400038

Severity Override Guidance

Validation of this configuration item requires review of the network architecture and security configuration in addition to DNS server configuration to validate external name servers are not accessible from the internal network when a split DNS configuration is implemented.

1. Navigate to Data Management >> DNS >> Members tab.
2. Review the network configuration and access control of each Infoblox member that has the DNS service running.
3. Select each grid member and click "Edit".
4. Review the "Queries" tab to verify that both queries and recursion options are enabled and allowed only from the respective client networks.

If a split DNS configuration is not used, this is not a finding.

If there is no access control configured or access control does not restrict queries and recursion to the respective client network, this is a finding.

Check Content Reference

M

Target Key

5251

Comments