Verify inbound and outbound zone transfer limits are configured. These values control the number of concurrent zone transfers to non-Grid DNS servers.
1. Navigate to Data Management >> DNS >> Members tab.
2. Review each server with the DNS service enabled.
3. Select each server, click "Edit", toggle Advanced Mode, and select the General >> Advanced tab.
4. Verify zone transfer limitations are configured.
5. When complete, click "Cancel" to exit the "Properties" screen.
If zone transfer limits are not configured for non-Infoblox grid name servers, this is a finding.
1. Navigate to Data Management >> DNS >> Members tab.
2. Click "Edit" to review each member with the DNS service status of "Running".
3. Toggle Advanced Mode and select the General >> Advanced tab.
4. Configure both the inbound and outbound zone transfer limits to appropriate values.
5. When complete, click "Save & Close" to save the changes and exit the "Properties" screen.
6. Perform a service restart if necessary.
Infoblox can be configured in two ways to limit DDNS client updates. GSS-TSIG authenticates each update cryptographically; an ACL only restricts updates by source address, so it is the fallback for clients that cannot use GSS-TSIG.
1. For clients that support GSS-TSIG, navigate to Data Management >> DNS >> Members tab.
a. Review each server with the DNS service enabled.
b. Select each server, click "Edit", toggle Advanced Mode, and select GSS-TSIG.
c. Verify that "Enable GSS-TSIG authentication of clients" is enabled.
2. For clients that do not support GSS-TSIG, navigate to Data Management >> DNS >> Members tab.
a. Review each server with the DNS service enabled. Select each server and click "Edit".
b. Select the "Updates" tab. Verify that either a Named ACL or a Set of ACEs is defined to limit client DDNS.
3. When complete, click "Cancel" to exit the "Properties" screen.
If "Enable GSS-TSIG authentication of clients" is disabled for clients supporting GSS-TSIG, or a Named ACL or Set of ACEs is not defined to limit DDNS for clients without GSS-TSIG support, this is a finding.
Infoblox can be configured in two ways to limit DDNS client updates. Refer to the Administrator Guide for detailed instructions if necessary.
1. For clients that support GSS-TSIG, navigate to Data Management >> DNS >> Members tab.
a. Review each server with the DNS service enabled. Select each server, click "Edit", toggle Advanced Mode, and select GSS-TSIG.
b. Configure the option "Enable GSS-TSIG authentication of clients".
c. Upload the required keys.
2. For clients that do not support GSS-TSIG, navigate to Data Management >> DNS >> Members tab.
a. Review each server with the DNS service enabled.
b. Select each server and click "Edit".
c. Select the "Updates" tab. Enable an existing Named ACL or configure a new Set of ACEs to limit client DDNS.
3. When complete, click "Save & Close" to save the changes and exit the "Properties" screen.
4. Perform a service restart if necessary.
Review external DNS zone data and verify there are no HINFO, LOC, RP, or TXT RRs that disclose information that may be used for malicious purposes (for example, host hardware and operating system details, physical location, or the names and mailboxes of responsible staff).
1. Navigate to Data Management >> DNS >> Zones tab.
2. Click on the appropriate DNS zone.
3. Review the external zone data for HINFO, LOC, RP, and TXT RRs.
If any HINFO, LOC, RP, or TXT RRs exist that disclose information that may be used for malicious purposes, this is a finding.
1. Navigate to Data Management >> DNS >> Zones.
2. Select and edit the zone identified during the check.
3. Select the RR and click "Delete" to remove the record.
1. Navigate to Grid >> Grid Manager >> Grid Properties, or System >> System Manager >> System Properties if using a stand-alone configuration.
2. Select the "Monitoring" tab.
3. Verify that "Log to External Syslog Servers" is enabled and that an External Syslog Server is configured.
4. Verify that "Copy Audit Log Message to Syslog" is enabled.
5. Verify that log messages are received on the remote system.
If no external SYSLOG server is available, verify the local procedure to retain audit logs. Logs can be downloaded by navigating to Administration >> Logs >> Audit Log tab and clicking "Download".
When complete, click "Cancel" to exit the "Properties" screen.
If an external SYSLOG server is not configured, or a local policy is not in place to store audit logs, this is a finding.
1. Navigate to Grid >> Grid Manager >> Grid Properties, or System >> System Manager >> System Properties if using a stand-alone configuration.
2. Select the "Monitoring" tab. Enable "Log to External Syslog Servers" and configure an "External Syslog Server".
3. Enable the check box "Copy Audit Log Message to Syslog".
4. When complete, click "Save & Close" to save the changes and exit the "Properties" screen.
5. Perform a service restart if necessary.
6. Review the Infoblox audit records on the remote SYSLOG server to validate operation.
1. Navigate to Data Management >> DNS >> Zones tab.
2. Review each zone by clicking "Edit" and inspecting the "Name Servers" tab.
3. Review the name server (NS) records for each hosted zone and confirm that each authoritative name server is at a different physical location from the remaining name servers.
4. Infoblox supports designating a member as a "stealth" name server, which has no published NS record and is therefore outside the scope of this check.
If the name servers with published NS records for a zone are not all at physically different locations, this is a finding.
Configure the authoritative name servers to be geographically dispersed.
1. Navigate to Data Management >> DNS >> Members tab.
2. Select each grid member configured in an authoritative role and click "Edit".
3. Review the "Queries" tab.
4. Verify that "Allow Recursion" is not enabled.
5. When complete, click "Cancel" to exit the "Properties" screen.
If recursion is not disabled on an authoritative name server, this is a finding.
1. Navigate to Data Management >> DNS >> Members tab.
2. Select each authoritative grid member and click "Edit".
3. Select the "Queries" tab and disable recursion by clearing the "Allow Recursion" check box.
4. When complete, click "Save & Close" to save the changes and exit the "Properties" screen.
5. Perform a service restart if necessary.
Note: For Infoblox DNS systems on a classified network, this requirement is Not Applicable.
1. Navigate to Data Management >> DNS >> Grid DNS Properties.
2. Toggle Advanced Mode, click on the "DNSSEC" tab, and review the "Signature Validity" setting.
3. Validate that the Signature Validity is configured for a period of no less than two days and no more than one week.
4. When complete, click "Cancel" to exit the "Properties" screen.
If the "Signature Validity" period is less than two days or greater than one week, this is a finding.
1. Navigate to Data Management >> DNS >> Grid DNS Properties.
2. Toggle Advanced Mode, click on the "DNSSEC" tab, and edit the "Signature Validity" setting to a period between two days and one week.
3. When complete, click "Save & Close" to save the changes and exit the "Properties" screen.
4. For any zone that was signed with an incorrect value, perform a ZSK rollover so that the RRSIG inception and expiration dates are regenerated with the new value.
5. Navigate to Data Management >> DNS and select the "Zones" tab.
6. Using the zone selection check boxes and the DNSSEC drop-down menu, select "Rollover Zone-Signing Key".
7. When prompted, select "Roll Over".
8. Perform a service restart if necessary.
Note: For Infoblox DNS systems on a classified network, this requirement is Not Applicable.
NSEC chains let a client enumerate every name in a zone by walking from one NSEC record to the next; NSEC3 returns hashed owner names instead, so the zone contents are not disclosed by the denial-of-existence proofs.
1. Review the zone configuration and confirm that, if DNSSEC is enabled, NSEC3 is used.
2. Navigate to Data Management >> DNS >> Grid DNS Properties. Toggle Advanced Mode and review the "DNSSEC" tab.
3. Ensure "Resource Record Type for Nonexistent Proof" is set to NSEC3.
4. When complete, click "Cancel" to exit the "Properties" screen.
5. Review the zone data, or use Global Search with the search string "." and the filter Type equals "NSEC Record", to verify that no undesired NSEC records exist.
If NSEC records exist in an active zone, or NSEC3 is not configured, this is a finding.
1. Navigate to Data Management >> DNS >> Grid DNS Properties.
2. Toggle Advanced Mode and edit the "DNSSEC" tab.
3. Ensure "Resource Record Type for Nonexistent Proof" is set to NSEC3.
4. Re-sign all DNSSEC zones that previously used NSEC.
Verify that NS resource records in all active zones point to an operational name server. An NS record that points at a decommissioned host or an expired domain is a dangling delegation that a third party may be able to register and answer for.
1. Navigate to Data Management >> DNS >> Zones.
2. Select the zone to review.
3. Select the "Name Servers" tab.
4. If the option "Use this Name Server Group" is active, note the group name used. Click "Cancel" and select the "Name Server Groups" tab to review the name server group.
5. Examine each NS record and name server configuration.
6. Verify that the IP address for each NS record points to an operational name server.
7. Click "Cancel" to exit the "Properties" screen.
If a name server resource record points to an IP address that is not an operational name server, this is a finding.
1. Navigate to Data Management >> DNS >> Zones.
2. Select and edit the zones containing incorrect NS record configurations.
3. Select the "Name Servers" tab.
4. If the option "Use this Name Server Group" is active, note the group name used. Click "Cancel" and select the "Name Server Groups" tab to edit the name server group.
5. Remove or update any incorrect NS records or name server configuration.
6. If the option "Use this set of name servers" is active, remove or update any incorrect NS records or name server configuration.
7. When complete, click "Save & Close" to save the changes and exit the "Properties" screen.
8. Perform a service restart if necessary.
Review the DNS configuration to determine all of the name server (NS) records for each zone. Based on the NS records for each zone and the network architecture, determine the location of each of the name servers.
1. Navigate to Data Management >> DNS >> Zones.
2. Select the zone to review.
3. Select the "Name Servers" tab.
If all authoritative name servers are not located on different network segments, this is a finding.
1. Navigate to Data Management >> DNS >> Zones.
2. Review the zone settings by selecting each zone and reviewing the "Name Servers" tab. Reassign name servers as necessary so that the authoritative name servers for each zone are located on different network segments.
Review DNS zone data to validate the SOA on all authoritative DNS servers. Remote name servers that do not return the same serial number as the primary name server may have network issues or a misconfiguration blocking updates. Use either the "nslookup" or "dig" utility to review the serial number returned by each name server.
Example: Using the "dig" utility, enter the command line as follows: "dig @NAMESERVER-IP ZONE SOA".
$ dig @192.168.0.1 blue.org SOA
;; ANSWER SECTION:
blue.org. 28800 IN SOA ns.blue.org. postmaster.blue.org. 20200922 10800 3600 2419200 900
The SOA RR specifies the serial number as the third RDATA field; in this example, it is 20200922.
If any serial numbers for the same zone do not match, this is a finding.
Serial numbers are updated automatically when changes are made to a zone through the Infoblox Grid, and external DNS servers are informed of the change through the NOTIFY process. If a serial number mismatch is discovered, troubleshoot both the server configurations and the network. Protocol configuration issues are logged in the SYSLOG of the Infoblox Grid member.
1. Navigate to Administration >> Logs >> Syslog.
2. Infoblox Grid members can be selected using the drop-down menu.
3. Stand-alone systems will not display a drop-down menu; the log data is displayed automatically.
4. Review the SYSLOG data and resolve the issue that is preventing updates.
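The serial check above is easy to script across every name server of a zone. The following is an added example, not part of the STIG and not Infoblox code: it parses the answer section of the "dig @NAMESERVER-IP ZONE SOA" output shown above, compares each server's serial with the primary's using RFC 1982 serial-number arithmetic (so a serial that has wrapped is not misread as "ahead"), and reports servers that lag, are ahead, or return no SOA at all. The server addresses, zone name and dig outputs in SAMPLE_OUTPUTS are constructed for illustration; query_serial() shells out to a real dig binary and is only used if you wire it up yourself.

```python
"""SOA serial consistency check for a zone's authoritative name servers.

Added example (not from the STIG or from Infoblox). parse_soa_serial() pulls
the serial out of dig's answer section, serial_lt() compares two serials with
RFC 1982 arithmetic, and audit_zone() reports every server whose serial
differs from the primary's. SAMPLE_OUTPUTS is constructed dig output.
"""
import re
import subprocess
from typing import Dict, List, Optional

# An answer-section SOA line: owner [ttl] IN SOA mname rname serial ...
# The leading [^;\s] skips dig's ';'-prefixed comment and question lines.
SOA_RE = re.compile(
    r"^(?P<zone>[^;\s]\S*)[ \t]+(?:\d+[ \t]+)?IN[ \t]+SOA[ \t]+"
    r"(?P<mname>\S+)[ \t]+(?P<rname>\S+)[ \t]+(?P<serial>\d+)",
    re.MULTILINE,
)


def parse_soa_serial(dig_output: str) -> Optional[int]:
    """Return the serial (third RDATA field) of the first SOA answer, or None."""
    m = SOA_RE.search(dig_output)
    return int(m.group("serial")) if m else None


def serial_lt(a: int, b: int) -> bool:
    """RFC 1982: True when 32-bit serial a precedes serial b (handles wrap-around)."""
    half = 1 << 31
    return (a < b and b - a < half) or (a > b and a - b > half)


def compare_serials(serials: Dict[str, Optional[int]], primary: str) -> List[str]:
    """Compare every server's serial with the primary's; return findings as text."""
    ref = serials.get(primary)
    if ref is None:
        return [f"{primary}: primary returned no SOA answer"]
    findings = []
    for server, serial in serials.items():
        if server == primary or serial == ref:
            continue
        if serial is None:
            findings.append(f"{server}: no SOA answer (refused, unreachable, or not authoritative)")
        elif serial_lt(serial, ref):
            findings.append(f"{server}: serial {serial} is behind primary {ref}")
        else:
            findings.append(f"{server}: serial {serial} is ahead of primary {ref} (unexpected)")
    return findings


def audit_zone(outputs: Dict[str, str], primary: str) -> List[str]:
    """Parse raw dig output per server (address -> text) and compare with the primary."""
    return compare_serials({s: parse_soa_serial(o) for s, o in outputs.items()}, primary)


def query_serial(server: str, zone: str, timeout: int = 5) -> Optional[int]:
    """Run dig against one server (needs dig on PATH; not used by the offline sample)."""
    proc = subprocess.run(
        ["dig", f"@{server}", zone, "SOA", f"+time={timeout}", "+tries=1"],
        capture_output=True, text=True, check=False,
    )
    return parse_soa_serial(proc.stdout)


def _dig_text(serial: int) -> str:
    """Constructed dig output in the shape of the STIG's own example."""
    return (
        "; <<>> DiG 9.16.1 <<>> blue.org SOA\n"
        ";; QUESTION SECTION:\n;blue.org.\t\t\tIN\tSOA\n\n"
        ";; ANSWER SECTION:\n"
        "blue.org.\t\t28800\tIN\tSOA\tns.blue.org. postmaster.blue.org. "
        f"{serial} 10800 3600 2419200 900\n"
    )


# Constructed sample: primary and one secondary agree, one secondary is stale,
# and one server refuses the query (no answer section at all).
SAMPLE_OUTPUTS = {
    "192.168.0.1": _dig_text(20200922),
    "192.168.0.2": _dig_text(20200922),
    "192.168.0.3": _dig_text(20200915),
    "192.168.0.4": ";; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4242\n",
}

if __name__ == "__main__":
    for line in audit_zone(SAMPLE_OUTPUTS, primary="192.168.0.1"):
        print(line)
```

Run against the sample, the script reports 192.168.0.3 as behind the primary and 192.168.0.4 as returning no SOA; a server that answers with a serial ahead of the primary is reported separately, because that usually means the wrong server is being treated as primary rather than a replication delay.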
Note: For Infoblox DNS systems on a classified network, this requirement is Not Applicable.
1. Navigate to Data Management >> DNS >> Grid DNS Properties.
2. Toggle Advanced Mode and click on the "DNSSEC" tab.
3. Validate that DNSSEC is enabled using the check box.
4. When complete, click "Cancel" to exit the "Properties" screen.
If "Enable DNSSEC" is not configured, this is a finding.
DNSSEC must be enabled prior to zone signing.
1. Enable it by navigating to Data Management >> DNS >> Grid DNS Properties.
2. Toggle Advanced Mode and click on the "DNSSEC" tab.
3. Enable the "Enable DNSSEC" option.
4. When complete, click "Save & Close" to save the changes and exit the "Properties" screen.
5. Perform a service restart if necessary.
Note: For Infoblox DNS systems on a classified network, this requirement is Not Applicable. For Infoblox Grids that run in FIPS mode, this requirement is Not Applicable.
1. Review FIPS requirements to ensure the proper algorithms are used.
2. Navigate to Data Management >> DNS >> Grid DNS Properties.
3. Toggle Advanced Mode and click on the "DNSSEC" tab.
4. Validate that all Key Signing Keys (KSKs) and Zone Signing Keys (ZSKs) use FIPS-approved algorithms.
5. When complete, click "Cancel" to exit the "Properties" screen.
If FIPS-approved algorithms are not used for the KSKs and ZSKs, this is a finding. If DSA is used, this is a finding.
Note: The DNSSEC algorithms RSASHA1 (5) and RSASHA1-NSEC3-SHA1 (7) likewise depend on SHA-1, which NIST SP 800-131A disallows for digital signature generation; RSASHA256 (8), RSASHA512 (10), ECDSAP256SHA256 (13), and ECDSAP384SHA384 (14) use approved hash functions.
1. Navigate to Data Management >> DNS >> Grid DNS Properties.
2. Toggle Advanced Mode and click on the "DNSSEC" tab.
3. Follow the manual key rollover procedures and update all non-compliant KSKs and ZSKs to use FIPS-approved algorithms.
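The algorithm review in the check above can also be done from outside the Grid against the published DNSKEY RRset, which is what a validator actually sees. The following is an added example, not part of the STIG and not Infoblox code: it parses DNSKEY records in standard presentation format (the shape returned by "dig ZONE DNSKEY"), classifies each key as KSK or ZSK from its flags field, and lists every key whose algorithm number is outside an approved set. The approved set in FIPS_APPROVED is an assumption for illustration and should be replaced with the organization's authorized list; the zone names and key material in SAMPLE_DNSKEYS are constructed.

```python
"""Flag DNSKEY records whose algorithm is not FIPS-approved.

Added example (not from the STIG or from Infoblox). FIPS_APPROVED is an
assumption: RSASHA256 (8), RSASHA512 (10), ECDSAP256SHA256 (13) and
ECDSAP384SHA384 (14). DSA (3, 6) and the SHA-1 based RSA algorithms (5, 7)
are reported as non-compliant. SAMPLE_DNSKEYS is constructed data.
"""
import re
from typing import List, NamedTuple, FrozenSet

# IANA DNSSEC algorithm numbers (subset) for readable findings.
ALGORITHM_NAMES = {
    1: "RSAMD5", 3: "DSA", 5: "RSASHA1", 6: "DSA-NSEC3-SHA1",
    7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 10: "RSASHA512",
    12: "ECC-GOST", 13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384",
    15: "ED25519", 16: "ED448",
}
FIPS_APPROVED: FrozenSet[int] = frozenset({8, 10, 13, 14})  # assumption, see docstring


class DnsKey(NamedTuple):
    owner: str
    flags: int
    algorithm: int


# owner [ttl] IN DNSKEY flags protocol algorithm public-key...
# The leading [^;\s] skips dig's ';'-prefixed comment and question lines.
DNSKEY_RE = re.compile(
    r"^(?P<owner>[^;\s]\S*)[ \t]+(?:\d+[ \t]+)?IN[ \t]+DNSKEY[ \t]+"
    r"(?P<flags>\d+)[ \t]+(?P<proto>\d+)[ \t]+(?P<alg>\d+)",
    re.MULTILINE,
)


def parse_dnskeys(text: str) -> List[DnsKey]:
    """Extract (owner, flags, algorithm) from every DNSKEY line in dig-style output."""
    return [
        DnsKey(m.group("owner"), int(m.group("flags")), int(m.group("alg")))
        for m in DNSKEY_RE.finditer(text)
    ]


def key_role(flags: int) -> str:
    """Bit 256 marks a zone key; the SEP bit (1) on top of it marks a KSK (257)."""
    if flags & 256 == 0:
        return "not a zone key"
    return "KSK" if flags & 1 else "ZSK"


def audit_dnskeys(text: str, approved: FrozenSet[int] = FIPS_APPROVED) -> List[str]:
    """Return one finding per key whose algorithm is not in the approved set."""
    findings = []
    for key in parse_dnskeys(text):
        if key.algorithm not in approved:
            name = ALGORITHM_NAMES.get(key.algorithm, "unknown")
            findings.append(
                f"{key.owner} {key_role(key.flags)} uses algorithm "
                f"{key.algorithm} ({name}), not FIPS-approved"
            )
    return findings


# Constructed sample: blue.org is compliant, green.org uses DSA and RSA/SHA-1.
SAMPLE_DNSKEYS = (
    ";; ANSWER SECTION:\n"
    "blue.org.\t3600\tIN\tDNSKEY\t257 3 8 AwEAAc1Kexample==\n"
    "blue.org.\t3600\tIN\tDNSKEY\t256 3 8 AwEAAd9Mexample==\n"
    "green.org.\t3600\tIN\tDNSKEY\t257 3 3 CMwEAexample==\n"
    "green.org.\t3600\tIN\tDNSKEY\t256 3 7 AwEAAZexample==\n"
)

if __name__ == "__main__":
    for line in audit_dnskeys(SAMPLE_DNSKEYS):
        print(line)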
DNS Views allow a single zone to have two different data sets, with the response selected by a client match list.
1. When DNS Views are used, the top-level configuration of the Data Management >> DNS >> Zones tab will display the available views.
2. Select the desired view using the check box and click "Edit".
3. Review the "Match Clients" configuration.
4. Verify the "Match Clients" configuration properly separates the internal and external DNS views.
If DNS Views are used and the client match list is validated, this is not a finding.
1. Navigate to Data Management >> DNS >> Zones and review each zone.
2. Remove any RRs listed in the internal name server configuration (DNS view) that resolve for external hosts.
3. Remove any RRs listed in the external name server configuration (DNS view) that resolve to internal hosts.
4. For hosts intended to be accessed by both internal and external clients, configure unique IP addresses in each of the internal and external name servers, respective to their location.
5. The perimeter firewall, or other routing device, must be configured to perform Network Address Translation to the true IP address of the destination.
Validation of this configuration item requires review of the network architecture and security configuration in addition to the DNS server configuration, to verify that external name servers are not accessible from the internal network when a split DNS configuration is implemented.
1. Navigate to Data Management >> DNS >> Members tab.
2. Review the network configuration and access control of each Infoblox member that has the DNS service running.
3. Select each grid member and click "Edit". Review the "Queries" tab to verify that both the queries and recursion options are enabled and allowed only from the respective client networks.
If a split DNS configuration is not used, this is not a finding.
If there is no access control configured, or access control does not restrict queries and recursion to the respective client network, this is a finding.
1. Navigate to Data Management >> DNS >> Members tab.
2. Select the Grid member identified as running the DNS service and click "Edit".
3. Enable and configure either an Access Control List (ACL) or a Set of Access Control Entries (ACEs).
4. When complete, click "Save & Close" to save the changes and exit the "Properties" screen.
5. Perform a service restart if necessary.
Infoblox Grid members do not use DNS zone transfers to exchange DNS data within a single Grid. Communication between Grid members is via a distributed database over a secure Virtual Private Network (VPN).
1. Navigate to the Data Management >> DNS >> Zones tab.
2. Review each zone by clicking "Edit" and inspecting the "Name Servers" tab.
3. Note all external DNS servers, that is, those NOT identified as Type "Grid" (Primary or Secondary).
4. Click the "Zone Transfers" tab.
5. Verify that a "Named ACL" or "Set of ACEs" restricts zone transfers to only the external non-Grid DNS servers identified as name servers for the zone and any authorized stealth servers.
6. When complete, click "Cancel" to exit the "Properties" screen.
If Access Control Lists (ACLs) are not configured for zone transfers to external non-Grid servers, this is a finding.
1. Navigate to the Data Management >> DNS >> Zones tab.
2. Select the zone and click "Edit". Select the "Zone Transfers" tab and configure access control (ACL or Access Control Entries [ACEs]) on each grid member that communicates with an external secondary.
3. When complete, click "Save & Close" to save the changes and exit the "Properties" screen.
4. Perform a service restart if necessary.
Infoblox NIOS uses a robust permission structure that provides for granular configuration of user access to the administrative interface. Review the Infoblox Overview document for more information on access control and inheritance, and the Administrator Guide for comprehensive information.
1. Navigate to Administration >> Administrators. Review the "Authentication Policy" tab, which displays the authentication methods and their order.
2. Review the "Admins", "Groups", "Roles", and "Permissions" tabs to display the specific accounts, roles, and permissions.
3. Verify the local assignment policy against the configured accounts.
If an access policy limiting propagation of access rights is not configured, or the Infoblox system is not configured in accordance with local access policy, this is a finding.
1. Review the Infoblox Administrator Guide for comprehensive instructions if necessary.
2. Navigate to Administration >> Administrators tab.
3. Edit the "Admins", "Groups", "Roles", "Permissions", and "Authentication Policy" tabs and set the desired permissions.
Review the Infoblox Grid configuration and network architecture to verify that the appropriate zones are served by the correct internal or external member(s).
1. Navigate to Data Management >> DNS >> Zones tab. Review the usage of DNS Views as necessary.
2. If DNS Views are used, review each DNS View Client Match list using the "Edit" function.
3. Select the "Members" tab.
4. Review each zone and member assignment to ensure it is configured correctly with respect to its network assignment.
5. When complete, click "Cancel" to exit the "Properties" screen.
If an external server contains internal data, or vice versa, this is a finding.
1. Navigate to Data Management >> DNS >> Zones and Members.
2. Modify the zone name server assignment as necessary to ensure role separation.
3. When complete, click "Save & Close" to save the changes and exit the "Properties" screen.
4. Perform a service restart if necessary.
Review the Root Name Servers configured and validate that the entries are correct. The "G" and "H" root servers are required on the NIPRNet as a minimum.
Note: Validate against the DNS root list that is current at the time of the check.
1. Validate the current root name server list using external tools at the time of the check (for example, the root hints file published by IANA at https://www.internic.net/domain/named.root, or the output of "dig . NS").
2. Navigate to Data Management >> DNS >> Grid DNS Properties.
3. Toggle Advanced Mode and review the "Root Name Servers" tab to ensure it is configured correctly.
If valid root name servers are not configured, this is a finding.
1. Navigate to Data Management >> DNS >> Grid DNS Properties.
2. Toggle Advanced Mode and select the "Root Name Servers" tab.
3. Use the radio button to select "Use custom root name servers" and configure the desired root name servers.
4. When complete, click "Save & Close" to save the changes and exit the "Properties" screen.
5. Perform a service restart if necessary.
Infoblox systems use a modified version of the BIND DNS software, which adds features and addresses security issues beyond those provided by ISC. Infoblox systems are provided as a hardened appliance and do not allow user access to, or upgrading of, individual software components, including BIND. Because BIND is bundled with NIOS, the applicability of a BIND vulnerability cannot be judged from the BIND version alone; the Infoblox support portal and release notes are the authoritative sources to validate the version and the applicability of vulnerabilities.
1. Verify the NIOS version by reviewing the Grid >> Upgrade tab to confirm that all members are at the current version.
2. Use the Infoblox support portal to obtain current version information.
If the Infoblox NIOS version is not currently under support maintenance or is not at the current approved version level, this is a finding.
Refer to the Infoblox NIOS Administrator Guide if necessary.
1. Log on to the Infoblox support portal and download the current version of NIOS.
2. Perform a Grid upgrade.
Verify that the Infoblox Grid Master is not configured to service DNS requests from clients.
1. Navigate to Data Management >> DNS >> Zones.
2. Review each zone by selecting the zone, clicking "Edit", and selecting the "Name Servers" tab.
If the Grid Master is a listed name server and is not marked "Stealth", this is a finding.
For each zone that is not in compliance:
1. Navigate to Data Management >> DNS >> Zones.
2. Select the zone, click "Edit", and on the "Name Servers" tab modify the Grid Master entry by selecting "Stealth".
3. When complete, click "Save & Close" to save the changes and exit the "Properties" screen.
4. Perform a service restart if necessary.
By default, all services other than those required for management are disabled on Infoblox appliances. Review the Infoblox Grid for extra services turned on.
Note: Configuration of out-of-band (OOB) management can be enabled to separate DNS from management traffic if desired.
1. Navigate to Grid >> Grid Manager >> Services tab.
2. Click on each service that is running and review the Service Status of each member.
Note: Depending on purchased options, Infoblox DNS members may be running DNS and, optionally, services supporting DNS and security operations such as DNS Traffic Control, Threat Protection, Threat Analytics, and TAXII services. Use of these additional Infoblox services is not a finding.
If an external authoritative server is running any unnecessary services, such as file distribution services, this is a finding.
1. Navigate to Grid >> Grid Manager >> Services tab.
2. Click on each service that is running and review the Service Status of each member.
3. Click on the member and select "Stop" to disable the unnecessary service.
Verify the default Infoblox configuration to use random source ports is not overridden at either the global or member level. Randomized source ports add entropy that an attacker must guess to forge a response to an outstanding query (cache poisoning); a static source port removes that protection.
Global-level check:
1. Navigate to Data Management >> DNS and edit the Grid DNS Properties, or the System DNS Properties on a stand-alone system.
2. Toggle Advanced Mode and select the General >> Advanced tab.
3. Under "Source Port Settings", verify that both "Set static source UDP port for queries (not recommended)" and "Set static source UDP port for notify messages" remain at their default of not enabled.
4. When complete, click "Cancel" to exit the "Properties" screen.
Member-level check:
1. Navigate to Data Management >> DNS >> Members tab.
2. Review each server with the DNS service enabled.
3. Select each server, click "Edit", toggle Advanced Mode, and select the General >> Advanced tab.
4. Under "Source Port Settings", verify that both "Set static source UDP port for queries (not recommended)" and "Set static source UDP port for notify messages" remain at their default of not enabled.
5. When complete, click "Cancel" to exit the "Properties" screen.
If either of these options is configured at either level, this is a finding.
1. Navigate to Data Management >> DNS >> Grid DNS Properties, or System DNS Properties on a stand-alone system.
2. Toggle Advanced Mode and select the General >> Advanced tab. Disable "Set static source UDP port for queries (not recommended)" and "Set static source UDP port for notify messages".
3. Navigate to Data Management >> DNS >> Members tab.
4. Review each Infoblox member with the DNS service enabled.
5. Select each server, click "Edit", toggle Advanced Mode, and select the General >> Advanced tab.
6. Locate the section labeled "Source Port Settings". If it has been overridden at the member level, click "Inherit" so the member returns to the Grid default values, which disable static source ports.
7. When complete, click "Save & Close" to save the changes and exit the "Properties" screen.
8. Perform a service restart if necessary.
Note: For Infoblox DNS systems on a classified network, this requirement is Not Applicable.
By default, KSK and ZSK private keys are stored on the Grid Master within the Infoblox database. No clients should be permitted to use the Grid Master DNS service.
1. Navigate to Data Management >> DNS >> Zones.
2. Review each zone by selecting the zone, clicking "Edit", and selecting the "Name Servers" tab.
If the Grid Master is a listed name server and is not marked "Stealth", this is a finding.
If a Hardware Security Module (HSM) is configured, the KSK and ZSK private keys are encrypted and stored on the HSM, and this is not a finding.
For each zone that is not in compliance:
1. Navigate to Data Management >> DNS >> Zones.
2. Select and edit the zone.
3. Select the "Name Servers" tab and modify the Grid Master entry by selecting "Stealth".
4. When complete, click "Save & Close" to save the changes and exit the "Properties" screen.
5. Perform a service restart if necessary.
Infoblox DNS records the creation date of every resource record, including CNAME records, and the timestamp is attached to the CNAME object. Infoblox can also record the date the record was last used or queried. CNAME records can be removed by the administrator when they reach their six-month maturity date.
1. Navigate to Administration >> Logs >> Audit Log. Click "Show Filter" if the filter is not already displayed.
2. Create a new search using "Object Type equals CNAME Record".
3. Click the plus symbol to add a second search parameter.
4. Create an additional search parameter, "Timestamp before YYYY-MM-DD", using the calendar selection box to choose the date six months prior to the current date.
5. Click "Apply" to display the CNAME records created more than six months ago.
If there are zone-spanning CNAME records older than six months, and the CNAME records resolve to anything other than fully qualified domain names for glue records supporting zone delegations, CNAME records supporting a system migration, or CNAME records that point to third-party Content Delivery Networks (CDN) or cloud computing platforms with an AO-approved and documented mission need, this is a finding.
1. Navigate to Data Management >> DNS >> Zones.
2. Edit the zone containing the CNAME records discovered during review of the Audit Log.
3. Remove any zone-spanning CNAME records that have been active for more than six months.
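The Audit Log filter above returns every CNAME older than six months; deciding which of those are zone-spanning, and which fall under a documented exception, is still manual. The following is an added example, not part of the STIG and not Infoblox code, that applies those two tests to an exported list. It assumes each record carries its owner name, the zone that holds it, its target, and its creation date; a record is treated as zone-spanning when the target is not at or below the holding zone, as stale when it was created more than SIX_MONTHS before the reference date (182 days is an assumption for "six months"), and owners with an AO-approved exception are passed in as a set. The records, dates and exception list in the sample are constructed.

```python
"""Find zone-spanning CNAME records that have outlived the six-month limit.

Added example (not from the STIG or from Infoblox). A CNAME is zone-spanning
when its target lies outside the zone that holds it; it is stale when created
more than SIX_MONTHS (assumed 182 days) before the reference date. Owners in
the exception set (documented migrations, CDN targets) are skipped.
SAMPLE_RECORDS is constructed data.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import FrozenSet, Iterable, List

SIX_MONTHS = timedelta(days=182)  # assumption: "six months" as a fixed day count


@dataclass(frozen=True)
class CnameRecord:
    owner: str    # the CNAME's own name
    zone: str     # the zone that holds the record
    target: str   # the canonical name the CNAME points to
    created: date


def in_zone(name: str, zone: str) -> bool:
    """True if name equals zone or is below it (case- and trailing-dot-insensitive)."""
    n = name.rstrip(".").lower()
    z = zone.rstrip(".").lower()
    return n == z or n.endswith("." + z)


def is_zone_spanning(rec: CnameRecord) -> bool:
    """A CNAME whose target is outside its holding zone spans zones."""
    return not in_zone(rec.target, rec.zone)


def stale_zone_spanning(
    records: Iterable[CnameRecord],
    today: date,
    exceptions: FrozenSet[str] = frozenset(),
) -> List[CnameRecord]:
    """Return zone-spanning CNAMEs created before today - SIX_MONTHS, minus exceptions."""
    cutoff = today - SIX_MONTHS
    return [
        r for r in records
        if is_zone_spanning(r) and r.created < cutoff and r.owner not in exceptions
    ]


# Constructed sample, reviewed as of TODAY.
TODAY = date(2021, 3, 15)
SAMPLE_RECORDS = [
    # same zone: never zone-spanning, however old
    CnameRecord("www.blue.org", "blue.org", "web.blue.org", date(2020, 1, 10)),
    # zone-spanning and well past six months: finding
    CnameRecord("legacy.blue.org", "blue.org", "app.green.org", date(2020, 6, 1)),
    # zone-spanning and old, but an approved CDN exception
    CnameRecord("cdn.blue.org", "blue.org", "d111.cloudfront.net", date(2020, 2, 1)),
    # zone-spanning but younger than six months
    CnameRecord("new.blue.org", "blue.org", "host.red.org", date(2021, 1, 20)),
]
APPROVED_EXCEPTIONS = frozenset({"cdn.blue.org"})

if __name__ == "__main__":
    for rec in stale_zone_spanning(SAMPLE_RECORDS, TODAY, APPROVED_EXCEPTIONS):
        print(f"{rec.owner} -> {rec.target} (created {rec.created})")
```

Against the sample only legacy.blue.org is reported: www.blue.org stays inside its zone, cdn.blue.org is covered by the exception set, and new.blue.org has not yet reached the cutoff. Running without the exception set reports cdn.blue.org as well, which is the list an assessor would reconcile against the documented mission-need approvals.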
Infoblox systems are secure by design and use a number of access controls to prevent unauthorized usage. Infoblox systems are purpose built and do not provide privileged "root" level access, nor are they distributed as general purpose operating systems. By default, all services including DNS are disabled on Infoblox systems. Services are enabled only as a result of administrator action.
1. Navigate to Grid >> Grid Manager >> Grid Properties, or System >> System Manager >> System Properties if using a stand-alone configuration.
2. Select the "Services" tab.
3. Review the enabled services.
If any unnecessary services are running on Infoblox systems, this is a finding.
Review the network architecture and system configuration to ensure use of a defense-in-depth architecture that uses secure out-of-band management. Review the system configuration to ensure that all administrators are properly authorized for the functions allowed through system rights.
1. Validate that both the SRG and STIG DNS guidance is properly applied.
2. Navigate to Grid >> Grid Manager >> Services tab.
3. Click on each service that is running and review the "Service Status" of each member.
4. Click on the member and select "Stop" to disable the unnecessary service.
Note: For Infoblox DNS systems on a classified network, this requirement is Not Applicable.
1. Navigate to Grid >> Grid Manager >> Members tab.
2. Review the Grid Master network configuration and verify placement on an OOB network.
3. Review the services enabled on the Grid Master and verify that no client services are enabled.
4. The only acceptable service is DNS, and only when the Grid uses DNSSEC-signed zones, because the Grid Master must have DNS enabled to sign DNSSEC zones. If DNSSEC is enabled, verify that the Grid Master is marked as "Stealth" for every zone.
If an Infoblox Grid Member does not use the MGMT port for configuration through an OOB connection, this is a finding.
1. Navigate to Grid >> Grid Manager >> Members tab.
2. Edit each member, configure the MGMT port on the "Network" tab, and enable VPN over MGMT in the "Advanced" portion of the "Network" tab.
3. Grid Masters and Grid Master candidates use the LAN1 port for communication and should not allow any direct client access.
1. Navigate to Administration >> Administrators >> Authentication Policy.
2. If the only authentication type under "Authenticate users in this order" is "Local User Database", perform the following additional validation:
3. Navigate to Grid >> Grid Manager >> Grid Properties, or System >> System Manager >> System Properties if using a stand-alone configuration.
4. Select the "Password" tab.
5. Verify the settings are configured in accordance with current DoD policy.
If the Infoblox system is configured to use a remote authentication system (Active Directory, RADIUS, TACACS+, or LDAP) that enforces password policy, or the password settings meet current guidance, this is not a finding.
1. Navigate to Grid >> Grid Manager >> Grid Properties, or System >> System Manager >> System Properties if using a stand-alone configuration.
2. Select the "Password" tab.
3. Configure the system with appropriate values for password length, complexity, and expiration requirements.
1. Navigate to Grid >> Grid Manager >> Members tab.
2. In the toolbar, click the drop-down menu for "Backup", then "Schedule Backup".
3. Verify the configuration of a remote backup option (TFTP, FTP, or SCP). Verify that backup files exist on the remote system.
If a remote backup system is not configured, or a local backup procedure is not documented, this is a finding.
If no remote or local backup is configured, but the Grid contains a Grid Master candidate, the severity of the finding is reduced.
1. Navigate to Grid >> Grid Manager >> Members tab.
2. In the toolbar, click the drop-down menu for "Backup", then "Schedule Backup". Configure a remote backup to TFTP, FTP, or SCP. Prefer SCP where the remote system supports it: TFTP and FTP transfer the backup, which contains the Grid database, in cleartext and without authenticating the server.
3. When complete, click "Save & Close" to save the changes and exit the "Properties" screen.
4. Perform a service restart if necessary.
5. Verify that backup files exist on the remote system.
Navigation to the HTTPS interface on the Grid Master using a web browser will display the current DoD banner. 1. If an administrator is currently logged in, click on the drop-down menu adjacent to the administrator's name in the upper right side and select "Logout". 2. Open a new session to the Infoblox system and review the banner presented. 3. The banner text of the document MUST read: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." If the correct banner is not displayed, this is a finding.
1. Navigate to Grid >> Grid Manager >> Grid Properties, or System >> System Manager >> System Properties on a stand-alone system. 2. Toggle Advanced mode. Select "Security", "Advanced" tab. 3. Click "Enable Notice and Consent Banner". 4. Use the text box to enter the appropriate banner. 5. When complete, click "Save & Close" to save the changes and exit the "Properties" screen. 6. Administrators should log out and close the web browser. 7. It may be necessary to clear the web browser cache for the banner to display or update on a session opened shortly after reconfiguration.
1. Log on to the Infoblox Grid Master or stand-alone system. 2. The appropriate security classification color and text must be displayed on the top of each configuration screen. 3. The output will also contain the text "Dynamic Page - Highest Possible Classification Is" and a colored bar associated with the classification. 4. Additional text may appear if configured by the administrator. If the security classification color and text are not displayed at the top of each configuration screen, this is a finding.
1. Navigate to Grid >> Grid Manager >> Grid Properties, or System >> System Manager >> System Properties if using a stand-alone configuration. 2. Select the "Security", "Advanced" tab. Click "Enable Security Banner". 3. Use the drop-down menus to select the Security Level and Security Level Color appropriate for each level. 4. Additional text can be entered if required by DoD or local policy. 5. When complete, click "Save & Close" to save the changes and exit the "Properties" screen. 6. Administrators should log out and close the web browser. 7. It may be necessary to clear the web browser cache for the banner to display or update on a session opened shortly after reconfiguration.
Infoblox systems are secure by design and use a number of access controls to prevent unauthorized usage. Infoblox systems are purpose built and do not provide privileged "root" level access, nor are they distributed as general purpose operating systems. By default, all services including DNS are disabled on Infoblox systems. Services are enabled only as a result of administrator action. 1. Navigate to Grid >> Grid Manager >> Grid Properties, or System >> System Manager >> System Properties if using a stand-alone configuration. 2. Select the "Services" tab. 3. Review the enabled services. If any unnecessary services are running on Infoblox systems, this is a finding.
Review network architecture and system configuration to ensure use of a defense-in-depth architecture that uses secure out-of-band management. Review system configuration to ensure all administrators are properly authorized for the functions allowed through system rights. Validate that both SRG and STIG DNS guidance is properly applied. 1. Navigate to Grid >> Grid Manager >> Grid Properties, or System >> System Manager >> System Properties if using a stand-alone configuration. 2. Select the "Services" tab. 3. Click on each service that is running and review the "Service Status" of each member. 4. Click on the member and select "Stop" to disable the unnecessary service.
Configuration of the SSL/TLS cipher suite is performed on the Grid Master, or the stand-alone system using the CLI. 1. Use the following commands to display the status and configuration: show ssl_tls_settings show ssl_tls_protocols show ssl_tls_ciphers 2. Review the output from "show ssl_tls_ciphers" and note those marked as "enabled". 3. Compare this to the list of currently approved ciphers. DISA recommends: Ciphers: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_RSA_WITH_AES_256_CBC_SHA256 Protocols: TLSv1.2 If any unapproved cipher suites are enabled, this is a finding.
1. Close all existing HTTPS management sessions and log on to the Grid Master, or the stand-alone system, using the CLI. 2. Use the following command to display the status: "show ssl_tls_settings". 3. If the output shows "default", the system administrator must first override the default settings to enable editing using the following command: "set ssl_tls_settings override". 4. For each cipher suite to be disabled, identify its numerical designation using: "show ssl_tls_ciphers". 5. Disable it with the following command, replacing NNN with that number: "set ssl_tls_ciphers disable NNN". 6. Repeat this procedure for each unapproved cipher suite. The numerical list is renumbered each time it is modified, so re-run "show ssl_tls_ciphers" and confirm the number before every disable command. 7. In addition to specific cipher suites, SSL/TLS protocol versions can also be enabled or disabled. 8. Review the output from "show ssl_tls_protocols" from the Check procedure. 9. Use the CLI command "set ssl_tls_protocols disable TLSv1.0" to disable TLS v1.0. 10. Use the CLI command "set ssl_tls_protocols disable TLSv1.1" to disable TLS v1.1. 11. Use the "show ssl_tls_settings", "show ssl_tls_ciphers", and "show ssl_tls_protocols" commands to confirm compliance. 12. Using an approved web browser, verify functionality if protocol or cipher settings were modified. Refer to the Infoblox CLI Guide for additional information if necessary.
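The following is an added example, not part of this STIG or of Infoblox's own tooling: a client-side probe of the Grid Master's HTTPS interface that confirms the result of the procedure above from the outside. It builds raw TLS ClientHello messages that offer the DISA-listed suites at TLS 1.0 and TLS 1.1 (expected: refused) and a few suites that are not on the list at TLS 1.2 (also expected: refused), then classifies the server's first record as a ServerHello or an alert. The cipher suite code points are the IANA registry values; the target host name, port 443, and the three sample unapproved suites are assumptions for illustration.

```python
import os
import socket
import struct

# The DISA-recommended suites from the check, keyed by IANA name, with their code points.
APPROVED = {
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256": 0x009E,
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384": 0x009F,
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256": 0x0067,
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256": 0x006B,
    "TLS_RSA_WITH_AES_128_GCM_SHA256": 0x009C,
    "TLS_RSA_WITH_AES_128_CBC_SHA256": 0x003C,
    "TLS_RSA_WITH_AES_256_GCM_SHA384": 0x009D,
    "TLS_RSA_WITH_AES_256_CBC_SHA256": 0x003D,
}
# Assumed sample of suites that are NOT on that list: a spot check, not an exhaustive inventory.
UNAPPROVED_SAMPLES = {
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA": 0x000A,
    "TLS_RSA_WITH_AES_128_CBC_SHA": 0x002F,
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": 0xC02F,
}
TLS10, TLS11, TLS12 = 0x0301, 0x0302, 0x0303
HANDSHAKE, ALERT = 0x16, 0x15


def client_hello(version: int, suites, server_name: str) -> bytes:
    """One TLS record carrying a ClientHello that offers exactly `suites` at `version`."""
    host = server_name.encode("idna")
    sni_list = struct.pack("!HBH", len(host) + 3, 0, len(host)) + host
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    sig_algs = struct.pack("!HHHH", 0x0401, 0x0501, 0x0601, 0x0403)   # rsa sha256/384/512, ecdsa sha256
    sig_ext = struct.pack("!HHH", 0x000D, len(sig_algs) + 2, len(sig_algs)) + sig_algs
    exts = sni_ext + sig_ext
    suite_blob = b"".join(struct.pack("!H", s) for s in suites)
    body = (struct.pack("!H", version) + os.urandom(32) + b"\x00"      # version, random, empty session id
            + struct.pack("!H", len(suite_blob)) + suite_blob
            + b"\x01\x00"                                              # one compression method: null
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, TLS10, len(handshake)) + handshake   # legacy record version


def offered_suites(hello: bytes):
    """Parse a ClientHello built above; returns (version, [suite codes]). Self-check for the encoder."""
    version = struct.unpack("!H", hello[9:11])[0]
    p = 11 + 32
    p += 1 + hello[p]                                  # skip session id
    n = struct.unpack("!H", hello[p:p + 2])[0]
    p += 2
    return version, [struct.unpack("!H", hello[p + i:p + i + 2])[0] for i in range(0, n, 2)]


def classify(response: bytes):
    """Interpret the first record a server sends back."""
    if len(response) < 7:
        return ("no-response", None)
    rtype = response[0]
    if rtype == ALERT:
        return ("alert", response[6])                  # 40 = handshake_failure, 70 = protocol_version
    if rtype == HANDSHAKE and response[5] == 0x02:     # ServerHello
        p = 9
        version = struct.unpack("!H", response[p:p + 2])[0]
        p += 2 + 32                                    # version, random
        p += 1 + response[p]                           # session id
        return ("accepted", (version, struct.unpack("!H", response[p:p + 2])[0]))
    return ("unexpected", rtype)


def probe(host: str, port: int, version: int, suites, timeout: float = 5.0):
    """Send one ClientHello and classify the reply. Network call; not exercised offline."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(client_hello(version, suites, host))
        try:
            return classify(s.recv(4096))
        except socket.timeout:
            return ("no-response", None)


def audit(host: str, port: int = 443):
    """STIG expectation: TLS 1.0 and 1.1 refused, and no suite outside APPROVED negotiable at TLS 1.2."""
    findings = []
    for label, ver in (("TLSv1.0", TLS10), ("TLSv1.1", TLS11)):
        if probe(host, port, ver, list(APPROVED.values()))[0] == "accepted":
            findings.append(f"{label} still negotiates")
    for name, code in UNAPPROVED_SAMPLES.items():
        if probe(host, port, TLS12, [code])[0] == "accepted":
            findings.append(f"unapproved suite {name} accepted")
    return findings


if __name__ == "__main__":
    import sys
    print(audit(sys.argv[1]) or "no findings from the spot check")   # e.g. python probe.py gm.example.test
```

This complements the CLI check rather than replacing it: "show ssl_tls_ciphers" on the Grid Master is the authoritative inventory, while the probe only proves what it offers. It is useful after step 12 to confirm that the protocol and cipher changes took effect on the listening socket, and it gives an independent result when the CLI listing has been renumbered several times.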
Note: For Infoblox DNS systems on a classified network, this requirement is Not Applicable. Validate that DNSSEC validation is enabled: 1. Navigate to Data Management >> DNS >> Grid DNS properties. 2. Toggle Advanced Mode and click on the "DNSSEC" tab. 3. Verify that both "Enable DNSSEC" and "Enable DNSSEC validation" are enabled. 4. When complete, click "Cancel" to exit the "Properties" screen. If either "Enable DNSSEC" or "Enable DNSSEC validation" is not enabled, this is a finding.
1. Navigate to Data Management >> DNS >> Grid DNS properties. 2. Toggle Advanced Mode and click on the "DNSSEC" tab. 3. Enable both "Enable DNSSEC" and "Enable DNSSEC validation". 4. When complete, click "Save & Close" to save the changes and exit the "Properties" screen. 5. Perform a service restart if necessary.
Note: For Infoblox DNS systems on a classified network, this requirement is Not Applicable. Validate that DNSSEC validation is enabled: 1. Navigate to Data Management >> DNS >> Grid DNS properties. 2. Toggle Advanced Mode and click on the "DNSSEC" tab. 3. Verify that both "Enable DNSSEC" and "Enable DNSSEC validation" are enabled. 4. When complete, click "Cancel" to exit the "Properties" screen. If either "Enable DNSSEC" or "Enable DNSSEC validation" is not enabled, this is a finding.
1. Navigate to Data Management >> DNS >> Grid DNS properties. 2. Toggle Advanced Mode and click on the "DNSSEC" tab. 3. Enable both "Enable DNSSEC" and "Enable DNSSEC validation". 4. When complete, click "Save & Close" to save the changes and exit the "Properties" screen. 5. Perform a service restart if necessary.
1. Navigate to Data Management >> DNS >> Zones tab. 2. Review each zone by clicking "Edit" and inspecting the "Name Servers" tab. 3. If all entries in the "Type" column are configured as "Grid", this check is Not Applicable. 4. For each zone containing non-Grid name servers, inspect the "Zone Transfers" tab and verify that a TSIG key is configured as an Access Control Entry (ACE). 5. When complete, click "Cancel" to exit the "Properties" screen. If there is a non-Grid system that uses zone transfers but does not have a TSIG key, this is a finding.
It is important to verify that both the Infoblox and other DNS server have the identical TSIG configuration and time synchronization before starting this procedure. 1. Navigate to Data Management >> DNS >> Zones tab. 2. Select a zone and click "Edit". Click on "Zone Transfers" tab and click "Override" for the "Allow Zone Transfers to" section. 3. Use the radio button to select "Set of ACEs" and the "Add" drop-down to configure a TSIG key. 4. When complete, click "Save & Close" to save the changes and exit the "Properties" screen. 5. Perform a service restart if necessary. 6. Verify zone transfers are operational after configuration of TSIG.
Infoblox systems allow configuration of DNS auditing based on selectable events. Verify that important event categories are enabled to log events. 1. Navigate to Data Management >> DNS and select "Grid DNS Properties". 2. Toggle Advanced Mode and review the "Logging" tab. 3. Validate that at a minimum the following categories are enabled: client config database dnssec lame servers network notify rate-limit resolver security transfer-in transfer-out update update-security 4. When complete, click "Cancel" to exit the "Properties" screen. If the named logging categories are not enabled, this is a finding.
1. Navigate to Data Management >> DNS. Select "Grid DNS Properties". 2. Toggle Advanced Mode and review the "Logging" tab. 3. Enable the following categories using the check boxes: client config database dnssec lame servers network notify rate-limit resolver security transfer-in transfer-out update update-security 4. When complete, click "Save & Close" to save the changes and exit the "Properties" screen. 5. Perform a service restart if necessary.
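The logging categories above only matter if someone reads the resulting lines. The following is an added example, not part of this STIG or of Infoblox's product, of detection logic run over the kind of syslog output those categories produce: it recognizes refused zone transfers (transfer-out), refused dynamic updates (update-security), refused queries (security), DNSSEC validation failures (dnssec), and failed inbound transfers (transfer-in), and raises an alert for any source address that is refused repeatedly. The sample lines are constructed in the BIND "named" message style that NIOS DNS is derived from; the exact text Infoblox forwards to a syslog server may differ, so treat the patterns as a starting point to be tuned against real output.

```python
import re
from collections import Counter

# Each detector is tied to the logging category that must be enabled for the line to exist
# at all; with that category off, the detector is simply blind.
DETECTORS = [
    ("transfer-out", re.compile(r"client (?:@\S+ )?(?P<src>[0-9a-f.:]+)#\d+.*?zone transfer '(?P<zone>[^']+)' denied")),
    ("update-security", re.compile(r"client (?:@\S+ )?(?P<src>[0-9a-f.:]+)#\d+.*?update '(?P<zone>[^']+)' denied")),
    ("security", re.compile(r"client (?:@\S+ )?(?P<src>[0-9a-f.:]+)#\d+.*?query \([^)]*\) '(?P<zone>[^']+)' denied")),
    ("dnssec", re.compile(r"validating (?P<zone>\S+): (?P<detail>no valid signature found|verify failure)")),
    ("transfer-in", re.compile(r"transfer of '(?P<zone>[^']+)' from (?P<src>[0-9a-f.:]+)#\d+: failed")),
]
DENIAL_CATEGORIES = {"transfer-out", "update-security", "security"}


def parse(line: str):
    """Return {category, zone, src, detail} for a security-relevant line, else None."""
    for category, pattern in DETECTORS:
        m = pattern.search(line)
        if m:
            fields = m.groupdict()
            return {"category": category, "zone": fields.get("zone"),
                    "src": fields.get("src"), "detail": fields.get("detail")}
    return None


def detect(lines, threshold: int = 3):
    """Parse every line; alert on any source refused `threshold` or more times."""
    events = [e for e in map(parse, lines) if e]
    denials = Counter(e["src"] for e in events if e["src"] and e["category"] in DENIAL_CATEGORIES)
    alerts = [f"{src}: {n} denied operations" for src, n in denials.items() if n >= threshold]
    return events, alerts


# Constructed sample log, BIND-style: one source probing for AXFR and then dynamic update,
# one legitimate-looking update refusal, a refused query, a validation failure, a failed
# inbound transfer, and an ordinary query that must not match anything.
SAMPLE_LOG = """\
Jan 10 12:00:01 ns1 named[1234]: client @0x7f3c 203.0.113.7#40111: zone transfer 'example.test/AXFR/IN' denied
Jan 10 12:00:02 ns1 named[1234]: client @0x7f3c 203.0.113.7#40112: zone transfer 'example.test/AXFR/IN' denied
Jan 10 12:00:03 ns1 named[1234]: client @0x7f3c 203.0.113.7#40113: update 'example.test/IN' denied
Jan 10 12:00:04 ns1 named[1234]: client @0x7f3d 10.0.0.9#5353: update 'example.test/IN' denied
Jan 10 12:00:05 ns1 named[1234]: client @0x7f3e 198.51.100.4#5555 (www.example.test): query (cache) 'www.example.test/A/IN' denied
Jan 10 12:00:06 ns1 named[1234]: validating example.test/A: no valid signature found
Jan 10 12:00:07 ns1 named[1234]: transfer of 'example.test/IN' from 192.0.2.53#53: failed while receiving responses: REFUSED
Jan 10 12:00:08 ns1 named[1234]: client @0x7f3f 10.0.0.12#60000 (host.example.test): query: host.example.test IN A + (10.0.0.1)
""".splitlines()

if __name__ == "__main__":
    events, alerts = detect(SAMPLE_LOG)
    for e in events:
        print(f"{e['category']:16} zone={e['zone']} src={e['src']} {e['detail'] or ''}")
    print("ALERTS:", alerts)
```

The threshold and the per-source grouping are the interesting part for an analyst: a single refused AXFR is noise, but the same address being refused for transfers and then for updates within seconds is reconnaissance worth a ticket. Feed the function the lines that the external syslog server (configured under the "Monitoring" tab) receives from the Grid, not the local member log, so that detection survives a compromised member.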
Note: For Infoblox DNS systems on a classified network, this requirement is Not Applicable. 1. Validate that DNSSEC validation is enabled by navigating to Data Management >> DNS >> Grid DNS properties. 2. Toggle Advanced Mode and click on the "DNSSEC" tab. 3. Verify that both "Enable DNSSEC" and "Enable DNSSEC validation" are enabled. 4. When complete, click "Cancel" to exit the "Properties" screen. If either "Enable DNSSEC" or "Enable DNSSEC validation" is not enabled, this is a finding.
1. Navigate to Data Management >> DNS >> Grid DNS properties. 2. Toggle Advanced Mode and click on the "DNSSEC" tab. 3. Enable both "Enable DNSSEC" and "Enable DNSSEC validation". 4. When complete, click "Save & Close" to save the changes and exit the "Properties" screen. 5. Perform a service restart if necessary.
Note: For Infoblox DNS systems on a classified network, this requirement is Not Applicable. 1. Validate that DNSSEC validation is enabled by navigating to Data Management >> DNS >> Grid DNS properties. 2. Toggle Advanced Mode and click on the "DNSSEC" tab. 3. Verify that both "Enable DNSSEC" and "Enable DNSSEC validation" are enabled. 4. When complete, click "Cancel" to exit the "Properties" screen. If either "Enable DNSSEC" or "Enable DNSSEC validation" is not enabled, this is a finding.
1. Navigate to Data Management >> DNS >> Grid DNS properties. 2. Toggle Advanced Mode and click on the "DNSSEC" tab. 3. Enable both "Enable DNSSEC" and "Enable DNSSEC validation". 4. When complete, click "Save & Close" to save the changes and exit the "Properties" screen. 5. Perform a service restart if necessary.
Infoblox systems are capable of providing notifications via remote SYSLOG, SNMP, and SMTP. 1. Navigate to Grid >> Grid Manager >> Grid Properties, or System >> System Manager >> System Properties if using a stand-alone configuration. 2. Select the "Monitoring" tab. 3. Verify that "Log to External Syslog Servers" is enabled and an External Syslog Server is configured. 4. When complete, click "Cancel" to exit the "Properties" screen. If no external notifications are enabled, this is a finding.
1. Navigate to Grid >> Grid Manager >> Grid Properties, or System >> System Manager >> System Properties if using a stand-alone configuration. 2. Select the Monitoring tab. 3. Enable "Log to External Syslog Servers" using the check box. 4. Configure an "External Syslog Server". 5. When complete, click "Save & Close" to save the changes and exit the "Properties" screen. 6. Perform a service restart if necessary. 7. Review the SYSLOG data on the remote SYSLOG server to validate operation.
Validation of this configuration item requires review of the network architecture and security configuration in addition to DNS server configuration to validate external name servers are not accessible from the internal network when a split DNS configuration is implemented. 1. Navigate to Data Management >> DNS >> Members tab. 2. Review the network configuration and access control of each Infoblox member that has the DNS service running. 3. Select each grid member and click "Edit". 4. Review the "Queries" tab to verify that both queries and recursion options are enabled and allowed only from the respective client networks. If a split DNS configuration is not used, this is not a finding. If there is no access control configured or access control does not restrict queries and recursion to the respective client network, this is a finding.
1. Refer to the Infoblox NIOS Administrator Guide, Chapters "Deploying a Grid", and "Configuring DNS Zones", section "Assigning Zone Authority to Name Servers", if necessary. 2. Configure a Grid Master Candidate or define a local policy to re-role a secondary name server.
Note: For Infoblox DNS systems on a classified network, this requirement is Not Applicable. By default, all services other than those required for management are disabled. Validate that no additional services have been enabled for DNS members. 1. Navigate to Grid >> Grid Manager >> Grid Properties, or System >> System Manager >> System Properties if using a stand-alone configuration. 2. Select the "Services" tab and review each service and member status at the top of the panel. Depending on purchased options, Infoblox DNS members may be running DNS and optionally running services supporting DNS and security operations such as DNS Traffic Control, Threat Protection, Threat Analytics, and TAXII services. Use of these additional Infoblox services is not a finding. If any unnecessary services such as file distribution services are enabled on the DNS members, this is a finding. Note: Once DNSSEC is enabled, the DNS service will be required to be running on the Grid Master, and it will be placed into stealth mode.
1. Navigate to Grid >> Grid Manager >> Grid Properties, or System >> System Manager >> System Properties if using a stand-alone configuration. 2. Select the "Services" tab. 3. Select each available service at the top of the panel and review the service status. 4. Click on the member and disable unnecessary services.
1. Navigate to Data Management >> DNS >> Zones tab. 2. Review each zone by clicking "Edit" and inspecting the "Name Servers" tab. 3. If all entries in the "Type" column are configured as "Grid", this check is Not Applicable. 4. For each zone containing non-Grid name servers, inspect the "Zone Transfers" tab and verify that a TSIG key is configured as an Access Control Entry (ACE). 5. When complete, click "Cancel" to exit the "Properties" screen. If there is a non-Grid system that uses zone transfers but does not have a TSIG key, this is a finding.
Note that TSIG relies on both key and time synchronization; TSIG will fail if the clocks of the two name servers are not synchronized. 1. Navigate to Data Management >> DNS >> Zones tab. 2. Select a zone and click "Edit". Click on the "Zone Transfers" tab and click "Override" for the "Allow Zone Transfers to" section. 3. Use the radio button to select "Set of ACEs" and the "Add" drop-down to configure a TSIG key. 4. Verify that the Infoblox system and the other DNS server have identical TSIG configuration (key name, algorithm, and key data). 5. When complete, click "Save & Close" to save the changes and exit the "Properties" screen. 6. Perform a service restart if necessary. 7. Verify zone transfers are operational after configuration of TSIG.
1. Navigate to Data Management >> DNS >> Zones tab. 2. Review each zone by clicking "Edit" and inspecting the "Name Servers" tab. 3. Verify that each zone that contains non-Grid name servers is further verified by inspection of the "Zone Transfers" tab and configuration of TSIG Access Control Entry (ACE). 4. When complete, click "Cancel" to exit the "Properties" screen. If all entries in the "Type" column are configured as "Grid", this check is Not Applicable. If there is a non-Grid system that uses zone transfers but does not have a TSIG key, this is a finding.
1. Navigate to Data Management >> DNS >> Zones tab. 2. Select a zone and click "Edit". 3. Click on the "Zone Transfers" tab and click "Override" for the "Allow Zone Transfers to" section. 4. Use the radio button to select "Set of ACEs" and the "Add" drop-down to configure a TSIG key. 5. Verify that both the Infoblox and other DNS server have the identical TSIG configuration. 6. Verify that both the Infoblox and other DNS server have time synchronized properly. Note that TSIG relies on both key and time synchronization. TSIG will fail if the local clocks on both names are not synchronized. 7. When complete, click "Save & Close" to save the changes and exit the "Properties" screen. 8. Perform a service restart if necessary. 9. Verify zone transfers are operational after configuration of TSIG.
1. Navigate to Data Management >> DNS >> Zones tab. 2. Review each zone by clicking "Edit" and inspecting the "Name Servers" tab. 3. If the all entries in the "Type" column are configured as "Grid", this check is Not Applicable. 4. Verify that each zone containing non-Grid name servers is further verified by inspection of the "Zone Transfers" tab and configuration of TSIG Access Control Entry (ACE). 5. When complete, click "Cancel" to exit the "Properties" screen. If there is a non-Grid system that uses zone transfers but does not have a TSIG key, this is a finding.
Note that TSIG relies on both key and time synchronization; TSIG will fail if the clocks of the two name servers are not synchronized. 1. Navigate to the Data Management >> DNS >> Zones tab. 2. Select a zone and click "Edit". Click on the "Zone Transfers" tab and click "Override" for the "Allow Zone Transfers to" section. 3. Use the radio button to select "Set of ACEs" and the "Add" drop-down to configure a TSIG key. 4. Verify that the Infoblox system and the other DNS server have identical TSIG configuration (key name, algorithm, and key data). 5. When complete, click "Save & Close" to save the changes and exit the "Properties" screen. 6. Perform a service restart if necessary. 7. Verify zone transfers are operational after configuration of TSIG.
1. Navigate to Data Management >> DNS >> Zones tab. 2. Review each zone by clicking "Edit" and inspecting the "Name Servers" tab. 3. If all entries in the "Type" column are configured as "Grid", this check is Not Applicable. 4. For each zone containing non-Grid name servers, inspect the "Zone Transfers" tab and verify that a TSIG key is configured as an Access Control Entry (ACE). 5. When complete, click "Cancel" to exit the "Properties" screen. If there is a non-Grid system that uses zone transfers but does not have a TSIG key, this is a finding.
Before starting this procedure, verify that the Infoblox system and the other DNS server have identical TSIG configuration (key name, algorithm, and key data) and synchronized clocks. 1. Navigate to the Data Management >> DNS >> Zones tab. 2. Select a zone and click "Edit". Click on the "Zone Transfers" tab and click "Override" for the "Allow Zone Transfers to" section. 3. Use the radio button to select "Set of ACEs" and the "Add" drop-down to configure a TSIG key. 4. When complete, click "Save & Close" to save the changes and exit the "Properties" screen. 5. Perform a service restart if necessary. 6. Verify zone transfers are operational after configuration of TSIG.
1. Navigate to Data Management >> DNS >> Zones tab. 2. Review each zone by clicking "Edit" and inspecting the "Name Servers" tab. 3. If the all entries in the "Type" column are configured as "Grid", this check is Not Applicable. 4. Verify that all Name Servers of type Ext (Primary or Secondary) have a TSIG key configured. 5. Each zone that contains Ext non-Grid name servers must also be verified by inspection of the "Zone Transfers" tab and configuration of an Access Control Entry (ACE) that limits access to only the TSIG configured Name Servers. 6. When complete, click "Cancel" to exit the "Properties" screen. If there is an external non-Grid system that uses zone transfers but does not have a Name Server with a unique TSIG key, this is a finding.
1. Navigate to Data Management >> DNS >> Zones tab. 2. Select a zone identified in the Check and click "Edit". 3. Click on the "Name Servers" tab and configure a unique TSIG key for each non-Grid Name Server, designated as type Ext. 4. Verify that the same TSIG key (Algorithm and Key Data) is configured on both name servers. 5. Click on the "Zone Transfers" tab. 6. If the Name Server configured above is not present, click "Override" for the "Allow Zone Transfers to" section. Use the radio button to select "Set of ACEs" and the "Add" drop-down to configure the Name Server configured above. 7. When complete, click "Save & Close" to save the changes and exit the "Properties" screen. 8. Repeat for any other zones identified in the Check as non-compliant. 9. Perform a service restart if necessary. 10. Verify zone transfers are operational after configuration of TSIG. Note: HMAC-SHA256 is the preferred algorithm to generate TSIG keys and should be used unless the External name server only supports HMAC-MD5; HMAC-MD5 is not a FIPS-approved algorithm, so any such exception should be documented.
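The TSIG procedures above (the zone-transfer fixes and this Name Server fix alike) all end with "verify zone transfers are operational" and all warn about time synchronization. The following is an added example, not part of this STIG or of Infoblox's product, that shows why by implementing both sides of a TSIG-signed AXFR request with HMAC-SHA256 per RFC 8945: the sender appends a TSIG RR whose MAC covers the request and the TSIG variables, and the receiver rebuilds the unsigned message, checks the key name, the MAC, and only then the timestamp against its own clock. A receiver whose clock is more than the fudge window (300 seconds, the RFC and BIND default) away from the sender's answers BADTIME even though the key is correct, which is the failure the notes are warning about. The key name "xfer-key.example.", the zone "example.test.", the secret, and the timestamps are constructed; the example handles uncompressed names and a request whose only additional record is the TSIG RR.

```python
import hashlib
import hmac
import struct

ALG_HMAC_SHA256 = "hmac-sha256."
TSIG_TYPE, CLASS_ANY, CLASS_IN, AXFR = 250, 255, 1, 252
DEFAULT_FUDGE = 300  # seconds of clock skew tolerated, the RFC 8945 / BIND default


def wire_name(name: str) -> bytes:
    """Wire-format a domain name, lower-cased (RFC 8945 canonical form for MAC input)."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def read_name(buf: bytes, pos: int):
    """Read an uncompressed wire name; returns (name with trailing dot, next offset)."""
    labels = []
    while buf[pos]:
        n = buf[pos]
        labels.append(buf[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels) + ".", pos + 1


def axfr_query(zone: str, msg_id: int) -> bytes:
    """Unsigned AXFR request: 12-byte header (QDCOUNT=1) plus one question."""
    return struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 0) + wire_name(zone) + struct.pack("!HH", AXFR, CLASS_IN)


def tsig_variables(key_name, time_signed, fudge, error, other=b""):
    """The TSIG fields that are covered by the MAC (RFC 8945 section 4.3.3)."""
    return (wire_name(key_name) + struct.pack("!HI", CLASS_ANY, 0) + wire_name(ALG_HMAC_SHA256)
            + time_signed.to_bytes(6, "big") + struct.pack("!HHH", fudge, error, len(other)) + other)


def sign(message: bytes, key_name: str, secret: bytes, now: int, fudge: int = DEFAULT_FUDGE) -> bytes:
    """Sender side: append a TSIG RR whose MAC covers the message and the TSIG variables."""
    mac = hmac.new(secret, message + tsig_variables(key_name, now, fudge, 0), hashlib.sha256).digest()
    msg_id, arcount = struct.unpack("!H", message[:2])[0], struct.unpack("!H", message[10:12])[0]
    rdata = (wire_name(ALG_HMAC_SHA256) + now.to_bytes(6, "big") + struct.pack("!HH", fudge, len(mac)) + mac
             + struct.pack("!HHH", msg_id, 0, 0))
    tsig_rr = wire_name(key_name) + struct.pack("!HHIH", TSIG_TYPE, CLASS_ANY, 0, len(rdata)) + rdata
    return message[:10] + struct.pack("!H", arcount + 1) + message[12:] + tsig_rr


def verify(signed: bytes, keys: dict, now: int) -> str:
    """Receiver side. keys maps lower-cased key name (with trailing dot) to secret.
    Returns NOERROR, or the TSIG error the server would answer with: BADKEY, BADSIG, BADTIME."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", signed[:12])
    if an or ns or ar != 1:
        raise ValueError("example handles a request whose only additional record is the TSIG RR")
    pos = 12
    for _ in range(qd):
        _, pos = read_name(signed, pos)
        pos += 4                                   # QTYPE + QCLASS
    unsigned_end = pos
    key_name, pos = read_name(signed, pos)
    rtype, _, _, _ = struct.unpack("!HHIH", signed[pos:pos + 10])
    pos += 10
    alg, pos = read_name(signed, pos)
    time_signed = int.from_bytes(signed[pos:pos + 6], "big")
    pos += 6
    fudge, mac_len = struct.unpack("!HH", signed[pos:pos + 4])
    pos += 4
    mac = signed[pos:pos + mac_len]
    pos += mac_len
    _, error, other_len = struct.unpack("!HHH", signed[pos:pos + 6])
    pos += 6
    other = signed[pos:pos + other_len]
    if rtype != TSIG_TYPE or alg != ALG_HMAC_SHA256 or key_name not in keys:
        return "BADKEY"
    # Rebuild the message exactly as the sender MACed it: ARCOUNT decremented, TSIG RR removed.
    unsigned = signed[:10] + struct.pack("!H", ar - 1) + signed[12:unsigned_end]
    expected = hmac.new(keys[key_name], unsigned + tsig_variables(key_name, time_signed, fudge, error, other),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return "BADSIG"
    if abs(now - time_signed) > fudge:          # checked only after the MAC is known good
        return "BADTIME"
    return "NOERROR"


if __name__ == "__main__":
    secret = b"constructed-demo-secret"            # real keys are random and base64-encoded
    keys = {"xfer-key.example.": secret}
    request = sign(axfr_query("example.test.", 0x1234), "xfer-key.example.", secret, now=1_700_000_000)
    for skew in (0, 120, 900):
        print(f"receiver clock +{skew}s: {verify(request, keys, 1_700_000_000 + skew)}")
```

Two details matter operationally. The key name is part of the signed data, so "identical TSIG configuration" means the name and algorithm as well as the key bytes; a key that is correct but stored under a different name on the other server yields BADKEY, not BADSIG. And the time check comes last, so a BADTIME response already proves the shared key is right and that only the clocks need attention, which is how to read that error when a transfer fails after following the fix.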
Note: For Infoblox DNS systems on a classified network, this requirement is Not Applicable. By default, ZSK private keys are stored encrypted within the Infoblox database on the Grid Master. The Grid Master will by default enable the DNS service when DNSSEC is enabled for internal processing. No clients should be permitted to use the Grid Master DNS service. Refer to the Infoblox STIG Overview document for additional information on HSM usage. 1. Navigate to Data Management >> DNS >> Zones. 2. Review each zone by selecting the zone, clicking "Edit", and selecting the "Name Servers" tab. 3. When complete, click "Cancel" to exit the "Properties" screen. If the Grid Master is a listed name server and not marked "Stealth", this is a finding.
1. Navigate to Data Management >> DNS >> Zones. 2. Select the zone, click "Edit", and select the "Name Servers" tab. 3. Mark the Grid Master as "Stealth". 4. If no other name servers are listed, one must be added before the configuration can be valid. 5. When complete, click "Save & Close" to save the changes and exit the "Properties" screen. 6. Perform a service restart if necessary.
Note: For Infoblox DNS systems on a classified network, this requirement is Not Applicable. By default, Zone Signing Key (ZSK) private keys are stored encrypted within the Infoblox database on the Grid Master. The Grid Master will by default enable the DNS service when DNSSEC is enabled for internal processing. No clients should be permitted to use the Grid Master DNS service. Refer to the Infoblox STIG Overview document for additional information on HSM usage. 1. Navigate to Data Management >> DNS >> Zones. 2. Review each zone by selecting the zone, clicking "Edit", and selecting the "Name Servers" tab. 3. When complete, click "Cancel" to exit the "Properties" screen. If the Grid Master is a listed name server and not marked "Stealth", this is a finding.
1. Navigate to Data Management >> DNS >> Zones. 2. Select the zone, click "Edit", and select the "Name Servers" tab. 3. Mark the Grid Master as "Stealth". 4. If no other name servers are listed, one must be added before the configuration can be valid. 5. When complete, click "Save & Close" to save the changes and exit the "Properties" screen. 6. Perform a service restart if necessary.
Review the configuration of external authentication methods to verify that multifactor authentication is enabled. 1. Navigate to Administration >> Administrators >> Authentication Policy. 2. Ensure multifactor authentication is enabled by validating that multiple authentication methods are enabled and that the local database is the last entry in the list. 3. When complete, click "Cancel" to exit the "Properties" screen. If the aggregate authentication policy does not provide two or more factors, this is a finding.
Note: Refer to the Infoblox Administrator Guide for details on each type of authentication server. 1. Navigate to Administration >> Authentication Server Groups. 2. Configure at least one remote authentication group (OCSP, TACACS+, RADIUS, LDAP, or Active Directory). 3. Navigate to Administration >> Administrators >> Authentication Policy. 4. Configure the remote authentication source as primary by placing it at the top of the list. 5. If necessary, move the Local User Database entry to the bottom of the list so it is used last. 6. When complete, click "Save & Close" to save the changes and exit the "Properties" screen. 7. Perform a service restart if necessary.
Note: For Infoblox DNS systems on a classified network, this requirement is Not Applicable. Note: For Infoblox Grids that run in FIPS mode, this requirement is Not Applicable. Refer to the Administrator Guide for more information on FIPS Mode. 1. Navigate to Data Management >> DNS >> Grid DNS properties. 2. Toggle Advanced Mode and click on the "DNSSEC" tab. 3. Validate that all Key Signing Keys (KSKs) and Zone Signing Keys (ZSKs) use FIPS-approved algorithms. 4. When complete, click "Cancel" to exit the "Properties" screen. If non-FIPS-approved algorithms are in use, this is a finding.
Note: Ensure DNSSEC is configured to meet all other STIG requirements prior to signing a zone to avoid signing with an unapproved configuration. 1. Navigate to Data Management >> DNS >> Grid DNS properties. 2. Toggle Advanced Mode and click on the "DNSSEC" tab. 3. Configure FIPS-compliant algorithms. 4. Follow manual key rollover procedures and update all non-compliant KSKs and ZSKs to use FIPS-approved algorithms.
Note: For Infoblox DNS systems on a classified network, this requirement is Not Applicable. 1. Navigate to Data Management >> DNS >> Grid DNS properties. 2. Toggle Advanced Mode, click on "DNSSEC" tab, and verify that "Enable DNSSEC" is enabled. 3. Navigate to Data Management >> DNS >> Zones. Verify that the "Signed" column is displayed. 4. Validate that all external authoritative zones are signed by displaying "Yes". 5. When complete, click "Cancel" to exit the "Properties" screen. If DNSSEC is not enabled and external authoritative zones are not signed, this is a finding.
Note: Ensure DNSSEC is configured to meet all other STIG requirements prior to signing a zone to avoid signing with an unapproved configuration. 1. Navigate to Data Management >> DNS >> Zones tab. 2. Place a check mark in the box next to the desired external authoritative zone. Using the "DNSSEC" drop-down menu in the toolbar, select "Sign zones". 3. Acknowledge the informational banner and the service restart banner if prompted.
Note: For Infoblox DNS systems on a classified network, this requirement is Not Applicable. 1. Verify that DNSSEC validation is enabled by navigating to Data Management >> DNS >> Grid DNS properties. 2. Toggle Advanced Mode and click on the "DNSSEC" tab. 3. Verify that both "Enable DNSSEC" and "Enable DNSSEC validation" are enabled. 4. When complete, click "Cancel" to exit the "Properties" screen. If either "Enable DNSSEC" or "Enable DNSSEC validation" is not enabled, this is a finding.
1. Navigate to Data Management >> DNS >> Grid DNS properties. 2. Toggle Advanced Mode and click on the "DNSSEC" tab. 3. Enable both "Enable DNSSEC" and "Enable DNSSEC validation". 4. When complete, click "Save & Close" to save the changes and exit the "Properties" screen. 5. Perform a service restart if necessary.
Note: For Infoblox DNS systems on a classified network, this requirement is Not Applicable. Infoblox systems within a Grid configuration automatically publish DS records to the parent zone when the child zone is signed. If all name servers for parent and child zones are within an Infoblox Grid, this is not a finding. 1. Review the parent zones hosted on the Infoblox Grid whose signed child zones are not hosted on the same Grid (Grid-internal parent and child pairs are handled automatically). 2. Verify that each such parent zone includes the DS records for the child zone. If DS records are not published in the parent zone for DNSSEC signed zones, this is a finding.
1. Navigate to Data Management >> DNS >> Zones tab. 2. Select the parent zone and use the DNSSEC drop-down menu to select "Import Keyset". 3. Add the child zone DS resource records (RRs) and select "Import". 4. Click "Save" and "Close".
Note: For Infoblox DNS systems on a classified network, this requirement is Not Applicable. 1. Navigate to Data Management >> DNS >> Grid DNS properties. 2. Toggle Advanced Mode, click on "DNSSEC" tab, and review the "Signature Validity" setting. 3. Validate that the Signature Validity is configured for a range of no less than two days and no more than one week. 4. When complete, click "Cancel" to exit the "Properties" screen. If the Signature Validity period is less than two days or greater than one week, this is a finding.
1. Navigate to Data Management >> DNS >> Grid DNS properties. 2. Toggle Advanced Mode, click on "DNSSEC" tab, and edit the "Signature Validity" setting to a period between two days and one week. 3. When complete, click "Save & Close" to save the changes and exit the "Properties" screen. 4. Any zones that used an incorrect value should perform a ZSK rollover to update the inception and expiration dates with the new value. 5. Navigate to Data Management >> DNS and select the "Zones" tab. 6. Using the zone selection check boxes and the DNSSEC drop-down menu, select "Rollover Zone-Signing Key". 7. When prompted, select "Roll Over". 8. Perform a service restart if necessary.
Review the configuration of Infoblox DNS systems and verify that communication flow is validated.
1. Review the Infoblox DNS configuration to verify that only approved communications are allowed.
2. Access Control Lists for clients, the DNS zone transfer configuration for systems external to the Infoblox Grid, and Grid member configuration can each be used to control communications as required.
Infoblox systems within the same Grid use internal database updates and do not perform zone transfers. If all systems are within the same Infoblox Grid, this is not a finding.
If the Infoblox system is configured to perform zone transfers to non-Grid systems, access control must be used. Otherwise, this is a finding.

Zone transfers can be restricted at the Grid, Member, and Zone level. Configuration is inherited and can be overridden where necessary to construct the appropriate access control. Refer to the Infoblox Administrator Guide if necessary.
1. Grid-level configuration: Navigate to Data Management >> DNS >> Zones tab.
2. Click "Grid DNS Properties" and toggle Advanced Mode.
3. Member-level configuration: Navigate to Data Management >> DNS >> Members tab.
4. Click "Edit" to review each member with the DNS service status of "Running".
5. Zone-level configuration: Navigate to Data Management >> DNS >> Zones tab.
6. Select the "Zone Transfers" tab.
7. Click "Override" to set permissions for "Allow zone transfers to".
8. Configure IPv4 and IPv6 networks, addresses, and TSIG keys to restrict zone transfers.
Note: For Infoblox DNS systems on a classified network, this requirement is Not Applicable.
Authoritative Check (applies to external-facing authoritative zones):
1. Navigate to Data Management >> DNS >> Zones.
Note: To add the "Signed" column, select an existing column >> down arrow >> Columns >> Edit Columns. Set the "Signed" check box to "Visible" and select "Apply". DNSSEC signing status will then be displayed in the "Zones" tab.
2. Verify that external authoritative zones are DNSSEC signed.
Recursive Check:
1. Navigate to Data Management >> DNS. Edit "Grid DNS Properties", toggle Advanced Mode, and select the "DNSSEC" tab.
2. Validate that both "Enable DNSSEC" and "Enable DNSSEC Validation" options are enabled.
3. When complete, click "Cancel" to exit the "Properties" screen.
If DNSSEC is not used for authoritative DNS, or is not enabled for recursive clients, this is a finding.

Note: Ensure DNSSEC is configured to meet all other STIG requirements prior to signing a zone to avoid signing with an unapproved configuration.
Authoritative Fix:
1. Navigate to Data Management >> DNS >> Zones.
2. Select the appropriate zone using the check box. From the "DNSSEC" drop-down menu, select "Sign Zones".
3. Follow the prompts to acknowledge zone signing.
4. Perform a service restart if necessary.
Recursive Fix:
1. Navigate to Data Management >> DNS >> Zones.
2. Edit "Grid DNS Properties", toggle Advanced Mode, and select the "DNSSEC" tab.
3. Enable both the "Enable DNSSEC" and "Enable DNSSEC Validation" options.
4. When complete, click "Save & Close" to save the changes and exit the "Properties" screen.
5. Perform a service restart if necessary.
Note: For Infoblox DNS systems on a classified network, this requirement is Not Applicable.
1. Validate that DNSSEC validation is enabled by navigating to Data Management >> DNS >> Grid DNS properties.
2. Toggle Advanced Mode and click on the "DNSSEC" tab.
3. Verify that both "Enable DNSSEC" and "Enable DNSSEC validation" are enabled.
4. When complete, click "Cancel" to exit the "Properties" screen.
If both "Enable DNSSEC" and "Enable DNSSEC validation" are not enabled, this is a finding.

1. Navigate to Data Management >> DNS >> Grid DNS properties.
2. Toggle Advanced Mode and click on the "DNSSEC" tab.
3. Enable both "Enable DNSSEC" and "Enable DNSSEC validation".
4. When complete, click "Save & Close" to save the changes and exit the "Properties" screen.
5. Perform a service restart if necessary.
1. Navigate to Data Management >> DNS >> Zones tab.
2. Review each zone by clicking "Edit" and inspecting the "Name Servers" tab.
3. If all name server entries in the "Type" column are configured as "Grid", this check is Not Applicable.
4. For each zone containing non-Grid name servers, further verify by inspecting the "Zone Transfers" tab that a TSIG Access Control Entry (ACE) is configured.
5. When complete, click "Cancel" to exit the "Properties" screen.
If there is a non-Grid system that uses zone transfers but does not have a TSIG key, this is a finding.

1. Navigate to Data Management >> DNS >> Zones tab. Select a zone and click "Edit".
2. Click on the "Zone Transfers" tab and click "Override" for the "Allow Zone Transfers to" section.
3. Use the radio button to select "Set of ACEs" and the "Add" drop-down to configure a TSIG key.
4. It is important to verify that both the Infoblox and the other DNS server have identical TSIG configuration and time synchronization.
5. When complete, click "Save & Close" to save the changes and exit the "Properties" screen.
6. Perform a service restart if necessary.
7. Verify zone transfers are operational after configuration of TSIG.

Infoblox Systems can be configured in two ways to limit DDNS client updates.
For clients that support GSS-TSIG:
1. Navigate to Data Management >> DNS >> Members tab.
2. Review each server with the DNS service enabled.
3. Select each server, click "Edit", toggle Advanced Mode, and select GSS-TSIG.
4. Verify that "Enable GSS-TSIG authentication of clients" is enabled.
5. When complete, click "Cancel" to exit the "Properties" screen.
For clients that do not support GSS-TSIG:
1. Navigate to Data Management >> DNS >> Members tab.
2. Review each server with the DNS service enabled.
3. Select each server and click "Edit".
4. Select the "Updates" tab.
5. Verify that either a Named ACL or a set of Access Control Entries (ACEs) is used to limit client DDNS updates.
6. When complete, click "Cancel" to exit the "Properties" screen.
If "Enable GSS-TSIG authentication of clients" is not set for clients that support GSS-TSIG, or no Named ACL or set of ACEs is configured for clients that do not support GSS-TSIG, this is a finding.

Infoblox Systems can be configured in two ways to limit DDNS client updates. Refer to the Administrator Guide for detailed instructions.
For clients that support GSS-TSIG:
1. Navigate to Data Management >> DNS >> Members tab.
2. Review each server with the DNS service enabled.
3. Select each server, click "Edit", toggle Advanced Mode, and select GSS-TSIG.
4. Configure the option "Enable GSS-TSIG authentication of clients".
5. Upload the required keys.
6. When complete, click "Save & Close" to save the changes and exit the "Properties" screen.
7. Perform a service restart if necessary.
For clients that do not support GSS-TSIG:
1. Navigate to Data Management >> DNS >> Members tab.
2. Review each server with the DNS service enabled.
3. Select each server and click "Edit".
4. Select the "Updates" tab.
5. Select an existing Named ACL or configure a new set of ACEs to limit client DDNS.
6. When complete, click "Save & Close" to save the changes and exit the "Properties" screen.
7. Perform a service restart if necessary.
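Both the zone transfer restrictions above and the DDNS "Allow updates from" controls are sets of access control entries, and the reason the zone transfer check insists on a TSIG entry for non-Grid secondaries is that an address-only entry can be satisfied by any packet carrying an in-range source address. The following added example (not Infoblox code, and not a description of NIOS internals) models an ordered ACE set the way BIND-style address match lists work, which this example assumes: entries are tested in order, the first match decides, and no match means deny. It places the address-only zone transfer set beside the TSIG-only set, and shows an explicit deny ahead of a broader allow in a DDNS set. Addresses are documentation ranges and the key name is a placeholder.

```python
"""Evaluate ordered access control entries (ACEs) for zone transfers and DDNS updates.

Added example, not Infoblox's own code. It assumes BIND-style address-match-list
semantics: entries are tested in order, the first match decides, and a request
that matches nothing is denied.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Ace:
    """One entry: kind is 'net' (address or CIDR) or 'tsig' (key name)."""
    kind: str
    value: str
    allow: bool = True


@dataclass(frozen=True)
class Request:
    """An AXFR/IXFR or DDNS request as seen by the server."""
    source: str                     # client IP address
    tsig_key: Optional[str] = None  # name of the key that signed it, if any


def ace_matches(ace: Ace, req: Request) -> bool:
    """True if the request matches this entry."""
    if ace.kind == "tsig":
        return req.tsig_key == ace.value
    if ace.kind == "net":
        return ipaddress.ip_address(req.source) in ipaddress.ip_network(ace.value, strict=False)
    raise ValueError(f"unknown ACE kind {ace.kind!r}")


def evaluate(aces: List[Ace], req: Request) -> bool:
    """First matching entry decides; no match means deny."""
    for ace in aces:
        if ace_matches(ace, req):
            return ace.allow
    return False


# Constructed sample configurations (documentation addresses, placeholder key name).

# Weak: "Allow zone transfers to" is a plain network. Any unsigned request whose
# source falls in the range is served, so the control rests on IP addresses alone.
WEAK_XFER_ACES = [Ace("net", "192.0.2.0/24")]

# Hardened, as the zone transfer check requires for non-Grid secondaries: only
# requests signed with the shared TSIG key are served, regardless of source address.
HARDENED_XFER_ACES = [Ace("tsig", "xfer-key")]

# DDNS "Allow updates from" set: an explicit deny placed before a broader allow.
DDNS_ACES = [
    Ace("net", "2001:db8:1::bad", allow=False),  # a single host that must not update
    Ace("net", "2001:db8:1::/64"),               # the rest of that client subnet
    Ace("net", "10.0.0.0/8"),                    # internal IPv4 clients
]


def unsigned_from_permitted_range_allowed(aces: List[Ace]) -> bool:
    """Does this ACE set serve an unsigned transfer from an in-range address?"""
    return evaluate(aces, Request("192.0.2.10"))


if __name__ == "__main__":
    print("weak allows unsigned:", unsigned_from_permitted_range_allowed(WEAK_XFER_ACES))
    print("hardened allows unsigned:", unsigned_from_permitted_range_allowed(HARDENED_XFER_ACES))
    print("hardened allows signed:", evaluate(HARDENED_XFER_ACES, Request("192.0.2.10", "xfer-key")))
```

Step 4 of the zone transfer fix (identical TSIG configuration and time synchronization on both servers) follows from the model: a TSIG-only set rejects every unsigned request, so a secondary with a mismatched key or skewed clock is locked out rather than silently falling back to an address match, which is why step 7 asks for a transfer test afterwards.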
Note: For Infoblox DNS systems on a classified network, this requirement is Not Applicable.
1. Navigate to Data Management >> DNS >> Grid DNS properties.
2. Toggle Advanced Mode and click on the "DNSSEC" tab.
3. Verify that both "Enable DNSSEC" and "Enable DNSSEC validation" are enabled.
4. When complete, click "Cancel" to exit the "Properties" screen.
If both "Enable DNSSEC" and "Enable DNSSEC validation" are not enabled, this is a finding.

1. Navigate to Data Management >> DNS >> Grid DNS properties.
2. Toggle Advanced Mode and click on the "DNSSEC" tab.
3. Enable both "Enable DNSSEC" and "Enable DNSSEC validation".
4. When complete, click "Save & Close" to save the changes and exit the "Properties" screen.
5. Perform a service restart if necessary.
By default, all system events are logged to the local SYSLOG and stored on the Infoblox appliance. To ensure log data is preserved in the event of system failure, an external log server must be configured. Verify that external logging is operational and that messages from the Audit log are also forwarded to the remote log system.
1. Navigate to Grid >> Grid Manager >> Grid Properties, or System >> System Manager >> System Properties if using a stand-alone configuration.
2. Select the "Monitoring" tab.
3. Validate that "Log to External Syslog Servers" is enabled and that an External Syslog Server is configured.
4. Validate that "Copy Audit Log Message to Syslog" is enabled.
5. When complete, click "Cancel" to exit the "Properties" screen.
If both "Log to External Syslog Servers" and "Copy Audit Log Message to Syslog" are not enabled, this is a finding.

1. Navigate to Grid >> Grid Manager >> Grid Properties, or System >> System Manager >> System Properties if using a stand-alone configuration.
2. Select the "Monitoring" tab.
3. Enable "Log to External Syslog Servers" and configure at least one External Syslog Server.
4. Enable the option "Copy Audit Log Message to Syslog".
5. Click "Save & Close" to save the changes and exit the "Properties" screen.
6. Perform a service restart if necessary.

Infoblox systems have a number of options that can be configured to reduce their exposure to DoS attacks. Primary consideration for this check should be given to client restrictions such as disabling open recursive servers, using Access Control Lists (ACLs) to limit client communication, and placement in a secure network architecture that prevents address spoofing.
1. Navigate to Data Management >> DNS >> Grid DNS Properties.
2. For external authoritative name servers:
   a. Select the "Queries" tab.
   b. Verify the "Allow Recursion" check box is not enabled.
3. For internal name servers:
   a. On the "Updates" tab, verify that an ACL or Access Control Entry (ACE) for "Allow updates from" is enabled.
   b. On the "Queries" tab, verify that either an ACL or ACE for "Allow queries from" is enabled.
4. When complete, click "Cancel" to exit the "Properties" screen.
If there is an open recursive DNS service on external name servers, or unrestricted access to internal name servers, this is a finding.

1. Navigate to Data Management >> DNS >> Grid DNS Properties.
2. Select the "Queries" tab.
3. For external authoritative name servers, disable "Allow Recursion" by clearing the check box.
4. For internal name servers, on the "Updates" tab, configure either an ACL or ACE for "Allow updates from".
5. On the "Queries" tab, configure either an ACL or ACE for "Allow queries from".
6. When complete, click "Save & Close" to save the changes and exit the "Properties" screen.
7. Perform a service restart if necessary.
Infoblox systems have a number of options that can be configured to reduce their exposure to DoS attacks. Use of rate limiting can reduce risk from cache poisoning attacks and DoS attacks.
1. Log on to the Infoblox system CLI and issue the following commands: "show ip_rate_limit" and "show dns_rrl".
2. Review the output from these commands against the network architecture.
3. If the system uses the Advanced DNS Protection (ADP) (Threat Protection) feature, IP rate limiting is implemented using the DNS security rule-set available in the web GUI. If the ADP feature set is implemented, use of the ip_rate_limit and dns_rrl CLI commands is not required, and this check is Not Applicable.
Refer to the Infoblox Admin Guide for additional details if needed.
If rate limiting is not configured on the Infoblox system or within the network security architecture protecting the Infoblox system, this is a finding.

Prior to implementation, review the Infoblox CLI Guide and verify all configuration options.
1. Log on to the Infoblox system using the CLI.
2. Use "set ip_rate_limit [OPTIONS]" to reduce the risk of cache poisoning attacks by rate limiting udp/53 traffic.
3. Use "set dns_rrl [OPTIONS]" to enable DNS response rate limiting.
4. Upon completion, log out of the CLI.
This helps reduce the risk of DoS attacks by reducing the rate at which authoritative name servers respond to queries, such as a flood.
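The fix above enables response rate limiting but does not explain what the server does once a client exceeds the rate. The following added example (a simplified model, not Infoblox's implementation, and not a description of the dns_rrl options, which are in the CLI Guide) illustrates the widely used RRL design: responses are accounted per client prefix with a token bucket, and every Nth response that would be dropped is instead "slipped", meaning sent truncated so a genuine client retries over TCP while a spoofed UDP flood gains no amplification. The traffic is constructed: a 50-query burst from one documentation address, one ordinary query from another, and one more query from the burst source after the bucket has refilled. The class and function names are this example's own.

```python
"""Toy DNS response rate limiter, to show what "set dns_rrl" style limiting does.

Added example: a simplified model, not Infoblox's implementation and not a
description of its dns_rrl parameters. It follows the widely used RRL design:
responses are accounted per client prefix with a token bucket, and every Nth
response that would be dropped is instead "slipped" (sent truncated, TC=1) so
a genuine client can retry over TCP while a spoofed flood gains no amplification.
"""
import ipaddress
from collections import Counter
from typing import Dict, List, Tuple


class ResponseRateLimiter:
    def __init__(self, responses_per_second: float, window_seconds: float,
                 v4_prefix: int = 24, v6_prefix: int = 56, slip: int = 2):
        self.rps = responses_per_second
        self.max_balance = responses_per_second * window_seconds  # burst allowance
        self.v4_prefix, self.v6_prefix, self.slip = v4_prefix, v6_prefix, slip
        self._state: Dict[str, dict] = {}

    def _bucket_key(self, client_ip: str) -> str:
        """Accounting is per prefix so a flood cannot dodge limits by hopping hosts."""
        addr = ipaddress.ip_address(client_ip)
        plen = self.v4_prefix if addr.version == 4 else self.v6_prefix
        return str(ipaddress.ip_network(f"{client_ip}/{plen}", strict=False))

    def decide(self, client_ip: str, now: float) -> str:
        """Return 'respond', 'slip' (truncated reply) or 'drop' for one response."""
        st = self._state.setdefault(self._bucket_key(client_ip),
                                    {"balance": self.max_balance, "last": now, "dropped": 0})
        # Refill tokens for the time elapsed since the last decision, capped at the burst size.
        st["balance"] = min(self.max_balance, st["balance"] + (now - st["last"]) * self.rps)
        st["last"] = now
        if st["balance"] >= 1:
            st["balance"] -= 1
            return "respond"
        st["dropped"] += 1
        if self.slip and st["dropped"] % self.slip == 0:
            return "slip"
        return "drop"


def simulate(limiter: ResponseRateLimiter, events: List[Tuple[float, str]]) -> Dict[str, Counter]:
    """Run timestamped (time, client_ip) query events and tally decisions per client."""
    tally: Dict[str, Counter] = {}
    for when, ip in events:
        tally.setdefault(ip, Counter())[limiter.decide(ip, when)] += 1
    return tally


def run_demo() -> Dict[str, Counter]:
    """Constructed traffic: a 50-query burst from one (possibly spoofed) address at t=0,
    one ordinary query from another client, then one more query from the burst source
    ten seconds later, after the bucket has refilled."""
    limiter = ResponseRateLimiter(responses_per_second=5, window_seconds=2)
    events = [(0.0, "203.0.113.7")] * 50
    events.append((0.0, "198.51.100.20"))
    events.append((10.0, "203.0.113.7"))
    return simulate(limiter, events)


if __name__ == "__main__":
    for client, counts in run_demo().items():
        print(client, dict(counts))
```

With a limit of 5 responses per second and a 2-second window, the burst source gets 10 full responses, then alternating drops and truncated replies, and is answered normally again once its bucket has refilled; the unrelated client is unaffected because accounting is per source prefix. That is the behaviour to expect when reviewing "show dns_rrl" output against the network architecture: legitimate resolvers behind the limited prefix still get an answer path (TCP), while the reflected volume toward a spoofed victim is cut.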
Note: For Infoblox DNS systems on a classified network, this requirement is Not Applicable.
1. Verify that DNSSEC is enabled by navigating to Data Management >> DNS >> Grid DNS properties tab.
2. Toggle Advanced Mode and review the "DNSSEC" tab to verify that DNSSEC is enabled.
3. When complete, click "Cancel" to exit the "Properties" screen.
If DNSSEC validation is not enabled, this is a finding.

1. Navigate to Data Management >> DNS >> Grid DNS properties tab.
2. Toggle Advanced Mode and select the "DNSSEC" tab.
3. Enable DNSSEC by selecting the check box.
4. When complete, click "Save & Close" to save the changes and exit the "Properties" screen.
5. Perform a service restart if necessary.
Note: For Infoblox DNS systems on a classified network, this requirement is Not Applicable.
1. Navigate to Data Management >> DNS >> Zones.
2. Review all external-facing authoritative zones.
Note: To add the "Signed" column, select an existing column >> down arrow >> Columns >> Edit Columns. Set the "Signed" check box to "Visible" and select "Apply". DNSSEC signing status will then be displayed in the "Zones" tab.
3. Verify that external authoritative zones are DNSSEC signed.
If DNSSEC is not used for authoritative DNS, this is a finding.

Note: Ensure DNSSEC is configured to meet all other STIG requirements prior to signing a zone to avoid signing with an unapproved configuration.
1. Navigate to Data Management >> DNS >> Zones.
2. Select the appropriate zone using the check box. Using the "DNSSEC" drop-down menu, select "Sign Zones".
3. Follow the prompts to acknowledge zone signing.
4. Perform a service restart if necessary.
Infoblox systems are capable of providing notifications via remote SYSLOG, SNMP, and SMTP.
1. Navigate to Grid >> Grid Manager >> Grid Properties, or System >> System Manager >> System Properties if using a stand-alone configuration.
2. Select the "Monitoring" tab.
3. Verify that "Log to External Syslog Servers" is enabled and an External Syslog Server is configured.
4. When complete, click "Cancel" to exit the "Properties" screen.
If no external notifications are enabled, this is a finding.

1. Navigate to Grid >> Grid Manager >> Grid Properties, or System >> System Manager >> System Properties if using a stand-alone configuration.
2. Select the "Monitoring" tab.
3. Enable "Log to External Syslog Servers" using the check box.
4. Configure an "External Syslog Server".
5. When complete, click "Save & Close" to save the changes and exit the "Properties" screen.
6. Perform a service restart if necessary.
7. Review the SYSLOG data on the remote SYSLOG server to validate operation.

Infoblox systems are capable of providing notifications via remote SYSLOG, SNMP, and SMTP.
1. Navigate to Grid >> Grid Manager >> Grid Properties, or System >> System Manager >> System Properties if using a stand-alone configuration.
2. Select the "Monitoring" tab.
3. Verify that "Log to External Syslog Servers" is enabled and an External Syslog Server is configured.
4. Click "Cancel" to exit the "Properties" screen.
5. Navigate to DNS >> DNS Management and select Grid DNS Properties, or System DNS Properties if using a stand-alone configuration.
6. Toggle Advanced Mode and select the "Logging" tab. Validate that the "dnssec" SYSLOG category is enabled.
7. When complete, click "Cancel" to exit the "Properties" screen.
If DNSSEC is not configured to send external notifications to a valid external SYSLOG server, this is a finding.

1. Navigate to Grid >> Grid Manager >> Grid Properties, or System >> System Manager >> System Properties if using a stand-alone configuration.
2. Select the "Monitoring" tab.
3. Enable "Log to External Syslog Servers" using the check box.
4. Configure an "External Syslog Server".
5. Click "Save & Close" to save the changes and exit the "Properties" screen.
6. Navigate to DNS >> DNS Management and select Grid DNS Properties, or System DNS Properties if using a stand-alone configuration.
7. Toggle Advanced Mode and select the "Logging" tab.
8. Enable the "dnssec" SYSLOG category.
9. When complete, click "Save & Close" to save the changes and exit the "Properties" screen.
10. Perform a service restart if necessary.