Infoblox 8.x DNS Security Technical Implementation Guide

  • Version/Release: V1R1
  • Published: 2021-01-11
  • Released: 2021-01-09
  • Expand All:
  • Severity:
  • Sort:
Compare

Select any two versions of this STIG to compare the individual requirements

View

Select any old version/release of this STIG to view the previous requirements

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
b
Infoblox systems that perform zone transfers to non-Grid DNS servers must limit the number of concurrent sessions for zone transfers.
AC-10 - Medium - CCI-000054 - V-233855 - SV-233855r621666_rule
RMF Control
AC-10
Severity
Medium
CCI
CCI-000054
Version
IDNS-8X-100001
Vuln IDs
  • V-233855
Rule IDs
  • SV-233855r621666_rule
Limiting the number of concurrent sessions reduces the risk of denial-of-service (DoS) to the DNS implementation. Infoblox DNS servers configured in a Grid do not use zone transfers. Data is replicated using an encrypted management connection. However, when a zone contains both Infoblox Grid DNS servers and non-Grid DNS servers, a DNS protocol-compliant zone transfer is performed. Name servers do not have direct user connections but accept client connections for queries. Original restriction on client connections should be high enough to prevent a self-imposed denial of service, after which the connections are monitored and fine-tuned to best meet the organization's specific requirements. Primary name servers also make outbound connection to secondary name servers to provide zone transfers and accept inbound connection requests from clients wishing to provide a dynamic update. Primary name servers should explicitly limit zone transfers to be made only to designated secondary name servers. Because zone transfers involve the transfer of entire zones and use TCP connections, they place substantial demands on network resources relative to normal DNS queries. Errant or malicious frequent zone transfer requests on the name servers of the enterprise can overload the master zone server and result in DoS to legitimate users. Primary name servers should be configured to limit the hosts from which they will accept dynamic updates. Additionally, the number of concurrent clients, especially TCP clients, needs to be kept to a level that does not risk placing the system in a DoS state.
Checks: C-37040r611085_chk

Verify inbound and outbound zone transfer limits are configured. These values control the amount of concurrent zone transfers to non-Grid DNS servers. 1. Navigate to Data Management >> DNS >> Members tab. 2. Review each server with the DNS service enabled. 3. Select each server, click "Edit", toggle Advanced Mode, and select General >> Advanced tab. 4. Verify zone transfer limitations are configured. 5. When complete, click "Cancel" to exit the "Properties" screen. If zone transfer limits are not configured for non-Infoblox grid name servers, this is a finding.

Fix: F-37005r611086_fix

1. Navigate to Data Management >> DNS >> Members tab. 2. Click "Edit" to review each member with the DNS service status of "Running". 3. Toggle Advanced Mode and select General >> Advanced tab. 4. Configure both inbound and outbound zone transfer to appropriate values. 5. When complete, click "Save & Close" to save the changes and exit the "Properties" screen. 6. Perform a service restart if necessary.

b
The Infoblox system must limit the number of concurrent client connections to the number of allowed dynamic update clients.
AC-10 - Medium - CCI-000054 - V-233856 - SV-233856r621666_rule
RMF Control
AC-10
Severity
Medium
CCI
CCI-000054
Version
IDNS-8X-100002
Vuln IDs
  • V-233856
Rule IDs
  • SV-233856r621666_rule
Limiting the number of concurrent sessions reduces the risk of denial-of-service (DoS) to the DNS implementation. Name servers do not have direct user connections but accept client connections for queries. Original restriction on client connections should be high enough to prevent a self-imposed denial of service, after which the connections are monitored and fine-tuned to best meet the organization's specific requirements. Primary name servers also make outbound connections to secondary name servers to provide zone transfers and accept inbound connection requests from clients wishing to provide a dynamic update. Primary name servers should explicitly limit zone transfers to be made only to designated secondary name servers. Because zone transfers involve the transfer of entire zones and use TCP connections, they place substantial demands on network resources relative to normal DNS queries. Errant or malicious frequent zone transfer requests on the name servers of the enterprise can overload the master zone server and result in DoS to legitimate users. Primary name servers should be configured to limit the hosts from which they will accept dynamic updates. Additionally, the number of concurrent clients, especially TCP clients, needs to be kept to a level that does not risk placing the system in a DoS state.
Checks: C-37041r611088_chk

