| Checked | Name | Title |
|---|
| ☐ | SV-214159r612370_rule | Infoblox systems which perform zone transfers to non-Infoblox Grid DNS servers must be configured to limit the number of concurrent sessions for zone transfers. |
| ☐ | SV-214160r612370_rule | Primary authoritative name servers must be configured to only receive zone transfer requests from specified secondary name servers. |
| ☐ | SV-214161r612370_rule | The Infoblox system must limit the number of concurrent client connections to the number of allowed dynamic update clients. |
| ☐ | SV-214162r612370_rule | The Infoblox system audit records must be backed up at least every seven days onto a different system or system component than the system or component being audited. |
| ☐ | SV-214163r612370_rule | Infoblox systems configured to run the DNS service must be configured to prohibit or restrict unapproved ports and protocols. |
| ☐ | SV-214164r612370_rule | Infoblox systems which are configured to perform zone transfers to non-Grid name servers must utilize transaction signatures (TSIG). |
| ☐ | SV-214165r612370_rule | Only the private key corresponding to the ZSK alone must be kept on the name server that does support dynamic updates. |
| ☐ | SV-214166r612370_rule | Signature generation using the KSK must be done off-line, using the KSK-private stored off-line. |
| ☐ | SV-214167r612370_rule | The Infoblox system must be configured to employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions. |
| ☐ | SV-214168r612370_rule | The Infoblox system must be configured to provide additional data origin artifacts along with the authoritative data the system returns in response to external name/address resolution queries. |
| ☐ | SV-214169r612370_rule | A DNS server implementation must provide the means to indicate the security status of child zones. |
| ☐ | SV-214170r612370_rule | The Key Signing Key (KSK) rollover interval must be configured to no less than one year. |
| ☐ | SV-214171r612370_rule | The Infoblox system implementation must enforce approved authorizations for controlling the flow of information between DNS servers and between DNS servers and DNS clients based on DNSSEC policies. |
| ☐ | SV-214172r612370_rule | A DNS server implementation must provide the means to enable verification of a chain of trust among parent and child domains (if the child supports secure resolution services). |
| ☐ | SV-214174r612370_rule | Infoblox DNS servers must protect the authenticity of communications sessions for zone transfers. |
| ☐ | SV-214175r612370_rule | Infoblox DNS servers must be configured to protect the authenticity of communications sessions for dynamic updates. |
| ☐ | SV-214176r612370_rule | Infoblox DNS servers must be configured to protect the authenticity of communications sessions for queries. |
| ☐ | SV-214177r612370_rule | In the event of a system failure, The Infoblox system must preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to mission processes. |
| ☐ | SV-214178r612370_rule | The Infoblox system must be configured to restrict the ability of individuals to use the DNS server to launch Denial of Service (DoS) attacks against other information systems. |
| ☐ | SV-214179r612370_rule | The Infoblox system must be configured to manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of Denial of Service (DoS) attacks. |
| ☐ | SV-214180r612370_rule | The Infoblox system must be configured to activate a notification to the system administrator when a component failure is detected. |
| ☐ | SV-214181r612370_rule | An Infoblox DNS server must strongly bind the identity of the DNS server with the DNS information using DNSSEC. |
| ☐ | SV-214182r612370_rule | The Infoblox system must be configured to provide the means for authorized individuals to determine the identity of the source of the DNS server-provided information. |
| ☐ | SV-214183r612370_rule | The Infoblox system must be configured to validate the binding of the other DNS servers identity to the DNS information for a server-to-server transaction (e.g., zone transfer). |
| ☐ | SV-214185r612370_rule | Recursion must be disabled on Infoblox DNS servers which are configured as authoritative name servers. |
| ☐ | SV-214186r612370_rule | The Infoblox system must authenticate the other DNS server before responding to a server-to-server transaction. |
| ☐ | SV-214187r612370_rule | The DNS server implementation must authenticate another DNS server before establishing a remote and/or network connection using bidirectional authentication that is cryptographically based. |
| ☐ | SV-214188r612370_rule | A DNS server implementation must provide data origin artifacts for internal name/address resolution queries. |
| ☐ | SV-214189r612370_rule | A DNS server implementation must provide data integrity protection artifacts for internal name/address resolution queries. |
| ☐ | SV-214190r612370_rule | A DNS server implementation must provide additional integrity artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries. |
| ☐ | SV-214191r612370_rule | A DNS server implementation must request data origin authentication verification on the name/address resolution responses the system receives from authoritative sources. |
| ☐ | SV-214192r612370_rule | A DNS server implementation must request data integrity verification on the name/address resolution responses the system receives from authoritative sources. |
