STIGQter: STIG Summary: Infoblox 7.x DNS Security Technical Implementation Guide

Version: 1

Release: 8

Benchmark Date: 25 Oct 2019

Name             Title
SV-83005r1_rule  Infoblox systems which perform zone transfers to non-Infoblox Grid DNS servers must be configured to limit the number of concurrent sessions for zone transfers.
SV-83007r1_rule  Primary authoritative name servers must be configured to only receive zone transfer requests from specified secondary name servers.
SV-83009r2_rule  The Infoblox system must limit the number of concurrent client connections to the number of allowed dynamic update clients.
SV-83011r1_rule  The Infoblox system audit records must be backed up at least every seven days onto a different system or system component than the system or component being audited.
SV-83013r3_rule  Infoblox systems configured to run the DNS service must be configured to prohibit or restrict unapproved ports and protocols.
SV-83015r2_rule  Only the private key corresponding to the ZSK alone must be kept on the name server that does support dynamic updates.
SV-83017r2_rule  Signature generation using the KSK must be done off-line, using the KSK-private stored off-line.
SV-83019r1_rule  The Infoblox system must be configured to employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions.
SV-83021r2_rule  The Infoblox system must be configured to provide additional data origin artifacts along with the authoritative data the system returns in response to external name/address resolution queries.
SV-83023r3_rule  A DNS server implementation must provide the means to indicate the security status of child zones.
SV-83025r3_rule  The Key Signing Key (KSK) rollover interval must be configured to no less than one year.
SV-83027r2_rule  The Infoblox system implementation must enforce approved authorizations for controlling the flow of information between DNS servers and between DNS servers and DNS clients based on DNSSEC policies.
SV-83029r3_rule  A DNS server implementation must provide the means to enable verification of a chain of trust among parent and child domains (if the child supports secure resolution services).
SV-83033r1_rule  All authoritative name servers for a zone must be geographically dispersed.
SV-83035r1_rule  Infoblox DNS servers must protect the authenticity of communications sessions for zone transfers.
SV-83037r3_rule  Infoblox DNS servers must be configured to protect the authenticity of communications sessions for dynamic updates.
SV-83039r1_rule  In the event of a system failure, the Infoblox system must preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to mission processes.
SV-83041r1_rule  The Infoblox system must be configured to restrict the ability of individuals to use the DNS server to launch Denial of Service (DoS) attacks against other information systems.
SV-83043r1_rule  The Infoblox system must be configured to manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of Denial of Service (DoS) attacks.
SV-83045r1_rule  The Infoblox system must be configured to activate a notification to the system administrator when a component failure is detected.
SV-83047r3_rule  An Infoblox DNS server must strongly bind the identity of the DNS server with the DNS information using DNSSEC.
SV-83049r3_rule  The Infoblox system must be configured to provide the means for authorized individuals to determine the identity of the source of the DNS server-provided information.
SV-83051r2_rule  The Infoblox system must be configured to validate the binding of the other DNS server's identity to the DNS information for a server-to-server transaction (e.g., zone transfer).
SV-83053r1_rule  The Infoblox system must be configured to allow DNS administrators to change the auditing to be performed on all DNS server components, based on all selectable event criteria.
SV-83055r1_rule  Recursion must be disabled on Infoblox DNS servers which are configured as authoritative name servers.
SV-83057r1_rule  The Infoblox system must authenticate the other DNS server before responding to a server-to-server transaction.
SV-83059r1_rule  The DNS server implementation must authenticate another DNS server before establishing a remote and/or network connection using bidirectional authentication that is cryptographically based.
SV-83061r3_rule  A DNS server implementation must provide data origin artifacts for internal name/address resolution queries.
SV-83063r3_rule  A DNS server implementation must provide data integrity protection artifacts for internal name/address resolution queries.
SV-83065r3_rule  A DNS server implementation must provide additional integrity artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries.
SV-83067r3_rule  A DNS server implementation must request data origin authentication verification on the name/address resolution responses the system receives from authoritative sources.
