STIGQter: STIG Summary: Infoblox 8.x DNS Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 09 Jan 2021:

The Infoblox DNS server must authenticate another DNS server before establishing a remote and/or network connection using bidirectional authentication that is cryptographically based.

DISA Rule

SV-233901r621666_rule

Vulnerability Number

V-233901

Group Title

SRG-APP-000395-DNS-000050

Rule Version

IDNS-8X-500004

Severity

CAT II

CCI(s)

• CCI-001967 - The information system authenticates organization-defined devices and/or types of devices before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based.

Weight

10

Fix Recommendation

It is important to verify that both the Infoblox and other DNS server have the identical TSIG configuration and time synchronization before starting this procedure.

1. Navigate to the Data Management >> DNS >> Zones tab.
2. Select a zone and click "Edit". Click on the "Zone Transfers" tab and click "Override" for the "Allow Zone Transfers to" section.
3. Use the radio button to select "Set of ACEs" and the "Add" drop-down to configure a TSIG key.
4. When complete, click "Save & Close" to save the changes and exit the "Properties" screen.
5. Perform a service restart if necessary. Verify zone transfers are operational after configuration of TSIG.

Check Contents

1. Navigate to Data Management >> DNS >> Zones tab.
2. Review each zone by clicking "Edit" and inspecting the "Name Servers" tab.
3. If all entries in the "Type" column are configured as "Grid", this check is Not Applicable.
4. Verify that each zone containing non-Grid name servers is further verified by inspection of the "Zone Transfers" tab and configuration of TSIG Access Control Entry (ACE).
5. When complete, click "Cancel" to exit the "Properties" screen.

If there is a non-Grid system that uses zone transfers but does not have a TSIG key, this is a finding.

Vulnerability Number

V-233901

Documentable

False

Rule Version

IDNS-8X-500004

Severity Override Guidance

1. Navigate to Data Management >> DNS >> Zones tab.
2. Review each zone by clicking "Edit" and inspecting the "Name Servers" tab.
3. If all entries in the "Type" column are configured as "Grid", this check is Not Applicable.
4. Verify that each zone containing non-Grid name servers is further verified by inspection of the "Zone Transfers" tab and configuration of TSIG Access Control Entry (ACE).
5. When complete, click "Cancel" to exit the "Properties" screen.

If there is a non-Grid system that uses zone transfers but does not have a TSIG key, this is a finding.

Check Content Reference

M

Target Key

5251

Comments