| ☐ | SV-214193r612370_rule | A DNS server implementation must perform data integrity verification on the name/address resolution responses the system receives from authoritative sources. |
| ☐ | SV-214194r612370_rule | A DNS server implementation must perform data origin verification authentication on the name/address resolution responses the system receives from authoritative sources. |
| ☐ | SV-214195r612370_rule | The Infoblox system must be configured to must protect the integrity of transmitted information. |
| ☐ | SV-214196r612370_rule | The Infoblox system must implement cryptographic mechanisms to detect changes to information during transmission unless otherwise protected by alternative physical safeguards, such as, at a minimum, a Protected Distribution System (PDS). |
| ☐ | SV-214197r612370_rule | The DNS server implementation must maintain the integrity of information during preparation for transmission. |
| ☐ | SV-214198r612370_rule | The DNS server implementation must maintain the integrity of information during reception. |
| ☐ | SV-214199r612370_rule | The DNS server implementation must follow procedures to re-role a secondary name server as the master name server should the master name server permanently lose functionality. |
| ☐ | SV-214200r612370_rule | The DNS server implementation must log the event and notify the system administrator when anomalies in the operation of the signed zone transfers are discovered. |
| ☐ | SV-214201r612370_rule | The DNS server must implement NIST FIPS-validated cryptography for provisioning digital signatures, generating cryptographic hashes, and protecting unclassified information requiring confidentiality. |
| ☐ | SV-214202r612370_rule | The Zone Signing Key (ZSK) rollover interval must be configured to less than two months. |
| ☐ | SV-214203r612370_rule | NSEC3 must be used for all internal DNS zones. |
| ☐ | SV-214204r612370_rule | The Infoblox system must ensure each NS record in a zone file points to an active name server authoritative for the domain specified in that record. |
| ☐ | SV-214205r612370_rule | All authoritative name servers for a zone must be located on different network segments. |
| ☐ | SV-214206r612370_rule | An authoritative name server must be configured to enable DNSSEC Resource Records. |
| ☐ | SV-214207r612370_rule | Digital signature algorithm used for DNSSEC-enabled zones must be FIPS-compatible. |
| ☐ | SV-214208r612370_rule | For zones split between the external and internal sides of a network, the RRs for the external hosts must be separate from the RRs for the internal hosts. |
| ☐ | SV-214209r612370_rule | In a split DNS configuration, where separate name servers are used between the external and internal networks, the external name server must be configured to not be reachable from inside resolvers. |
| ☐ | SV-214210r612370_rule | In a split DNS configuration, where separate name servers are used between the external and internal networks, the internal name server must be configured to not be reachable from outside resolvers. |
| ☐ | SV-214211r612370_rule | The DNS implementation must enforce a Discretionary Access Control (DAC) policy that limits propagation of access rights. |
| ☐ | SV-214212r612370_rule | The DNS implementation must implement internal/external role separation. |
| ☐ | SV-214213r612370_rule | The Infoblox system must utilize valid root name servers in the local root zone file. |
| ☐ | SV-214214r612370_rule | The Infoblox NIOS version must be at the appropriate version. |
| ☐ | SV-214215r612370_rule | The IP address for hidden master authoritative name servers must not appear in the name servers set in the zone database. |
| ☐ | SV-214216r612370_rule | The platform on which the name server software is hosted must be configured to respond to DNS traffic only. |
| ☐ | SV-214217r612370_rule | The platform on which the name server software is hosted must be configured to send outgoing DNS messages from a random port. |
| ☐ | SV-214218r612370_rule | The private keys corresponding to both the ZSK and the KSK must not be kept on the DNSSEC-aware primary authoritative name server when the name server does not support dynamic updates. |
| ☐ | SV-214219r612370_rule | CNAME records must not point to a zone with lesser security for more than six months. |
| ☐ | SV-214220r612370_rule | The Infoblox system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. |
| ☐ | SV-214221r612370_rule | The Infoblox system must be configured to display the appropriate security classification information. |
| ☐ | SV-214222r612370_rule | The Infoblox system must be configured with the approved DoD notice and consent banner. |
| ☐ | SV-214223r612370_rule | Infoblox Grid configuration must be backed up on a regular basis. |
| ☐ | SV-214224r612370_rule | Infoblox systems must be configured with current DoD password restrictions. |
| ☐ | SV-214225r612370_rule | The DHCP service must not be enabled on an external authoritative name server. |
| ☐ | SV-214226r612370_rule | A secure Out Of Band (OOB) network must be utilized for management of Infoblox Grid Members. |
| ☐ | SV-219058r612370_rule | All authoritative name servers for a zone must be geographically disbursed. |
STIGQter: STIG Summary: