STIGQter: STIG Summary: Infoblox 8.x DNS Security Technical Implementation Guide
Version: 1 Release: 1 Benchmark Date: 09 Jan 2021

The Infoblox system must prohibit or restrict unapproved services, ports, and protocols.

DISA Rule

SV-233897r621666_rule

Vulnerability Number

V-233897

Group Title

SRG-APP-000142-DNS-000014

Rule Version

IDNS-8X-400039

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

1. Navigate to Grid >> Grid Manager >> Grid Properties, or System >> System Manager >> System Properties if using a stand-alone configuration.
2. Select the "Services" tab.
3. Select each available service at the top of the panel and review the service status.
4. Click on the member and disable unnecessary services.

Check Contents

Note: For Infoblox DNS systems on a classified network, this requirement is Not Applicable.

By default, all services other than those required for management are disabled. Validate that no additional services have been enabled for DNS members.

1. Navigate to Grid >> Grid Manager >> Grid Properties, or System >> System Manager >> System Properties if using a stand-alone configuration.
2. Select the "Services" tab and review each service and member status at the top of the panel.

Depending on purchased options, Infoblox DNS members may be running DNS and optionally running services supporting DNS and security operations such as DNS Traffic Control, Threat Protection, Threat Analytics, and TAXII services.

Use of these additional Infoblox services is not a finding.

If any unnecessary services such as file distribution services are enabled on the DNS members, this is a finding.

Note: Once DNSSEC is enabled, the DNS service will be required to be running on the Grid Master, and it will be placed into stealth mode.

Documentable

False

Check Content Reference

M

Target Key

5251
