
Infoblox 7.x DNS Security Technical Implementation Guide


Overview

Date: 2017-04-05
Finding Count: 68 (CAT I (High): 3, CAT II (Med): 62, CAT III (Low): 3)
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.

Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-68597 High The DNS server must implement NIST FIPS-validated cryptography for provisioning digital signatures, generating cryptographic hashes, and protecting unclassified information requiring confidentiality.
V-68609 High Digital signature algorithm used for DNSSEC-enabled zones must be FIPS-compatible.
V-68623 High Infoblox systems must be configured with current DoD password restrictions.
V-68517 Medium Primary authoritative name servers must be configured to only receive zone transfer requests from specified secondary name servers.
V-68699 Medium Infoblox systems which are configured to perform zone transfers to non-Grid name servers must utilize transaction signatures (TSIG).
V-68575 Medium A DNS server implementation must provide additional integrity artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries.
V-68571 Medium A DNS server implementation must provide data origin artifacts for internal name/address resolution queries.
V-68553 Medium The Infoblox system must be configured to manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of Denial of Service (DoS) attacks.
V-68551 Medium The Infoblox system must be configured to restrict the ability of individuals to use the DNS server to launch Denial of Service (DoS) attacks against other information systems.
V-68557 Medium An Infoblox DNS server must strongly bind the identity of the DNS server with the DNS information using DNSSEC.
V-68519 Medium The Infoblox system must limit the number of concurrent client connections to the number of allowed dynamic update clients.
V-68615 Medium In a split DNS configuration, where separate name servers are used between the external and internal networks, the internal name server must be configured to not be reachable from outside resolvers.
V-68617 Medium The DNS implementation must enforce a Discretionary Access Control (DAC) policy that limits propagation of access rights.
V-68559 Medium The Infoblox system must be configured to provide the means for authorized individuals to determine the identity of the source of the DNS server-provided information.
V-68611 Medium For zones split between the external and internal sides of a network, the RRs for the external hosts must be separate from the RRs for the internal hosts.
V-68539 Medium A DNS server implementation must provide the means to enable verification of a chain of trust among parent and child domains (if the child supports secure resolution services).
V-68613 Medium In a split DNS configuration, where separate name servers are used between the external and internal networks, the external name server must be configured to not be reachable from inside resolvers.
V-68535 Medium The validity period for the RRSIGs covering the DS RR for a zone's delegated children must be no less than two days and no more than one week.
V-68537 Medium The Infoblox system implementation must enforce approved authorizations for controlling the flow of information between DNS servers and between DNS servers and DNS clients based on DNSSEC policies.
V-68619 Medium A secure Out Of Band (OOB) network must be utilized for management of Infoblox Grid Members.
V-68531 Medium The Infoblox system must be configured to provide additional data origin artifacts along with the authoritative data the system returns in response to external name/address resolution queries.
V-68533 Medium A DNS server implementation must provide the means to indicate the security status of child zones.
V-68625 Medium Infoblox Grid configuration must be backed up on a regular basis.
V-68639 Medium The platform on which the name server software is hosted must be configured to respond to DNS traffic only.
V-68599 Medium The validity period for the RRSIGs covering a zone's DNSKEY RRSet must be no less than two days and no more than one week.
V-68633 Medium CNAME records must not point to a zone with lesser security for more than six months.
V-68631 Medium The Infoblox system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
V-68577 Medium A DNS server implementation must request data origin authentication verification on the name/address resolution responses the system receives from authoritative sources.
V-68637 Medium The platform on which the name server software is hosted must be configured to send outgoing DNS messages from a random port.
V-68593 Medium The DNS server implementation must follow procedures to re-role a secondary name server as the master name server should the master name server permanently lose functionality.
V-68635 Medium The private keys corresponding to both the ZSK and the KSK must not be kept on the DNSSEC-aware primary authoritative name server when the name server does not support dynamic updates.
V-68591 Medium The DNS server implementation must maintain the integrity of information during reception.
