| Vuln ID | | Rule Title | Discussion |
|---|---|---|---|
| V-214201 | | The DNS server must implement NIST FIPS-validated cryptography for provisioning digital signatures, generating cryptographic hashes, and protecting unclassified information requiring confidentiality. | Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The application must implement cryptogr... |
| V-214207 | | Digital signature algorithm used for DNSSEC-enabled zones must be FIPS-compatible. | The choice of digital signature algorithm will be based on recommended algorithms in well-known standards. NIST's Digital Signature Standard (DSS) [FI... |
| V-214224 | | Infoblox systems must be configured with current DoD password restrictions. | The Infoblox systems must be configured to meet current DoD password policy when using the Infoblox Local User Database as the authentication source.... |
| V-214160 | | Primary authoritative name servers must be configured to only receive zone transfer requests from specified secondary name servers. | Authoritative name servers (especially primary name servers) should be configured with an allow-transfer access control substatement designating the l... |
| V-214161 | | The Infoblox system must limit the number of concurrent client connections to the number of allowed dynamic update clients. | Limiting the number of concurrent sessions reduces the risk of Denial of Service (DoS) to the DNS implementation. Name servers do not have direct use... |
| V-214162 | | The Infoblox system audit records must be backed up at least every seven days onto a different system or system component than the system or component being audited. | Protection of log data includes assuring log data is not accidentally lost or deleted. Backing up audit records to a different system or onto separate... |
| V-214163 | | Infoblox systems configured to run the DNS service must be configured to prohibit or restrict unapproved ports and protocols. | In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types... |
| V-214164 | | Infoblox systems which are configured to perform zone transfers to non-Grid name servers must utilize transaction signatures (TSIG). | Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. This applies to server-to-ser... |
| V-214165 | | Only the private key corresponding to the ZSK must be kept on a name server that supports dynamic updates. | Infoblox systems when deployed in a Grid configuration store DNSSEC keys on the designated Grid Master system. As the central point of administration,... |
| V-214166 | | Signature generation using the KSK must be done off-line, using the KSK-private stored off-line. | Infoblox systems when deployed in a Grid configuration store DNSSEC keys on the designated Grid Master system. As the central point of administration,... |
| V-214167 | | The Infoblox system must be configured to employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions. | If maintenance tools are used by unauthorized personnel, they may accidentally or intentionally damage or compromise the system. The act of managing s... |
| V-214168 | | The Infoblox system must be configured to provide additional data origin artifacts along with the authoritative data the system returns in response to external name/address resolution queries. | The underlying feature in the major threat associated with DNS query/response (i.e., forged response or response failure) is the integrity of DNS data... |
| V-214169 | | A DNS server implementation must provide the means to indicate the security status of child zones. | If name server replies are invalid or cannot be validated, many networking functions and communication would be adversely affected. With DNS, the pres... |
| V-214170 | | The Key Signing Key (KSK) rollover interval must be configured to no less than one year. | The DNS root key is a cryptographic public-private key pair used for DNSSEC signing of the DNS root zone records. The root zone KSK serves as the anch... |
| V-214171 | | The Infoblox system implementation must enforce approved authorizations for controlling the flow of information between DNS servers and between DNS servers and DNS clients based on DNSSEC policies. | A mechanism to detect and prevent unauthorized communication flow must be configured or provided as part of the system design. If information flow is ... |
| V-214172 | | A DNS server implementation must provide the means to enable verification of a chain of trust among parent and child domains (if the child supports secure resolution services). | If name server replies are invalid or cannot be validated, many networking functions and communication would be adversely affected. With DNS, the pres... |
| V-214174 | | Infoblox DNS servers must protect the authenticity of communications sessions for zone transfers. | DNS is a fundamental network service that is prone to various attacks, such as cache poisoning and man-in-the-middle attacks. If communication sessi... |
| V-214175 | | Infoblox DNS servers must be configured to protect the authenticity of communications sessions for dynamic updates. | DNS is a fundamental network service that is prone to various attacks, such as cache poisoning and man-in-the-middle attacks. If communication session... |
| V-214176 | | Infoblox DNS servers must be configured to protect the authenticity of communications sessions for queries. | The underlying feature in the major threat associated with DNS query/response (i.e., forged response or response failure) is the integrity of DNS data... |
| V-214177 | | In the event of a system failure, the Infoblox system must preserve any information necessary to determine the cause of failure and any information necessary to return to operations with the least disruption to mission processes. | Failure to a known state can address safety or security in accordance with the mission/business needs of the organization. Failure to a known secure s... |
| V-214178 | | The Infoblox system must be configured to restrict the ability of individuals to use the DNS server to launch Denial of Service (DoS) attacks against other information systems. | A DoS is a condition where a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission o... |
| V-214179 | | The Infoblox system must be configured to manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of Denial of Service (DoS) attacks. | A DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or... |
| V-214180 | | The Infoblox system must be configured to activate a notification to the system administrator when a component failure is detected. | Predictable failure prevention requires organizational planning to address system failure issues. If components key to maintaining systems security fa... |
| V-214181 | | An Infoblox DNS server must strongly bind the identity of the DNS server with the DNS information using DNSSEC. | Weakly bound credentials can be modified without invalidating the credential; therefore, non-repudiation can be violated. This requirement supports a... |
| V-214182 | | The Infoblox system must be configured to provide the means for authorized individuals to determine the identity of the source of the DNS server-provided information. | Without a means for identifying the individual that produced the information, the information cannot be relied upon. Identifying the validity of infor... |
| V-214183 | | The Infoblox system must be configured to validate the binding of the other DNS servers identity to the DNS information for a server-to-server transaction (e.g., zone transfer). | Validation of the binding of the information prevents the modification of information between production and review. The validation of bindings can be... |
| V-214185 | | Recursion must be disabled on Infoblox DNS servers which are configured as authoritative name servers. | A potential vulnerability of DNS is that an attacker can poison a name server's cache by sending queries that will cause the server to obtain host-to-... |
| V-214186 | | The Infoblox system must authenticate the other DNS server before responding to a server-to-server transaction. | Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Device authentication is a... |
| V-214187 | | The DNS server implementation must authenticate another DNS server before establishing a remote and/or network connection using bidirectional authentication that is cryptographically based. | Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Bidirectional authenticati... |
| V-214188 | | A DNS server implementation must provide data origin artifacts for internal name/address resolution queries. | The major threat associated with DNS forged responses or failures is the integrity of the DNS data returned in the response. The principle of DNSSEC i... |
| V-214189 | | A DNS server implementation must provide data integrity protection artifacts for internal name/address resolution queries. | The major threat associated with DNS forged responses or failures is the integrity of the DNS data returned in the response. The principle of DNSSEC i... |
| V-214190 | | A DNS server implementation must provide additional integrity artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries. | The major threat associated with DNS forged responses or failures is the integrity of the DNS data returned in the response. The principle of DNSSEC i... |
| V-214191 | | A DNS server implementation must request data origin authentication verification on the name/address resolution responses the system receives from authoritative sources. | If data origin authentication and data integrity verification are not performed, the resultant response could be forged, it may have come from a poiso... |
| V-214192 | | A DNS server implementation must request data integrity verification on the name/address resolution responses the system receives from authoritative sources. | If data origin authentication and data integrity verification are not performed, the resultant response could be forged, it may have come from a poiso... |
| V-214193 | | A DNS server implementation must perform data integrity verification on the name/address resolution responses the system receives from authoritative sources. | If data origin authentication and data integrity verification are not performed, the resultant response could be forged, it may have come from a poiso... |
| V-214194 | | A DNS server implementation must perform data origin authentication verification on the name/address resolution responses the system receives from authoritative sources. | If data origin authentication and data integrity verification are not performed, the resultant response could be forged, it may have come from a poiso... |
| V-214195 | | The Infoblox system must be configured to protect the integrity of transmitted information. | Without protection of the transmitted information, confidentiality and integrity may be compromised since unprotected communications can be intercepte... |
| V-214196 | | The Infoblox system must implement cryptographic mechanisms to detect changes to information during transmission unless otherwise protected by alternative physical safeguards, such as, at a minimum, a Protected Distribution System (PDS). | Encrypting information for transmission protects information from unauthorized disclosure and modification. Cryptographic mechanisms implemented to pr... |
| V-214197 | | The DNS server implementation must maintain the integrity of information during preparation for transmission. | Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission, including, for example, during agg... |
| V-214198 | | The DNS server implementation must maintain the integrity of information during reception. | Information can be either unintentionally or maliciously disclosed or modified during reception, including, for example, during aggregation, at protoc... |
| V-214199 | | The DNS server implementation must follow procedures to re-role a secondary name server as the master name server should the master name server permanently lose functionality. | Failing to an unsecure condition negatively impacts application security and can lead to system compromise. Failure conditions include, for example, l... |
| V-214200 | | The DNS server implementation must log the event and notify the system administrator when anomalies in the operation of the signed zone transfers are discovered. | Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy... |
| V-214202 | | The Zone Signing Key (ZSK) rollover interval must be configured to less than two months. | An attacker that has compromised a ZSK can use that key only during the KSK's signature validity interval. An attacker that has compromised a KSK can ... |
| V-214203 | | NSEC3 must be used for all internal DNS zones. | To ensure that RRs associated with a query are really missing in a zone file and have not been removed in transit, the DNSSEC mechanism provides a mea... |
| V-214204 | | The Infoblox system must ensure each NS record in a zone file points to an active name server authoritative for the domain specified in that record. | Poorly constructed NS records pose a security risk because they create conditions under which an adversary might be able to provide the missing author... |
| V-214205 | | All authoritative name servers for a zone must be located on different network segments. | Most enterprises have an authoritative primary server and a host of authoritative secondary name servers. It is essential that these authoritative nam... |
| V-214206 | | An authoritative name server must be configured to enable DNSSEC Resource Records. | The specification for a digital signature mechanism in the context of the DNS infrastructure is in IETF's DNSSEC standard. In DNSSEC, trust in the pub... |
| V-214208 | | For zones split between the external and internal sides of a network, the RRs for the external hosts must be separate from the RRs for the internal hosts. | Authoritative name servers for an enterprise may be configured to receive requests from both external and internal clients. External clients need to... |
| V-214209 | | In a split DNS configuration, where separate name servers are used between the external and internal networks, the external name server must be configured to not be reachable from inside resolvers. | Instead of having the same set of authoritative name servers serve different types of clients, an enterprise could have two different sets of authorit... |
| V-214210 | | In a split DNS configuration, where separate name servers are used between the external and internal networks, the internal name server must be configured to not be reachable from outside resolvers. | Instead of having the same set of authoritative name servers serve different types of clients, an enterprise could have two different sets of authorit... |
| V-214211 | | The DNS implementation must enforce a Discretionary Access Control (DAC) policy that limits propagation of access rights. | Discretionary Access Control (DAC) is based on the premise that individual users are "owners" of objects and therefore have discretion over who should... |
| V-214212 | | The DNS implementation must implement internal/external role separation. | DNS servers with an internal role only process name/address resolution requests from within the organization (i.e., internal clients). DNS servers wit... |
| V-214213 | | The Infoblox system must utilize valid root name servers in the local root zone file. | All caching name servers must be authoritative for the root zone because, without this starting point, they would have no knowledge of the DNS infrast... |
| V-214214 | | The Infoblox NIOS version must be at the appropriate version. | Infoblox NIOS is updated on a regular basis to add feature support, implement bug fixes, and address security vulnerabilities. NIOS is a hardened syst... |
| V-214215 | | The IP address for hidden master authoritative name servers must not appear in the name servers set in the zone database. | A hidden master authoritative server is an authoritative DNS server whose IP address does not appear in the name server set for a zone. All of the nam... |
| V-214216 | | The platform on which the name server software is hosted must be configured to respond to DNS traffic only. | OS configuration practices as issued by the US Computer Emergency Response Team (US CERT) and the National Institute of Standards and Technology's (NI... |
| V-214217 | | The platform on which the name server software is hosted must be configured to send outgoing DNS messages from a random port. | OS configuration practices as issued by the US Computer Emergency Response Team (US CERT) and the National Institute of Standards and Technology's (NI... |
| V-214218 | | The private keys corresponding to both the ZSK and the KSK must not be kept on the DNSSEC-aware primary authoritative name server when the name server does not support dynamic updates. | The private keys in the KSK and ZSK key pairs must be protected from unauthorized access. If possible, the private keys should be stored off-line (wit... |
| V-214219 | | CNAME records must not point to a zone with lesser security for more than six months. | The use of CNAME records for exercises, tests, or zone-spanning aliases should be temporary (e.g., to facilitate a migration). When a host name is an ... |
| V-214220 | | The Infoblox system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. | Configuration settings are the set of parameters that can be changed that affect the security posture and/or functionality of the system. Security-rel... |
| V-214223 | | Infoblox Grid configuration must be backed up on a regular basis. | The Infoblox Grid Master is the central point of management within an Infoblox Grid. The Grid Master retains a full copy of the configuration used for... |
| V-214225 | | The DHCP service must not be enabled on an external authoritative name server. | The site DNS and DHCP architecture must be reviewed to ensure only the appropriate services are enabled on each Grid Member. An external authoritative... |
| V-214226 | | A secure Out Of Band (OOB) network must be utilized for management of Infoblox Grid Members. | The Infoblox Grid Master is the central point of management within an Infoblox Grid. The Grid Master retains a full copy of the configuration used for... |
| V-219058 | | All authoritative name servers for a zone must be geographically dispersed. | In addition to network-based dispersion, authoritative name servers should be dispersed geographically as well. In other words, in addition to being l... |
| V-214159 | | Infoblox systems which perform zone transfers to non-Infoblox Grid DNS servers must be configured to limit the number of concurrent sessions for zone transfers. | Limiting the number of concurrent sessions reduces the risk of Denial of Service (DoS) to the DNS implementation. Infoblox DNS servers configured in ... |
| V-214221 | | The Infoblox system must be configured to display the appropriate security classification information. | Configuration of the informational banner displays the security classification of the Infoblox system using both color and text. Text may be added for... |
| V-214222 | | The Infoblox system must be configured with the approved DoD notice and consent banner. | Configuration of the DoD notice and consent banner requires all administrators to acknowledge the current DoD notice and consent by clicking an "Accep... |
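The zone-transfer rows (V-214164, V-214174, V-214186) require transaction signatures on server-to-server traffic but do not show what a TSIG actually covers. The following is an added example, not Infoblox code and not part of the STIG: it builds a minimal AXFR request, signs it per RFC 8945 with a shared HMAC key, and shows the server-side checks that reject a tampered message, a wrong key, or a stale (replayed) request. The zone name, key name and secret are constructed for the example.

```python
"""TSIG (RFC 8945) signing and verification of a constructed AXFR request."""
import hashlib
import hmac
import struct

TSIG_TYPE, CLASS_ANY, QTYPE_AXFR, QCLASS_IN = 250, 255, 252, 1
ALGORITHMS = {"hmac-sha256": hashlib.sha256, "hmac-sha512": hashlib.sha512}


def wire_name(name):
    """Canonical wire form of a domain name: lowercase, length-prefixed labels, root byte."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_axfr_query(zone, msg_id):
    """Unsigned AXFR request: 12-byte header with QDCOUNT=1, then one question."""
    header = struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 0)
    return header + wire_name(zone) + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)


def tsig_variables(keyname, algorithm, time_signed, fudge, error=0, other=b""):
    """TSIG RR fields that enter the MAC input (RFC 8945 section 4.3.3): key name,
    class ANY, TTL 0, algorithm name, 48-bit time signed, fudge, error, other data."""
    return (wire_name(keyname) + struct.pack("!HI", CLASS_ANY, 0) + wire_name(algorithm)
            + time_signed.to_bytes(6, "big")
            + struct.pack("!HHH", fudge, error, len(other)) + other)


def tsig_mac(message, keyname, secret, algorithm, time_signed, fudge):
    """HMAC over the whole unsigned DNS message followed by the TSIG variables."""
    digest = ALGORITHMS[algorithm.lower().rstrip(".")]
    data = message + tsig_variables(keyname, algorithm, time_signed, fudge)
    return hmac.new(secret, data, digest).digest()


def sign_request(message, keyname, secret, algorithm, time_signed, fudge=300):
    """Client side: compute the MAC, append the TSIG RR and bump ARCOUNT.
    Returns (signed_message, mac)."""
    mac = tsig_mac(message, keyname, secret, algorithm, time_signed, fudge)
    rdata = (wire_name(algorithm) + time_signed.to_bytes(6, "big")
             + struct.pack("!HH", fudge, len(mac)) + mac
             + message[0:2]                      # original message ID
             + struct.pack("!HH", 0, 0))         # error 0, other len 0
    rr = wire_name(keyname) + struct.pack("!HHIH", TSIG_TYPE, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", message[10:12])[0] + 1
    return message[:10] + struct.pack("!H", arcount) + message[12:] + rr, mac


def verify_request(message, keyname, secret, algorithm, time_signed, fudge, mac, now):
    """Server side, after removing the TSIG RR and restoring ARCOUNT: reject requests
    outside the time window (BADTIME, which stops replay) and MAC mismatches (BADSIG)."""
    if abs(now - time_signed) > fudge:
        return False
    expected = tsig_mac(message, keyname, secret, algorithm, time_signed, fudge)
    return hmac.compare_digest(expected, mac)


if __name__ == "__main__":
    secret = b"constructed-shared-secret-not-for-production"
    ts = 1700000000
    msg = build_axfr_query("internal.example.", 0x1234)
    signed, mac = sign_request(msg, "axfr-key.", secret, "hmac-sha256.", ts)
    print(len(signed), verify_request(msg, "axfr-key.", secret, "hmac-sha256.", ts, 300, mac, ts + 5))
```

Two caveats worth keeping in mind when reading these rows together: TSIG authenticates the peer and protects integrity of the request and of every AXFR response message (for responses, RFC 8945 also prepends the request MAC to the MAC input, which the example omits), but it does not encrypt the zone data, so confidentiality of a transfer still needs a separate channel such as XFR over TLS or IPsec. And because the MAC covers the time-signed field, the fudge window is the replay protection; clocks on both ends have to be synchronized within it.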
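V-214169, V-214172 and V-214206 describe the chain of trust between parent and child zones, and V-214207 requires a FIPS-compatible signature algorithm, but the rows do not show what the parent actually publishes. The block below is an added example, not Infoblox or STIG code: it computes the RFC 4034 key tag and an RFC 4509 SHA-256 DS record from a child's KSK, checks that a DS vouches for a given DNSKEY, and audits a DNSKEY RRset against an algorithm allow-list. The allow-list is an assumption for illustration (the site's approved list governs), and the public key bytes are filler with no corresponding private key.

```python
"""DNSKEY key tag and DS computation (RFC 4034 Appendix B, RFC 4509) on a constructed key."""
import hashlib
import struct

# Algorithm numbers whose primitives are NIST-approved (RSA with SHA-256/512, ECDSA P-256/P-384).
# Numbers 1, 3, 5, 6 and 7 depend on MD5, SHA-1 or 1024-bit DSA and do not pass. Assumed
# allow-list for illustration only; the site's approved algorithm list governs.
FIPS_COMPATIBLE = {8: "RSASHA256", 10: "RSASHA512", 13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384"}
FLAG_ZONE, FLAG_SEP, DS_SHA256 = 0x0100, 0x0001, 2
# Constructed filler shaped like a P-256 public point (64 bytes); not a real key.
CONSTRUCTED_PUBKEY = hashlib.sha256(b"constructed filler, not a key").digest() * 2


def wire_name(name):
    """Canonical wire form of a domain name: lowercase, length-prefixed labels, root byte."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def make_dnskey_rdata(flags, algorithm, public_key):
    """DNSKEY RDATA: flags(2) | protocol(1), always 3 | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key


def key_tag(dnskey_rdata):
    """RFC 4034 Appendix B key tag: a 16-bit index into the DNSKEY RRset, not a security check.
    (Algorithm 1, RSAMD5, used a different formula; it is deprecated and not handled here.)"""
    ac = 0
    for i, b in enumerate(dnskey_rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds_rdata(owner, dnskey_rdata):
    """DS RDATA: keytag(2) | algorithm(1) | digest type(1) | SHA-256(owner wire || DNSKEY RDATA)."""
    algorithm = dnskey_rdata[3]
    digest = hashlib.sha256(wire_name(owner) + dnskey_rdata).digest()
    return struct.pack("!HBB", key_tag(dnskey_rdata), algorithm, DS_SHA256) + digest


def ds_matches(owner, dnskey_rdata, ds_rdata):
    """Does this parent-side DS vouch for this child DNSKEY? Tag, algorithm and digest must
    all agree. Only digest type 2 (SHA-256) is implemented here."""
    if len(ds_rdata) != 36 or ds_rdata[3] != DS_SHA256:
        return False
    return ds_rdata == make_ds_rdata(owner, dnskey_rdata)


def check_signing_keys(owner, dnskeys):
    """Audit a zone's DNSKEY RRset. Returns (findings, ds_records_to_publish_at_parent):
    every key's algorithm must be on the allow-list, and a DS is derived for each KSK
    (SEP flag set). ZSKs get no DS; the KSK's RRSIG over the DNSKEY RRset vouches for them."""
    findings, ds_records = [], []
    for rdata in dnskeys:
        flags, _protocol, algorithm = struct.unpack("!HBB", rdata[:4])
        if algorithm not in FIPS_COMPATIBLE:
            findings.append(f"key tag {key_tag(rdata)}: algorithm {algorithm} is not FIPS-compatible")
        if flags & FLAG_SEP:
            ds_records.append(make_ds_rdata(owner, rdata))
    if not ds_records:
        findings.append("no KSK (SEP flag) in the RRset; the parent has nothing to publish a DS for")
    return findings, ds_records


if __name__ == "__main__":
    ksk = make_dnskey_rdata(FLAG_ZONE | FLAG_SEP, 13, CONSTRUCTED_PUBKEY)
    zsk = make_dnskey_rdata(FLAG_ZONE, 13, CONSTRUCTED_PUBKEY[::-1])
    findings, ds_set = check_signing_keys("child.example.", [ksk, zsk])
    print(findings, ds_set[0].hex())
```

The DS is what ties the KSK rollover interval in V-214170 to the parent: a new KSK is not trusted by validators until the parent publishes a DS for it, so the rollover procedure has to include that DS update and keep the old DS until the new one has propagated. Note also that an approved algorithm number satisfies V-214207 but not V-214201; whether the signing module is FIPS-validated is a separate property of the platform, not of the algorithm field.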
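V-214203 requires NSEC3 for internal zones so that a validator can prove a name is absent without the zone being trivially enumerable. As an added example, not Infoblox or STIG code, the block below implements the RFC 5155 owner-name hash, builds the hashed chain a signer would emit for a handful of constructed names, and finds the NSEC3 record that covers a nonexistent query name. The four internal names and the zone are made up; the one fixed hash value checked is the apex hash from the RFC 5155 Appendix A example zone.

```python
"""NSEC3 (RFC 5155) owner-name hashing and proof of nonexistence over constructed data."""
import base64
import hashlib

# NSEC3 owner names use Base32hex (RFC 4648 section 7); map Python's standard Base32 alphabet.
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", b"0123456789ABCDEFGHIJKLMNOPQRSTUV")


def wire_name(name):
    """Canonical wire form of a domain name: lowercase, length-prefixed labels, root byte."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name, salt, iterations):
    """H = SHA-1(wire_name || salt), then `iterations` further rounds of SHA-1(H || salt);
    the 20-byte result is rendered as 32 Base32hex characters, as in NSEC3 owner names."""
    h = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        h = hashlib.sha1(h + salt).digest()
    return base64.b32encode(h).translate(_B32HEX).decode("ascii").lower()


def covers(owner, next_hashed, target):
    """True if target's hash lies in the gap (owner, next). The last record in the chain
    points back to the first, so its gap wraps around the end of the hash space."""
    if owner < next_hashed:
        return owner < target < next_hashed
    return target > owner or target < next_hashed


def build_chain(names, salt, iterations):
    """Sorted (owner_hash, next_hash) pairs: the NSEC3 RRs a signer would emit for these names."""
    hashes = sorted(nsec3_hash(n, salt, iterations) for n in names)
    return [(h, hashes[(i + 1) % len(hashes)]) for i, h in enumerate(hashes)]


def proof_of_nonexistence(chain, qname, salt, iterations):
    """Return the NSEC3 RR (owner, next) proving qname is absent, or None if an NSEC3 owner
    equals qname's hash (the name exists). A complete validator also checks the closest
    encloser and wildcard proofs and verifies the RRSIG over the record; omitted here."""
    target = nsec3_hash(qname, salt, iterations)
    for owner, nxt in chain:
        if owner == target:
            return None
        if covers(owner, nxt, target):
            return (owner, nxt)
    return None


# Constructed zone contents; RFC 9276 parameters (no salt, zero extra iterations).
SAMPLE_NAMES = ["internal.example.", "www.internal.example.",
                "mail.internal.example.", "db.internal.example."]
SALT, ITERATIONS = b"", 0

if __name__ == "__main__":
    chain = build_chain(SAMPLE_NAMES, SALT, ITERATIONS)
    print(proof_of_nonexistence(chain, "nothere.internal.example.", SALT, ITERATIONS))
```

When choosing the NSEC3 parameters on the Infoblox side, follow RFC 9276 (BCP 236): zero additional iterations and an empty salt. Extra iterations do not meaningfully slow an offline dictionary attack on the hashes but do multiply the work every validating resolver must do for each negative answer, and some resolvers now treat zones with high iteration counts as insecure or unreachable.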
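V-214185, V-214204 and V-214215 together describe three checks on an authoritative zone's NS set: every listed server must actually answer authoritatively for the zone, none may offer recursion, and the hidden master's address must not appear among them. The following is an added example, not Infoblox or STIG code, of an audit that runs those checks against constructed zone data and constructed probe replies; the addresses, names and reply headers are all made up, and in a live audit the probe callable would send an SOA query to each address and hand back the raw reply.

```python
"""Audit a zone's NS set against constructed SOA-probe replies."""
import struct

FLAG_QR, FLAG_AA, FLAG_RD, FLAG_RA = 0x8000, 0x0400, 0x0100, 0x0080


def parse_header(msg):
    """Decode the 12-byte DNS header (RFC 1035 section 4.1.1) into the flags a probe inspects."""
    msg_id, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", msg[:12])
    return {"id": msg_id, "qr": bool(flags & FLAG_QR), "aa": bool(flags & FLAG_AA),
            "rd": bool(flags & FLAG_RD), "ra": bool(flags & FLAG_RA),
            "rcode": flags & 0x000F, "ancount": ancount}


def make_response(msg_id, aa, ra, rcode=0, ancount=1):
    """Constructed reply header (no body) standing in for a server's answer to an SOA probe."""
    flags = FLAG_QR | (FLAG_AA if aa else 0) | (FLAG_RA if ra else 0) | rcode
    return struct.pack("!HHHHHH", msg_id, flags, 1, ancount, 0, 0)


def assess_probe(response):
    """Findings for one SOA-probe reply from a server that should be purely authoritative."""
    h = parse_header(response)
    if not h["qr"]:
        return ["not a response"]
    findings = []
    if h["rcode"] != 0:
        findings.append(f"rcode {h['rcode']} (server does not serve the zone)")
    elif not h["aa"]:
        findings.append("answer not authoritative (AA clear)")
    if h["ra"]:
        findings.append("recursion available (RA set) on an authoritative server")
    return findings


def audit_ns_set(zone, records, hidden_master_ips, probe):
    """records: (owner, type, rdata) tuples holding the NS set and in-zone glue;
    probe(ip) returns the raw reply to an SOA query for the zone sent to that address."""
    findings = []
    ns_targets = [r for o, t, r in records if o == zone and t == "NS"]
    if not ns_targets:
        return [f"{zone}: no NS records"]
    for target in ns_targets:
        addrs = [r for o, t, r in records if o == target and t in ("A", "AAAA")]
        if not addrs:
            findings.append(f"NS {target}: no address record in the zone (missing glue)")
        for ip in addrs:
            if ip in hidden_master_ips:
                findings.append(f"NS {target} -> {ip}: hidden master address published in the NS set")
            findings.extend(f"NS {target} -> {ip}: {f}" for f in assess_probe(probe(ip)))
    return findings


# Constructed zone data and probe replies (not from any real deployment).
ZONE = "internal.example."
RECORDS = [
    (ZONE, "NS", "ns1.internal.example."),
    (ZONE, "NS", "ns2.internal.example."),
    (ZONE, "NS", "ns3.internal.example."),
    ("ns1.internal.example.", "A", "10.0.0.1"),
    ("ns2.internal.example.", "A", "10.0.0.2"),
    ("ns3.internal.example.", "A", "10.0.0.9"),
]
HIDDEN_MASTER_IPS = {"10.0.0.9"}
PROBE_REPLIES = {
    "10.0.0.1": make_response(1, aa=True, ra=False),   # clean authoritative-only server
    "10.0.0.2": make_response(1, aa=True, ra=True),    # authoritative, but recursion left on
    "10.0.0.9": make_response(1, aa=True, ra=False),   # the hidden master, wrongly listed
}


def constructed_probe(ip):
    """Stand-in for a network probe: unknown addresses get SERVFAIL (rcode 2) with no answer."""
    return PROBE_REPLIES.get(ip, make_response(1, aa=False, ra=False, rcode=2, ancount=0))


if __name__ == "__main__":
    for finding in audit_ns_set(ZONE, RECORDS, HIDDEN_MASTER_IPS, constructed_probe):
        print(finding)
```

The same two header bits are what a manual check reads: `dig +norecurse SOA internal.example @10.0.0.2` should show `aa` in the flags line and must not show `ra` on a server that V-214185 says has recursion disabled. The example only resolves NS targets from in-zone glue; targets outside the zone have to be resolved before probing, and a real probe should also compare the SOA serial each server returns to catch a stale secondary.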