STIGQter: STIG Summary: Infoblox 8.x DNS Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 09 Jan 2021:

The Infoblox system must manage excess capacity, bandwidth, or other redundancy to limit the effects of information-flooding types of denial-of-service (DoS) attacks.

DISA Rule

SV-233922r621666_rule

Vulnerability Number

V-233922

Group Title

SRG-APP-000247-DNS-000036

Rule Version

IDNS-8X-700017

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Prior to implementation, review the Infoblox CLI Guide and verify all configuration options.

1. Log on to the Infoblox system using the CLI.
2. Use "set ip_rate_limit [OPTIONS]" to reduce the risk of cache poisoning attacks by rate limiting UDP/53 traffic.
3. Use "set dns_rrl [OPTIONS]" to enable DNS response rate limiting.
4. Upon completion, log out of the CLI.

Response rate limiting reduces the risk of DoS attacks by limiting the rate at which authoritative name servers respond to a flood of queries.

Check Contents

Infoblox systems have a number of options that can be configured to reduce their exposure to DoS attacks. Rate limiting can reduce the risk from both cache poisoning attacks and DoS attacks.

1. Log on to the Infoblox system CLI and issue the following commands:
"show ip_rate_limit" and "show dns_rrl"
2. Review the output of these commands against the network architecture.
3. If the system uses the Advanced DNS Protection (ADP) (Threat Protection) feature, IP rate limiting is implemented using the DNS security rule-set available in the web GUI.

If the ADP feature set is implemented, use of the ip_rate_limit and dns_rrl CLI commands is not required, and this check is Not Applicable. Refer to the Infoblox Admin Guide for additional details if needed.

If rate limiting is not configured on the Infoblox system or within the network security architecture protecting the Infoblox system, this is a finding.

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

5251

Comments