Infoblox can be configured in two ways to limit DDNS client updates. 1. For clients that support GSS-TSIG, navigate to Data Management >> DNS >> Members tab. a. Review each server with the DNS service enabled. b. Select each server, click "Edit", toggle Advanced Mode, and select GSS-TSIG. c. Verify that "Enable GSS-TSIG authentication of clients" is enabled. 2. For clients that do not support GSS-TSIG, navigate to Data Management >> DNS >> Members tab. a. Review each server with the DNS service enabled. Select each server and click "Edit". b. Select the "Updates" tab. Verify that either a Named ACL or Set of ACEs are defined to limit client DDNS. 3. When complete, click "Cancel" to exit the "Properties" screen. If "Enable GSS-TSIG authentication of clients" is disabled for clients supporting GSS-TSIG, or a Named ACL or Set of ACEs is not defined to limit DDNS for clients without GSS-TSIG support, this is a finding.

Fix: F-37006r611089_fix

Infoblox can be configured in two ways to limit DDNS client updates. Refer to the Administrator Guide for detailed instructions if necessary. 1. For clients that support GSS-TSIG, navigate to Data Management >> DNS >> Members tab. a. Review each server with the DNS service enabled. Select each server, click "Edit", toggle Advanced Mode, and select GSS-TSIG. b. Configure the option "Enable GSS-TSIG authentication of clients". c. Upload the required keys. 2. For clients that do not support GSS-TSIG, navigate to Data Management >> DNS >> Members tab. a. Review each server with the DNS service enabled. b. Select each server and click "Edit". c. Select the "Updates" tab. Enable an existing Named ACL or configure a new set of ACEs to limit client DDNS. 3. When complete, click "Save & Close" to save the changes and exit the "Properties" screen. 4. Perform a service restart if necessary.

b
The Infoblox DNS server must not reveal sensitive information to an attacker. This includes HINFO, RP, LOC resource, and sensitive TXT record data.
AC-4 - Medium - CCI-002201 - V-233857 - SV-233857r621666_rule
RMF Control
AC-4
Severity
Medium
CCI
CCI-002201
Version
IDNS-8X-200001
Vuln IDs
  • V-233857
Rule IDs
  • SV-233857r621666_rule
There are several types of resource records (RRs) in the DNS that are meant to convey information to humans and applications about the network, hosts, or services. These include the Responsible Person (RP) record, the Host Information (HINFO) record, the Location (LOC) record, and the catch-all text string resource record (TXT) [RFC1035]. Although these record types are meant to provide information to users in good faith, they also allow attackers to gain knowledge about network hosts before attempting to exploit them. For example, an attacker may query for HINFO records, looking for hosts that list an operating system or platform known to have exploits. Therefore, great care should be taken before including these record types in a zone. In fact, they are best left out altogether. More careful consideration should be taken with the TXT resource record type. A DNS administrator will have to decide if the data contained in a TXT RR constitutes an information leak or is a necessary piece of information. For example, several authenticated email technologies use TXT RRs to store email sender policy information, such as valid email senders for a domain. These judgments will have to be made on a case-by-case basis. A DNS administrator should take care when including HINFO, RP, TXT, LOC, or other RR types that could divulge information that would be useful to an attacker or the external view of a zone if using split DNS. RRs such as HINFO and TXT provide information about software name and versions (e.g., for resources such as web servers and mail servers) that will enable the well-equipped attacker to exploit the known vulnerabilities in those software versions and launch attacks against those resources.
Checks: C-37042r611091_chk

Review external DNS zone data and verify there are no HINFO, LOC, RP, or TXT RRs that disclose any information that may be used for malicious purposes. 1. Navigate to Data Management >> DNS >> Zones tab. 2. Click on the appropriate DNS Zone. 3. Review external zone data for HINFO, LOC, RP, and TXT RRs. If any HINFO, LOC, RP, or TXT RRs exist that disclose any information that may be used for malicious purposes, this is a finding.

Fix: F-37007r611092_fix

1. Navigate to Data Management >> DNS >> Zones. 2. Select and edit the zone identified during the Check. 3. Select the RR and click "Delete" to remove the record.

b
The Infoblox system audit records must be backed up at least every seven days onto a different system or system component than the system or component being audited.
AU-9 - Medium - CCI-001348 - V-233858 - SV-233858r621666_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-001348
Version
IDNS-8X-300002
Vuln IDs
  • V-233858
Rule IDs
  • SV-233858r621666_rule
Protection of log data includes ensuring that log data is not accidentally lost or deleted. Backing up audit records to a different system or onto separate media than the system being audited on a defined frequency helps to ensure that, in the event of a catastrophic system failure, the audit records will be retained. This helps to ensure a compromise of the information system being audited does not also result in a compromise of the audit records.
Checks: C-37043r611094_chk

