Infoblox DNS servers must be configured to protect the authenticity of communications sessions for dynamic updates.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-68547	IDNS-7X-000280	SV-83037r1_rule		Medium

Description
DNS is a fundamental network service that is prone to various attacks, such as cache poisoning and man-in-the middle attacks. If communication sessions are not provided appropriate validity protections, such as the employment of DNSSEC, the authenticity of the data cannot be guaranteed.

STIG	Date
Infoblox 7.x DNS Security Technical Implementation Guide	2017-04-05

Details

Check Text ( C-69081r1_chk )
Infoblox Systems can be configured in two ways to limit DDNS client updates. For clients that support GSS-TSIG, navigate to Data Management >> DNS >> Members/Servers tab. Review each server with the DNS service enabled. Select each server, click "Edit", toggle Advanced Mode and select GSS-TSIG. Verify that "Enable GSS-TSIG authentication of clients" is enabled. For clients that do not support GSS-TSIG, navigate to Data Management >> DNS >> Members/Servers tab. Review each server with the DNS service enabled. Select each server, click "Edit". Select the "Zone Transfers" tab. Verify that either a Named ACL or Set of ACEs are defined to limit client DDNS. When complete, click "Cancel" to exit the "Properties" screen. If clients that support GSS-TSIG do not have "Enable GSS-TSIG authentication of clients" set or a named ACL or set of ACEs for clients that do not support GSS-TSIG, this is a finding.

Check Text ( C-69081r1_chk )

Infoblox Systems can be configured in two ways to limit DDNS client updates.

For clients that support GSS-TSIG, navigate to Data Management >> DNS >> Members/Servers tab.

Review each server with the DNS service enabled.
Select each server, click "Edit", toggle Advanced Mode and select GSS-TSIG.
Verify that "Enable GSS-TSIG authentication of clients" is enabled.

For clients that do not support GSS-TSIG, navigate to Data Management >> DNS >> Members/Servers tab.

Review each server with the DNS service enabled. Select each server, click "Edit".
Select the "Zone Transfers" tab.
Verify that either a Named ACL or Set of ACEs are defined to limit client DDNS.
When complete, click "Cancel" to exit the "Properties" screen.

If clients that support GSS-TSIG do not have "Enable GSS-TSIG authentication of clients" set or a named ACL or set of ACEs for clients that do not support GSS-TSIG, this is a finding.

Fix Text (F-74665r1_fix)
Infoblox Systems can be configured in two ways to limit DDNS client updates. For clients that support GSS-TSIG, navigate to Data Management >> DNS >> Members/Servers tab. Review each server with the DNS service enabled. Select each server, click "Edit", toggle Advanced Mode and select GSS-TSIG. Configure the option "Enable GSS-TSIG authentication of clients". Upload the required keys. Refer to the Administration Guide for detailed instructions. For clients that do not support GSS-TSIG, navigate to Data Management >> DNS >> Members/Servers tab. Review each server with the DNS service enabled. Select each server, click "Edit". Select the "Zone Transfers" tab. Select either an existing Named ACL or configure a new Set of ACEs to limit client DDNS. When complete, click "Save & Close" to save the changes and exit the "Properties" screen. Perform a service restart if necessary.

Fix Text (F-74665r1_fix)

Infoblox Systems can be configured in two ways to limit DDNS client updates.

For clients that support GSS-TSIG, navigate to Data Management >> DNS >> Members/Servers tab.

Review each server with the DNS service enabled.
Select each server, click "Edit", toggle Advanced Mode and select GSS-TSIG.
Configure the option "Enable GSS-TSIG authentication of clients".
Upload the required keys. Refer to the Administration Guide for detailed instructions.

For clients that do not support GSS-TSIG, navigate to Data Management >> DNS >> Members/Servers tab.

Review each server with the DNS service enabled.
Select each server, click "Edit".
Select the "Zone Transfers" tab.
Select either an existing Named ACL or configure a new Set of ACEs to limit client DDNS.
When complete, click "Save & Close" to save the changes and exit the "Properties" screen.

Perform a service restart if necessary.