
Infoblox 8.x DNS Security Technical Implementation Guide


Overview

Date: 2021-01-11
Finding Count: 74 (CAT I (High): 7, CAT II (Med): 67, CAT III (Low): 0)
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Findings (MAC I - Mission Critical Classified)

Finding ID Severity Title
V-233867 High The digital signature algorithm used for DNSSEC-enabled zones must be FIPS compatible.
V-233903 High The Infoblox Grid Master must be configured as a stealth (hidden) domain name server in order to protect the Key Signing Key (KSK) residing on it.
V-233906 High The Infoblox DNS server must implement NIST FIPS-validated cryptography for provisioning digital signatures, generating cryptographic hashes, and protecting unclassified information requiring confidentiality.
V-233904 High The Infoblox Grid Master must be configured as a stealth (hidden) domain name server in order to protect the Zone Signing Key (ZSK) residing on it.
V-233883 High Infoblox systems must enforce current DoD password restrictions.
V-233882 High A secure out-of-band (OOB) network must be used for management of Infoblox Grid Members.
V-233879 High The private keys corresponding to both the Zone Signing Key (ZSK) and the Key Signing Key (KSK) must not be kept on the DNSSEC-aware primary authoritative name server when the name server does not support dynamic updates.
V-233919 Medium Infoblox DNS servers must protect the authenticity of communications sessions for queries.
V-233918 Medium Infoblox DNS servers must protect the authenticity of communications sessions for dynamic updates.
V-233915 Medium The Infoblox DNS server must perform data integrity verification on the name/address resolution responses the system receives from authoritative sources.
V-233914 Medium The Infoblox DNS server must request data integrity verification on the name/address resolution responses the system receives from authoritative sources.
V-233917 Medium Infoblox DNS servers must protect the authenticity of communications sessions for zone transfers when communicating with external DNS servers.
V-233916 Medium The Infoblox DNS server must perform data origin verification authentication on the name/address resolution responses the system receives from authoritative sources.
V-233911 Medium The Infoblox DNS server implementation must enforce approved authorizations for controlling the flow of information between DNS servers and between DNS servers and DNS clients based on DNSSEC policies.
V-233910 Medium The validity period for the Resource Record Signatures (RRSIGs) covering the Delegation Signer (DS) RR for a zone's delegated children must be no less than two days and no more than one week.
V-233913 Medium The Infoblox DNS server must request data origin authentication verification on the name/address resolution responses the system receives from authoritative sources.
V-233912 Medium The Infoblox DNS server must enable verification of a chain of trust among parent and child domains (if the child supports secure resolution services).
V-233898 Medium The Infoblox system must require devices to reauthenticate for each zone transfer and dynamic update request connection attempt.
V-233899 Medium When using non-Grid DNS servers for zone transfers, each name server must use TSIG to uniquely identify the other server.
V-233890 Medium The Infoblox system must provide the means for authorized individuals to determine the identity of the source of the DNS server-provided information.
V-233891 Medium The Infoblox system must validate the binding of the other DNS servers' identity to the DNS information for a server-to-server transaction (e.g., zone transfer).
V-233892 Medium The Infoblox system must send a notification in the event of an error when validating the binding of another DNS server’s identity to the DNS information.
V-233893 Medium The Infoblox DNS server must provide data origin artifacts for internal name/address resolution queries.
V-233894 Medium The Infoblox DNS server must provide data integrity protection artifacts for internal name/address resolution queries.
V-233895 Medium The Infoblox system must notify the system administrator when a component failure is detected.
V-233896 Medium The Infoblox DNS server implementation must follow procedures to re-role a secondary name server as the master name server should the master name server permanently lose functionality.
V-233897 Medium The Infoblox system must prohibit or restrict unapproved services, ports, and protocols.
V-233887 Medium The Infoblox system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
V-233865 Medium All authoritative name servers for a zone must have the same version of zone information.
V-233864 Medium All authoritative name servers for a zone must be located on different network segments.
V-233866 Medium An authoritative name server must be configured to enable DNSSEC resource records.
V-233861 Medium The validity period for the Resource Record Signatures (RRSIGs) covering a zone's DNSKEY RRSet must be no less than two days and no more than one week.
V-233860 Medium Recursion must be disabled on Infoblox DNS servers that are configured as authoritative name servers.
V-233863 Medium The Infoblox DNS server must be configured so that each name server (NS) record in a zone file points to an active name server authoritative for the domain specified in that record.
V-233862 Medium NSEC3 must be used for all DNSSEC signed zones.
V-233876 Medium The IP address for hidden master authoritative name servers must not appear in the name servers set in the zone database.
V-233871 Medium Primary authoritative name servers must be configured to only receive zone transfer requests from specified secondary name servers.
V-233869 Medium In a split DNS configuration, where separate name servers are used between the external and internal networks, the external name server must be configured to not be reachable from inside resolvers.
V-233868 Medium For zones split between the external and internal sides of a network, the resource records (RRs) for the external hosts must be separate from the RRs for the internal hosts.
V-233859 Medium All authoritative name servers for a zone must be geographically dispersed.
V-233908 Medium The Infoblox DNS Server must provide additional integrity artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries.
V-233909 Medium The Infoblox DNS server implementation must provide the means to indicate the security status of child zones.
V-233902 Medium Infoblox systems that communicate with non-Grid name servers must use a unique Transaction Signature (TSIG).
V-233900 Medium The Infoblox DNS server must authenticate to any external (non-Grid) DNS servers before responding to a server-to-server transaction.
V-233901 Medium The Infoblox DNS server must authenticate another DNS server before establishing a remote and/or network connection using bidirectional authentication that is cryptographically based.
V-233907 Medium The Infoblox system must provide additional data origin artifacts along with the authoritative data the system returns in response to external name/address resolution queries.
V-233905 Medium The Infoblox system must employ strong authenticators in the establishment of non-local maintenance and diagnostic sessions.
V-233924 Medium The Infoblox DNS server must implement cryptographic mechanisms to detect changes to information during transmission unless otherwise protected by alternative physical safeguards, such as, at a minimum, a Protected Distribution System (PDS).
V-233925 Medium The Infoblox DNS server implementation must maintain the integrity of information during preparation for transmission.
V-233889 Medium An Infoblox DNS server must strongly bind the identity of the DNS server with the DNS information using DNSSEC.
V-233888 Medium The Infoblox system must present only approved TLS and SSL cipher suites.
V-233920 Medium In the event of a system failure, the Infoblox system must preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to mission processes.
V-233921 Medium The Infoblox system must restrict the ability of individuals to use the DNS server to launch denial-of-service (DoS) attacks against other information systems.
V-233922 Medium The Infoblox system must manage excess capacity, bandwidth, or other redundancy to limit the effects of information-flooding types of denial-of-service (DoS) attacks.
V-233923 Medium The Infoblox DNS server must protect the integrity of transmitted information.
V-233881 Medium The Infoblox system must use the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
V-233880 Medium CNAME records must not point to a zone with lesser security for more than six months.
V-233928 Medium The Infoblox DNS server implementation must log the event and notify the system administrator when anomalies in the operation of the signed zone transfers are discovered.
V-233886 Medium The Infoblox system must display the appropriate security classification information.
V-233885 Medium The Infoblox system must display the approved DoD notice and consent banner.
V-233884 Medium Infoblox Grid configuration must be backed up on a regular basis.
V-233857 Medium The Infoblox DNS server must not reveal sensitive information to an attacker. This includes HINFO, RP, and LOC resource records and sensitive TXT record data.
V-233856 Medium The Infoblox system must limit the number of concurrent client connections to the number of allowed dynamic update clients.
V-233926 Medium The Infoblox DNS server implementation must maintain the integrity of information during reception.
V-233872 Medium The Infoblox system must use a security policy that limits the propagation of access rights.
V-233873 Medium The DNS implementation must implement internal/external role separation.
V-233870 Medium In a split DNS configuration, where separate name servers are used between the external and internal networks, the internal name server must be configured to not be reachable from outside resolvers.
V-233927 Medium The Infoblox system must notify the ISSO and ISSM in the event of failed security verification tests.
V-233858 Medium The Infoblox system audit records must be backed up at least every seven days onto a different system or system component than the system or component being audited.
V-233877 Medium The Infoblox system must be configured to respond to DNS traffic only.
V-233874 Medium The Infoblox DNS server must use current and valid root name servers.
V-233875 Medium The Infoblox NIOS version must be at the appropriate version.
V-233855 Medium Infoblox systems that perform zone transfers to non-Grid DNS servers must limit the number of concurrent sessions for zone transfers.
V-233878 Medium The Infoblox DNS server must send outgoing DNS messages from a random port.
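Several of the findings above (V-233857, V-233861, V-233862, V-233867, V-233876, V-233910) can be checked directly against the contents of a signed zone rather than against the NIOS GUI. The script below is an added example, not part of the STIG or of any Infoblox tooling: it parses a zone in standard presentation format and reports which of those findings the zone data trips. The mapping of each check to a finding ID is this example's own reading of the finding titles, the FIPS-compatible algorithm allowlist is an assumption (RSA/SHA-256, RSA/SHA-512, ECDSA P-256 and P-384, with MD5, DSA and SHA-1 variants treated as non-compliant), and the sample zone and hidden-master address are constructed for the demonstration.

```python
"""Audit a DNSSEC-signed zone (presentation format) against several Infoblox DNS
STIG findings. Added example; the finding-ID mapping and FIPS allowlist are this
script's own assumptions, not text from the STIG."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumption: DNSSEC algorithm numbers whose signature scheme and hash are
# FIPS 186-4 / FIPS 180-4 approved. RSAMD5 (1), DSA (3, 6) and the SHA-1
# variants (5, 7) are treated as non-compliant for V-233867.
FIPS_COMPATIBLE_ALGS = {8: "RSASHA256", 10: "RSASHA512",
                        13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384"}
SENSITIVE_TYPES = {"HINFO", "RP", "LOC"}                 # V-233857
MIN_VALIDITY, MAX_VALIDITY = timedelta(days=2), timedelta(days=7)  # V-233861 / V-233910


@dataclass
class RR:
    owner: str
    ttl: int
    rtype: str
    rdata: list


@dataclass
class Finding:
    vid: str
    owner: str
    detail: str


def parse_zone(text):
    """Minimal parser: one fully-qualified RR per line, 'owner TTL IN TYPE rdata...'.
    ';' starts a comment; blank lines and $ directives are skipped."""
    rrs = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("$"):
            continue
        tok = line.split()
        if len(tok) < 4 or tok[2].upper() != "IN":
            raise ValueError(f"unsupported record line: {raw!r}")
        rrs.append(RR(tok[0].lower(), int(tok[1]), tok[3].upper(), tok[4:]))
    return rrs


def _sigtime(s):
    """RRSIG expiration/inception field, YYYYMMDDHHMMSS in UTC."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def audit_zone(text, hidden_master_ips):
    rrs = parse_zone(text)
    apex = next((r.owner for r in rrs if r.rtype == "SOA"), None)
    if apex is None:
        raise ValueError("zone has no SOA record")
    findings = []

    # RRSIG validity window over the apex DNSKEY RRset (V-233861) and over
    # DS RRsets of delegated children (V-233910); signature algorithm (V-233867).
    for r in (r for r in rrs if r.rtype == "RRSIG"):
        covered, alg = r.rdata[0].upper(), int(r.rdata[1])
        validity = _sigtime(r.rdata[4]) - _sigtime(r.rdata[5])   # expiration - inception
        vid = {"DNSKEY": "V-233861", "DS": "V-233910"}.get(covered)
        if vid and not (MIN_VALIDITY <= validity <= MAX_VALIDITY):
            findings.append(Finding(vid, r.owner, f"RRSIG over {covered} valid for {validity.days} days"))
        if alg not in FIPS_COMPATIBLE_ALGS:
            findings.append(Finding("V-233867", r.owner, f"RRSIG over {covered} uses algorithm {alg}"))

    # DNSKEY algorithms (V-233867); flag bit 0 (SEP) distinguishes KSK from ZSK
    for r in (r for r in rrs if r.rtype == "DNSKEY"):
        flags, alg = int(r.rdata[0]), int(r.rdata[2])
        role = "KSK" if flags & 1 else "ZSK"
        if alg not in FIPS_COMPATIBLE_ALGS:
            findings.append(Finding("V-233867", r.owner, f"{role} uses DNSKEY algorithm {alg}"))

    # A signed zone without NSEC3PARAM at the apex is using NSEC (V-233862)
    if any(r.rtype == "RRSIG" for r in rrs) and not any(
            r.rtype == "NSEC3PARAM" and r.owner == apex for r in rrs):
        findings.append(Finding("V-233862", apex, "signed zone has no NSEC3PARAM record"))

    # Hidden master address reachable through a published apex NS (V-233876)
    ns_targets = {r.rdata[0].lower() for r in rrs if r.rtype == "NS" and r.owner == apex}
    for r in rrs:
        if r.rtype in ("A", "AAAA") and r.owner in ns_targets and r.rdata[0] in hidden_master_ips:
            findings.append(Finding("V-233876", r.owner, f"published NS resolves to hidden master {r.rdata[0]}"))

    # Record types that reveal host, contact or location data (V-233857)
    for r in (r for r in rrs if r.rtype in SENSITIVE_TYPES):
        findings.append(Finding("V-233857", r.owner, f"{r.rtype} record exposes {' '.join(r.rdata)}"))
    return findings


# Constructed sample zone (not a real deployment); key and signature data abbreviated.
SAMPLE_ZONE = """
example.mil. 3600 IN SOA ns1.example.mil. hostmaster.example.mil. 2021011101 7200 3600 1209600 3600
example.mil. 3600 IN NS ns1.example.mil.
example.mil. 3600 IN NS ns2.example.mil.
example.mil. 3600 IN DNSKEY 257 3 8 AwEAAc==            ; KSK, RSASHA256
example.mil. 3600 IN DNSKEY 256 3 5 AwEAAd==            ; ZSK, RSASHA1 -> V-233867
example.mil. 3600 IN RRSIG DNSKEY 8 2 3600 20210125000000 20210111000000 12345 example.mil. c2ln==   ; 14 days -> V-233861
example.mil. 3600 IN RRSIG NS 8 2 3600 20210115000000 20210111000000 23456 example.mil. c2ln==
ns1.example.mil. 3600 IN A 10.0.0.53                    ; hidden master address -> V-233876
ns2.example.mil. 3600 IN A 10.0.1.53
child.example.mil. 3600 IN NS ns1.child.example.mil.
child.example.mil. 3600 IN DS 54321 8 2 ABCDEF
child.example.mil. 3600 IN RRSIG DS 8 3 3600 20210114000000 20210111000000 23456 example.mil. c2ln==  ; 3 days, compliant
www.example.mil. 3600 IN HINFO "Intel" "Linux"          ; -> V-233857
"""

if __name__ == "__main__":
    for f in audit_zone(SAMPLE_ZONE, {"10.0.0.53"}):
        print(f"{f.vid} {f.owner}: {f.detail}")
```

Run against a zone exported from the Grid Master (or a `dig AXFR` capture saved in this one-record-per-line form) with the hidden master's addresses supplied as the second argument; the absence of an NSEC3PARAM record is reported only when the zone is actually signed, so an unsigned zone exercises none of the DNSSEC checks.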