The Infoblox system must prohibit or restrict unapproved services, ports, and protocols.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-233897	IDNS-8X-400039	SV-233897r621666_rule		Medium

Description
To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems. Infoblox systems provide DNS, Dynamic Host Configuration Protocol (DHCP), and IP Address Management (DDI) services. Some of the functions and services provided may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., DNS and DHCP); however, doing so increases risk over limiting the services provided by any one component. This risk may be increased depending on placement in the network. Internal systems often provide DNS and DHCP; however, external systems or those in a DMZ provide only DNS.

Description

To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems. Infoblox systems provide DNS, Dynamic Host Configuration Protocol (DHCP), and IP Address Management (DDI) services. Some of the functions and services provided may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., DNS and DHCP); however, doing so increases risk over limiting the services provided by any one component. This risk may be increased depending on placement in the network. Internal systems often provide DNS and DHCP; however, external systems or those in a DMZ provide only DNS.

STIG	Date
Infoblox 8.x DNS Security Technical Implementation Guide	2021-01-11

Details

Check Text ( C-37082r611211_chk )
Note: For Infoblox DNS systems on a classified network, this requirement is Not Applicable. By default, all services other than those required for management are disabled. Validate that no additional services have been enabled for DNS members. 1. Navigate to Grid >> Grid Manager >> Grid Properties, or System >> System Manager >> System Properties if using a stand-alone configuration. 2. Select the "Services" tab and review each service and member status at the top of the panel. Depending on purchased options, Infoblox DNS members may be running DNS and optionally running services supporting DNS and security operations such as DNS Traffic Control, Threat Protection, Threat Analytics, and TAXII services. Use of these additional Infoblox services is not a finding. If any unnecessary services such as file distribution services are enabled on the DNS members, this is a finding. Note: Once DNSSEC is enabled, the DNS service will be required to be running on the Grid Master, and it will be placed into stealth mode.

Check Text ( C-37082r611211_chk )

Note: For Infoblox DNS systems on a classified network, this requirement is Not Applicable.

By default, all services other than those required for management are disabled. Validate that no additional services have been enabled for DNS members.

1. Navigate to Grid >> Grid Manager >> Grid Properties, or System >> System Manager >> System Properties if using a stand-alone configuration.
2. Select the "Services" tab and review each service and member status at the top of the panel.

Depending on purchased options, Infoblox DNS members may be running DNS and optionally running services supporting DNS and security operations such as DNS Traffic Control, Threat Protection, Threat Analytics, and TAXII services.

Use of these additional Infoblox services is not a finding.

If any unnecessary services such as file distribution services are enabled on the DNS members, this is a finding.

Note: Once DNSSEC is enabled, the DNS service will be required to be running on the Grid Master, and it will be placed into stealth mode.

Fix Text (F-37047r611212_fix)
1. Navigate to Grid >> Grid Manager >> Grid Properties, or System >> System Manager >> System Properties if using a stand-alone configuration. 2. Select the "Services" tab. 3. Select each available service at the top of the panel and review the service status. 4. Click on the member and disable unnecessary services.