SV-83069r3_rule  A DNS server implementation must request data integrity verification on the name/address resolution responses the system receives from authoritative sources.
SV-83071r3_rule  A DNS server implementation must perform data integrity verification on the name/address resolution responses the system receives from authoritative sources.
SV-83073r3_rule  A DNS server implementation must perform data origin authentication verification on the name/address resolution responses the system receives from authoritative sources.
SV-83075r2_rule  The Infoblox system must be configured to protect the integrity of transmitted information.
SV-83077r2_rule  The Infoblox system must implement cryptographic mechanisms to detect changes to information during transmission unless otherwise protected by alternative physical safeguards, such as, at a minimum, a Protected Distribution System (PDS).
SV-83079r1_rule  The DNS server implementation must maintain the integrity of information during preparation for transmission.
SV-83081r1_rule  The DNS server implementation must maintain the integrity of information during reception.
SV-83083r1_rule  The DNS server implementation must follow procedures to re-role a secondary name server as the master name server should the master name server permanently lose functionality.
SV-83085r1_rule  The DNS server implementation must log the event and notify the system administrator when anomalies in the operation of the signed zone transfers are discovered.
SV-83087r2_rule  The DNS server must implement NIST FIPS-validated cryptography for provisioning digital signatures, generating cryptographic hashes, and protecting unclassified information requiring confidentiality.
SV-83089r3_rule  The Zone Signing Key (ZSK) rollover interval must be configured to no less than two months.
SV-83091r2_rule  NSEC3 must be used for all internal DNS zones.
SV-83093r1_rule  The Infoblox system must ensure each NS record in a zone file points to an active name server authoritative for the domain specified in that record.
SV-83095r1_rule  All authoritative name servers for a zone must be located on different network segments.
SV-83097r2_rule  An authoritative name server must be configured to enable DNSSEC Resource Records.
SV-83099r2_rule  The digital signature algorithm used for DNSSEC-enabled zones must be FIPS-compatible.
SV-83101r1_rule  For zones split between the external and internal sides of a network, the RRs for the external hosts must be separate from the RRs for the internal hosts.
SV-83103r2_rule  In a split DNS configuration, where separate name servers are used between the external and internal networks, the external name server must be configured to not be reachable from inside resolvers.
SV-83105r2_rule  In a split DNS configuration, where separate name servers are used between the external and internal networks, the internal name server must be configured to not be reachable from outside resolvers.
SV-83107r1_rule  The DNS implementation must enforce a Discretionary Access Control (DAC) policy that limits propagation of access rights.
SV-83109r2_rule  A secure Out Of Band (OOB) network must be utilized for management of Infoblox Grid Members.
SV-83111r1_rule  The DHCP service must not be enabled on an external authoritative name server.
SV-83113r1_rule  Infoblox systems must be configured with current DoD password restrictions.
SV-83115r1_rule  Infoblox Grid configuration must be backed up on a regular basis.
SV-83117r1_rule  The Infoblox system must be configured with the approved DoD notice and consent banner.
SV-83119r1_rule  The Infoblox system must be configured to display the appropriate security classification information.
SV-83121r1_rule  The Infoblox system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
SV-83123r2_rule  CNAME records must not point to a zone with lesser security for more than six months.
SV-83125r2_rule  The private keys corresponding to both the ZSK and the KSK must not be kept on the DNSSEC-aware primary authoritative name server when the name server does not support dynamic updates.
SV-83127r1_rule  The platform on which the name server software is hosted must be configured to send outgoing DNS messages from a random port.
SV-83129r1_rule  The platform on which the name server software is hosted must be configured to respond to DNS traffic only.
SV-83131r1_rule  The IP address for hidden master authoritative name servers must not appear in the name servers set in the zone database.
SV-83133r1_rule  The Infoblox NIOS version must be at the appropriate version.
SV-83135r1_rule  The Infoblox system must utilize valid root name servers in the local root zone file.
SV-83137r1_rule  The DNS implementation must implement internal/external role separation.
SV-83189r1_rule  Infoblox systems which are configured to perform zone transfers to non-Grid name servers must utilize transaction signatures (TSIG).
SV-83191r3_rule  Infoblox DNS servers must be configured to protect the authenticity of communications sessions for queries.