V-68579 Medium A DNS server implementation must request data integrity verification on the name/address resolution responses the system receives from authoritative sources.
V-68547 Medium Infoblox DNS servers must be configured to protect the authenticity of communications sessions for dynamic updates.
V-68563 Medium The Infoblox system must be configured to allow DNS administrators to change the auditing to be performed on all DNS server components, based on all selectable event criteria.
V-68595 Medium The DNS server implementation must log the event and notify the system administrator when anomalies in the operation of the signed zone transfers are discovered.
V-68561 Medium The Infoblox system must be configured to validate the binding of the other DNS server's identity to the DNS information for a server-to-server transaction (e.g., zone transfer).
V-68573 Medium A DNS server implementation must provide data integrity protection artifacts for internal name/address resolution queries.
V-68565 Medium Recursion must be disabled on Infoblox DNS servers which are configured as authoritative name servers.
V-68545 Medium Infoblox DNS servers must protect the authenticity of communications sessions for zone transfers.
V-68569 Medium The DNS server implementation must authenticate another DNS server before establishing a remote and/or network connection using bidirectional authentication that is cryptographically based.
V-68543 Medium All authoritative name servers for a zone must be geographically dispersed.
V-68567 Medium The Infoblox system must authenticate the other DNS server before responding to a server-to-server transaction.
V-68603 Medium The Infoblox system must ensure each NS record in a zone file points to an active name server authoritative for the domain specified in that record.
V-68601 Medium NSEC3 must be used for all internal DNS zones.
V-68607 Medium An authoritative name server must be configured to enable DNSSEC Resource Records.
V-68529 Medium The Infoblox system must be configured to employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions.
V-68605 Medium All authoritative name servers for a zone must be located on different network segments.
V-68527 Medium Signature generation using the KSK must be done off-line, using the KSK-private stored off-line.
V-68525 Medium Only the private key corresponding to the ZSK alone must be kept on the name server that does support dynamic updates.
V-68523 Medium Infoblox systems configured to run the DNS service must be configured to prohibit or restrict unapproved ports and protocols.
V-68521 Medium The Infoblox system audit records must be backed up at least every seven days onto a different system or system component than the system or component being audited.
V-68581 Medium A DNS server implementation must perform data integrity verification on the name/address resolution responses the system receives from authoritative sources.
V-68583 Medium A DNS server implementation must perform data origin verification authentication on the name/address resolution responses the system receives from authoritative sources.
V-68585 Medium The Infoblox system must be configured to protect the integrity of transmitted information.
V-68587 Medium The Infoblox system must implement cryptographic mechanisms to detect changes to information during transmission unless otherwise protected by alternative physical safeguards, such as, at a minimum, a Protected Distribution System (PDS).
V-68589 Medium The DNS server implementation must maintain the integrity of information during preparation for transmission.
V-68647 Medium The DNS implementation must implement internal/external role separation.
V-68701 Medium Infoblox DNS servers must be configured to protect the authenticity of communications sessions for queries.
V-68645 Medium The Infoblox system must utilize valid root name servers in the local root zone file.
V-68643 Medium The Infoblox NIOS version must be at the appropriate version.
V-68549 Medium In the event of a system failure, the Infoblox system must preserve any information necessary to determine the cause of failure and any information necessary to return to operations with the least disruption to mission processes.
V-68555 Medium The Infoblox system must be configured to activate a notification to the system administrator when a component failure is detected.
V-68621 Medium The DHCP service must not be enabled on an external authoritative name server.
V-68641 Medium The IP address for hidden master authoritative name servers must not appear in the name servers set in the zone database.
V-68515 Low Infoblox systems which perform zone transfers to non-Infoblox Grid DNS servers must be configured to limit the number of concurrent sessions for zone transfers.
V-68629 Low The Infoblox system must be configured to display the appropriate security classification information.
V-68627 Low The Infoblox system must be configured with the approved DoD notice and consent banner.