Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-68547 | IDNS-7X-000280 | SV-83037r1_rule | | Medium |
Description |
---|
DNS is a fundamental network service that is prone to various attacks, such as cache poisoning and man-in-the-middle attacks. If communication sessions are not provided appropriate validity protections, such as the employment of DNSSEC, the authenticity of the data cannot be guaranteed. |
STIG | Date |
---|---|
Infoblox 7.x DNS Security Technical Implementation Guide | 2017-01-04 |
Check Text ( C-69081r1_chk ) |
---|
Infoblox Systems can be configured in two ways to limit DDNS client updates. For clients that support GSS-TSIG, navigate to Data Management >> DNS >> Members/Servers tab. Review each server with the DNS service enabled. Select each server, click "Edit", toggle Advanced Mode and select GSS-TSIG. Verify that "Enable GSS-TSIG authentication of clients" is enabled. For clients that do not support GSS-TSIG, navigate to Data Management >> DNS >> Members/Servers tab. Review each server with the DNS service enabled. Select each server, click "Edit". Select the "Zone Transfers" tab. Verify that either a Named ACL or a Set of ACEs is defined to limit client DDNS. When complete, click "Cancel" to exit the "Properties" screen. If "Enable GSS-TSIG authentication of clients" is not set for clients that support GSS-TSIG, or no Named ACL or Set of ACEs is defined for clients that do not support GSS-TSIG, this is a finding. |
Fix Text (F-74665r1_fix) |
---|
Infoblox Systems can be configured in two ways to limit DDNS client updates. For clients that support GSS-TSIG, navigate to Data Management >> DNS >> Members/Servers tab. Review each server with the DNS service enabled. Select each server, click "Edit", toggle Advanced Mode and select GSS-TSIG. Configure the option "Enable GSS-TSIG authentication of clients". Upload the required keys. Refer to the Administration Guide for detailed instructions. For clients that do not support GSS-TSIG, navigate to Data Management >> DNS >> Members/Servers tab. Review each server with the DNS service enabled. Select each server, click "Edit". Select the "Zone Transfers" tab. Select either an existing Named ACL or configure a new Set of ACEs to limit client DDNS. When complete, click "Save & Close" to save the changes and exit the "Properties" screen. Perform a service restart if necessary. |
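The two controls above (GSS-TSIG for clients that can sign updates, an ACL for those that cannot) are easy to misread as one. The following is an added example, not part of this STIG or of Infoblox's own code, that models what a DNS server enforces once both are configured: it builds a DNS UPDATE, signs it with a TSIG RR (RFC 8945), verifies the MAC server-side, and falls back to a source-address ACL only for unsigned updates. GSS-TSIG uses the same TSIG RR with a key negotiated over Kerberos/TKEY; the example substitutes a static hmac-sha256 key so it runs offline. The zone, host, key name, secret and addresses are constructed.

```python
import hashlib, hmac, ipaddress, struct, time

TSIG_TYPE, CLASS_IN, CLASS_ANY, OPCODE_UPDATE = 250, 1, 255, 5
ALG = "hmac-sha256."  # GSS-TSIG would carry "gss-tsig." here with a Kerberos-derived key


def encode_name(name):
    """Uncompressed wire form of a dotted DNS name."""
    out = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return out + b"\x00"


def read_name(buf, off):
    labels = []
    while buf[off]:
        n = buf[off]
        if n & 0xC0:
            raise ValueError("compression pointers are not handled in this example")
        labels.append(buf[off + 1:off + 1 + n].decode())
        off += 1 + n
    return ".".join(labels) + ".", off + 1


def read_rr(buf, off):
    name, off = read_name(buf, off)
    rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
    off += 10
    return (name, rtype, rclass, ttl, buf[off:off + rdlen]), off + rdlen


def build_update(zone, rrname, ip, msg_id=0x1234):
    """DNS UPDATE (RFC 2136) adding one A record: ZOCOUNT=1, UPCOUNT=1, no prerequisites."""
    hdr = struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE << 11, 1, 0, 1, 0)
    zone_sec = encode_name(zone) + struct.pack("!HH", 6, CLASS_IN)  # SOA IN names the zone
    rdata = ipaddress.IPv4Address(ip).packed
    add = encode_name(rrname) + struct.pack("!HHIH", 1, CLASS_IN, 300, len(rdata)) + rdata
    return hdr + zone_sec + add


def tsig_variables(keyname, alg, t, fudge, error=0):
    """TSIG variables appended to the message before hashing (RFC 8945 section 4.3.3)."""
    return (encode_name(keyname.lower()) + struct.pack("!HI", CLASS_ANY, 0)
            + encode_name(alg.lower()) + struct.pack("!HI", t >> 32, t & 0xFFFFFFFF)
            + struct.pack("!HHH", fudge, error, 0))


def tsig_sign(msg, keyname, secret, t=None, fudge=300):
    """Append a TSIG RR (HMAC-SHA256 over message + TSIG variables) and bump ARCOUNT."""
    t = int(time.time()) if t is None else t
    mac = hmac.new(secret, msg + tsig_variables(keyname, ALG, t, fudge), hashlib.sha256).digest()
    rdata = (encode_name(ALG) + struct.pack("!HI", t >> 32, t & 0xFFFFFFFF)
             + struct.pack("!HH", fudge, len(mac)) + mac + msg[:2] + struct.pack("!HH", 0, 0))
    rr = encode_name(keyname) + struct.pack("!HHIH", TSIG_TYPE, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", msg[10:12])[0] + 1
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + rr


def tsig_verify(packet, keys, now=None):
    """Return 'ok', 'unsigned', or the TSIG error name (BADKEY, BADSIG, BADTIME)."""
    _, _, zo, pr, up, ad = struct.unpack("!HHHHHH", packet[:12])
    if ad == 0:
        return "unsigned"
    off = 12
    for _ in range(zo):
        _, off = read_name(packet, off)
        off += 4
    for _ in range(pr + up + ad):  # the TSIG RR must be the last record in the message
        start = off
        rr, off = read_rr(packet, off)
    keyname, rtype, _, _, rdata = rr
    if rtype != TSIG_TYPE:
        return "unsigned"
    alg, p = read_name(rdata, 0)
    th, tl, fudge, macsize = struct.unpack("!HIHH", rdata[p:p + 10])
    p += 10
    mac, p = rdata[p:p + macsize], p + macsize
    orig_id, error, _ = struct.unpack("!HHH", rdata[p:p + 6])
    secret = keys.get(keyname.lower())
    if secret is None:
        return "BADKEY"
    # Message as it was hashed: original ID, ARCOUNT without the TSIG RR, TSIG RR stripped.
    unsigned = struct.pack("!H", orig_id) + packet[2:10] + struct.pack("!H", ad - 1) + packet[12:start]
    t = (th << 32) | tl
    expected = hmac.new(secret, unsigned + tsig_variables(keyname, alg, t, fudge, error),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return "BADSIG"
    if abs((int(time.time()) if now is None else now) - t) > fudge:
        return "BADTIME"
    return "ok"


def authorize_update(packet, src_ip, keys, acl, now=None):
    """Decision the STIG expects: a signed update needs a valid TSIG; an unsigned update is
    accepted only from an address in the ACL (the Named ACL / Set of ACEs), otherwise REFUSED."""
    status = tsig_verify(packet, keys, now)
    if status == "ok":
        return "NOERROR"
    if status == "unsigned":
        ip = ipaddress.ip_address(src_ip)
        return "NOERROR" if any(ip in ipaddress.ip_network(a) for a in acl) else "REFUSED"
    return "NOTAUTH:" + status


if __name__ == "__main__":
    keys = {"ddns-key.example.mil.": b"constructed-shared-secret"}  # constructed key
    msg = build_update("example.mil.", "host1.example.mil.", "10.1.2.3")
    print(authorize_update(msg, "192.0.2.10", keys, ["10.20.0.0/16"]))  # REFUSED: unsigned, off-ACL
    signed = tsig_sign(msg, "ddns-key.example.mil.", keys["ddns-key.example.mil."])
    print(authorize_update(signed, "192.0.2.10", keys, []))  # NOERROR: valid TSIG, ACL not consulted
```

The point for the reviewer is the order of decisions: an update that carries a TSIG RR is judged on the signature alone (a bad key, bad MAC or stale timestamp yields NOTAUTH, not an ACL fallback), and the ACL only governs unsigned traffic, so an overly broad ACE such as "any" silently nullifies the GSS-TSIG requirement for every client. On a live member the same negative test is an unsigned `nsupdate` from a host outside the ACL (expect REFUSED) and a Kerberos-authenticated `nsupdate -g` from a domain-joined client (expect NOERROR).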