
Infoblox 7.x DNS Security Technical Implementation Guide


Overview

Date        Finding Count (67)
2020-12-10  CAT I (High): 3    CAT II (Med): 61    CAT III (Low): 3
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-214201 High The DNS server must implement NIST FIPS-validated cryptography for provisioning digital signatures, generating cryptographic hashes, and protecting unclassified information requiring confidentiality.
V-214207 High Digital signature algorithm used for DNSSEC-enabled zones must be FIPS-compatible.
V-214224 High Infoblox systems must be configured with current DoD password restrictions.
V-214189 Medium A DNS server implementation must provide data integrity protection artifacts for internal name/address resolution queries.
V-214188 Medium A DNS server implementation must provide data origin artifacts for internal name/address resolution queries.
V-214181 Medium An Infoblox DNS server must strongly bind the identity of the DNS server with the DNS information using DNSSEC.
V-214180 Medium The Infoblox system must be configured to activate a notification to the system administrator when a component failure is detected.
V-214183 Medium The Infoblox system must be configured to validate the binding of the other DNS servers identity to the DNS information for a server-to-server transaction (e.g., zone transfer).
V-214182 Medium The Infoblox system must be configured to provide the means for authorized individuals to determine the identity of the source of the DNS server-provided information.
V-214185 Medium Recursion must be disabled on Infoblox DNS servers which are configured as authoritative name servers.
V-214187 Medium The DNS server implementation must authenticate another DNS server before establishing a remote and/or network connection using bidirectional authentication that is cryptographically based.
V-214186 Medium The Infoblox system must authenticate the other DNS server before responding to a server-to-server transaction.
V-214208 Medium For zones split between the external and internal sides of a network, the RRs for the external hosts must be separate from the RRs for the internal hosts.
V-214209 Medium In a split DNS configuration, where separate name servers are used between the external and internal networks, the external name server must be configured to not be reachable from inside resolvers.
V-214214 Medium The Infoblox NIOS version must be at the appropriate version.
V-214202 Medium The Zone Signing Key (ZSK) rollover interval must be configured to less than two months.
V-214203 Medium NSEC3 must be used for all internal DNS zones.
V-214200 Medium The DNS server implementation must log the event and notify the system administrator when anomalies in the operation of the signed zone transfers are discovered.
V-214206 Medium An authoritative name server must be configured to enable DNSSEC Resource Records.
V-214204 Medium The Infoblox system must ensure each NS record in a zone file points to an active name server authoritative for the domain specified in that record.
V-214205 Medium All authoritative name servers for a zone must be located on different network segments.
V-214167 Medium The Infoblox system must be configured to employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions.
V-214166 Medium Signature generation using the KSK must be done off-line, using the KSK-private stored off-line.
V-214165 Medium Only the private key corresponding to the ZSK must be kept on a name server that supports dynamic updates.
V-214164 Medium Infoblox systems which are configured to perform zone transfers to non-Grid name servers must utilize transaction signatures (TSIG).
V-214220 Medium The Infoblox system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
V-214161 Medium The Infoblox system must limit the number of concurrent client connections to the number of allowed dynamic update clients.
V-214160 Medium Primary authoritative name servers must be configured to only receive zone transfer requests from specified secondary name servers.
V-214169 Medium A DNS server implementation must provide the means to indicate the security status of child zones.
V-214168 Medium The Infoblox system must be configured to provide additional data origin artifacts along with the authoritative data the system returns in response to external name/address resolution queries.
V-219058 Medium All authoritative name servers for a zone must be geographically dispersed.
V-214198 Medium The DNS server implementation must maintain the integrity of information during reception.
V-214212 Medium The DNS implementation must implement internal/external role separation.
V-214225 Medium The DHCP service must not be enabled on an external authoritative name server.
V-214226 Medium A secure Out Of Band (OOB) network must be utilized for management of Infoblox Grid Members.
V-214199 Medium The DNS server implementation must follow procedures to re-role a secondary name server as the master name server should the master name server permanently lose functionality.
V-214196 Medium The Infoblox system must implement cryptographic mechanisms to detect changes to information during transmission unless otherwise protected by alternative physical safeguards, such as, at a minimum, a Protected Distribution System (PDS).
V-214197 Medium The DNS server implementation must maintain the integrity of information during preparation for transmission.
V-214194 Medium A DNS server implementation must perform data origin verification authentication on the name/address resolution responses the system receives from authoritative sources.
V-214192 Medium A DNS server implementation must request data integrity verification on the name/address resolution responses the system receives from authoritative sources.
V-214193 Medium A DNS server implementation must perform data integrity verification on the name/address resolution responses the system receives from authoritative sources.
V-214190 Medium A DNS server implementation must provide additional integrity artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries.
V-214191 Medium A DNS server implementation must request data origin authentication verification on the name/address resolution responses the system receives from authoritative sources.
V-214215 Medium The IP address for hidden master authoritative name servers must not appear in the name servers set in the zone database.
V-214163 Medium Infoblox systems configured to run the DNS service must be configured to prohibit or restrict unapproved ports and protocols.
V-214217 Medium The platform on which the name server software is hosted must be configured to send outgoing DNS messages from a random port.
V-214216 Medium The platform on which the name server software is hosted must be configured to respond to DNS traffic only.
V-214211 Medium The DNS implementation must enforce a Discretionary Access Control (DAC) policy that limits propagation of access rights.
V-214210 Medium In a split DNS configuration, where separate name servers are used between the external and internal networks, the internal name server must be configured to not be reachable from outside resolvers.
V-214213 Medium The Infoblox system must utilize valid root name servers in the local root zone file.
V-214162 Medium The Infoblox system audit records must be backed up at least every seven days onto a different system or system component than the system or component being audited.
V-214174 Medium Infoblox DNS servers must protect the authenticity of communications sessions for zone transfers.
V-214175 Medium Infoblox DNS servers must be configured to protect the authenticity of communications sessions for dynamic updates.
V-214176 Medium Infoblox DNS servers must be configured to protect the authenticity of communications sessions for queries.
V-214177 Medium In the event of a system failure, the Infoblox system must preserve any information necessary to determine the cause of failure and any information necessary to return to operations with the least disruption to mission processes.
V-214170 Medium The Key Signing Key (KSK) rollover interval must be configured to no less than one year.
V-214172 Medium A DNS server implementation must provide the means to enable verification of a chain of trust among parent and child domains (if the child supports secure resolution services).
V-214171 Medium The Infoblox system implementation must enforce approved authorizations for controlling the flow of information between DNS servers and between DNS servers and DNS clients based on DNSSEC policies.
V-214223 Medium Infoblox Grid configuration must be backed up on a regular basis.
V-214178 Medium The Infoblox system must be configured to restrict the ability of individuals to use the DNS server to launch Denial of Service (DoS) attacks against other information systems.
V-214179 Medium The Infoblox system must be configured to manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of Denial of Service (DoS) attacks.
V-214195 Medium The Infoblox system must be configured to protect the integrity of transmitted information.
V-214219 Medium CNAME records must not point to a zone with lesser security for more than six months.
V-214218 Medium The private keys corresponding to both the ZSK and the KSK must not be kept on the DNSSEC-aware primary authoritative name server when the name server does not support dynamic updates.
V-214221 Low The Infoblox system must be configured to display the appropriate security classification information.
V-214159 Low Infoblox systems which perform zone transfers to non-Infoblox Grid DNS servers must be configured to limit the number of concurrent sessions for zone transfers.
V-214222 Low The Infoblox system must be configured with the approved DoD notice and consent banner.
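Several of the findings above (V-214204, V-214205, V-214215) can be partly checked from the zone data alone, before any live query is made. The script below is an added example written for this page; it is not part of the STIG, the STIG Viewer, or Infoblox NIOS. It parses a small constructed BIND-style zone (one RR per line), then checks that every in-zone NS target has an A/AAAA record, that no NS target resolves to a hidden master address, and that the listed name servers do not all sit on one network segment. The hidden master address list and the /24 segment size are assumptions supplied by the caller; whether each listed server is actually up and authoritative (the remainder of V-214204) still requires a live query and is deliberately not done here.

```python
"""Static NS-set checks for an authoritative zone (added example, not from the STIG page).

Checks the parts of V-214204 (in-zone NS names have glue), V-214205 (name servers
on different network segments) and V-214215 (hidden master address absent from the
NS set) that are visible in the zone data itself.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

Record = Tuple[str, str, List[str]]  # (absolute owner name, RR type, rdata tokens)

# Constructed sample zone for the example; addresses are RFC 5737 documentation ranges.
SAMPLE_ZONE = """\
$ORIGIN example.test.
@         3600 IN SOA  ns-hidden.example.test. hostmaster.example.test. 2020121001 7200 900 1209600 300
@         3600 IN NS   ns1.example.test.
@         3600 IN NS   ns2.example.test.
@         3600 IN NS   ns3.example.test.
ns1       3600 IN A    192.0.2.10
ns2       3600 IN A    192.0.2.20
ns3       3600 IN A    198.51.100.10
ns-hidden 3600 IN A    203.0.113.5   ; hidden master: has an address but must not be in the NS set
www       300  IN A    192.0.2.80
"""


def _absolute(name: str, origin: str) -> str:
    """Turn '@' or a relative owner/target into an absolute, lower-cased name."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name.lower()
    return f"{name}.{origin}".lower()


def parse_zone(text: str) -> Tuple[str, List[Record]]:
    """Minimal one-RR-per-line zone parser: handles $ORIGIN, '@', relative names,
    ';' comments, blank owner (reuse previous), optional TTL and class.
    It is not a full RFC 1035 parser (no parentheses or $TTL/$INCLUDE)."""
    origin = "."
    last_owner = origin
    records: List[Record] = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].lower()
            origin = origin if origin.endswith(".") else origin + "."
            continue
        tokens = line.split()
        owner = last_owner if line[0].isspace() else _absolute(tokens.pop(0), origin)
        last_owner = owner
        if tokens and tokens[0].isdigit():      # optional TTL
            tokens.pop(0)
        if tokens and tokens[0].upper() == "IN":  # optional class
            tokens.pop(0)
        if not tokens:
            continue
        records.append((owner, tokens[0].upper(), tokens[1:]))
    return origin, records


def audit_ns_set(text: str, hidden_master_ips: Iterable[str], segment_prefix: int = 24) -> List[str]:
    """Return a list of finding strings (empty list means the static checks pass).
    hidden_master_ips and the IPv4 segment size are caller-supplied assumptions;
    IPv6 addresses are bucketed by /64."""
    origin, records = parse_zone(text)
    addrs: Dict[str, List[str]] = defaultdict(list)
    for owner, rtype, rdata in records:
        if rtype in ("A", "AAAA"):
            addrs[owner].append(rdata[0])
    ns_targets = [_absolute(rdata[0], origin)
                  for owner, rtype, rdata in records if rtype == "NS" and owner == origin]
    hidden = {ipaddress.ip_address(ip) for ip in hidden_master_ips}
    findings: List[str] = []
    segments = set()
    for ns in ns_targets:
        in_zone = ns == origin or ns.endswith("." + origin)
        if in_zone and not addrs.get(ns):
            findings.append(f"V-214204: NS {ns} is in-zone but has no A/AAAA record")
        for ip_str in addrs.get(ns, []):   # off-zone NS names have no glue here; resolve them live
            ip = ipaddress.ip_address(ip_str)
            if ip in hidden:
                findings.append(f"V-214215: NS {ns} ({ip}) is the hidden master")
            plen = segment_prefix if ip.version == 4 else 64
            segments.add(ipaddress.ip_network(f"{ip}/{plen}", strict=False))
    if len(ns_targets) > 1 and len(segments) < 2:
        findings.append("V-214205: all listed name servers sit on one network segment")
    return findings


if __name__ == "__main__":
    for f in audit_ns_set(SAMPLE_ZONE, hidden_master_ips=["203.0.113.5"]) or ["no static findings"]:
        print(f)
```

Run it against a real zone export by reading the file into `audit_ns_set` and passing the hidden master's addresses; treat an empty result as "nothing found statically", not as compliance, since liveness and authority of each NS still have to be confirmed with queries against each listed server.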