1. Navigate to Grid >> Grid Manager >> Grid Properties, or System >> System Manager >> System Properties if using a stand-alone configuration. 2. Select the "Monitoring" tab. 3. If "Log to External Syslog Servers" is enabled, an External Syslog Server must be configured. 4. Verify that "Copy Audit Log Message to Syslog" is enabled. 5. Verify that log messages are received on the remote system. If no external SYSLOG server is available, verify local procedure to retain audit logs. Logs can be downloaded by navigating to Administration >> Logs >> Audit Log tab and pressing the "Download" button. When complete, click "Cancel" to exit the "Properties" screen. If an external SYSLOG server is not configured or a local policy is not in place to store audit logs, this is a finding.

Fix: F-37008r611095_fix

1. Navigate to Grid >> Grid Manager >> Grid Properties, or System >> System Manager >> System Properties if using a stand-alone configuration. 2. Select the "Monitoring" tab. Enable "Log to External Syslog Servers" and configure an "External Syslog Server". 3. Enable the checkbox "Copy Audit Log Message to Syslog". 4. When complete, click "Save & Close" to save the changes and exit the "Properties" screen. 5. Perform a service restart if necessary. 6. Review Infoblox audit records on the remote SYSLOG server to validate operation.

b
All authoritative name servers for a zone must be geographically disbursed.
CM-6 - Medium - CCI-000366 - V-233859 - SV-233859r621666_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
IDNS-8X-400001
Vuln IDs
  • V-233859
Rule IDs
  • SV-233859r621666_rule
In addition to network-based dispersion, authoritative name servers should be dispersed geographically as well. In other words, in addition to being located on different network segments, the authoritative name servers should not all be located within the same building. One approach that some organizations follow is to locate some authoritative name servers in their own premises and others in their ISPs' data centers or in partnering organizations. A network administrator may choose to use a "hidden" master authoritative server and have only secondary servers visible on the network. A hidden master authoritative server is an authoritative DNS server in which the IP address does not appear in the name server set for a zone. If the master authoritative name server is "hidden", a secondary authoritative name server may reside in the same building as the hidden master.
Checks: C-37044r611097_chk

1. Navigate to Data Management >> DNS >> Zones tab. 2. Review each zone by clicking "Edit" and inspecting the "Name Servers" tab. 3. Review the name server (NS) records for each zone hosted and confirm that each authoritative name server is located at a different physical location than the remaining name servers. 4. Infoblox supports designation as a "stealth" name server, which will not have an NS record. If all name servers for which NS records are published within a zone are not physically at different locations, this is a finding.

Fix: F-37009r611098_fix

Configure the authoritative name servers to be geographically disbursed.

b
Recursion must be disabled on Infoblox DNS servers that are configured as authoritative name servers.
CM-6 - Medium - CCI-000366 - V-233860 - SV-233860r621666_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
IDNS-8X-400002
Vuln IDs
  • V-233860
Rule IDs
  • SV-233860r621666_rule
A potential vulnerability of DNS is that an attacker can poison a name server's cache by sending queries that will cause the server to obtain host-to-IP address mappings from bogus name servers that respond with incorrect information. Once a name server has been poisoned, legitimate clients may be directed to non-existent hosts (which constitutes a denial of service), or, worse, hosts that masquerade as legitimate ones to obtain sensitive data or passwords. To guard against poisoning, name servers authoritative for .mil domains should be separated functionally from name servers that resolve queries on behalf of internal clients. Organizations may achieve this separation by dedicating machines to each function or, if possible, by running two instances of the name server software on the same machine: one for the authoritative function and the other for the resolving function. In this design, each name server process may be bound to a different IP address or network interface to implement the required segregation. The use of DNSSEC ensures that the answer received when querying for name resolution actually comes from a trusted name server. Since DNSSEC is still far from being globally deployed external to DoD, and many resolvers either have not been updated or do not support DNSSEC, maintaining cached zone data separate from authoritative zone data mitigates the gap until all DNS data is validated with DNSSEC. Since DNS forwarding of queries can be accomplished in some DNS applications without caching locally, DNS forwarding is the method to be used when providing external DNS resolution to internal clients.
Checks: C-37045r611100_chk

1. Navigate to Data Management >> DNS >> Members tab. 2. Select each grid member configured in an authoritative role and click "Edit". 3. Review the "Queries" tab. 4. Verify that "Allow Recursion" is not enabled. 5. When complete, click "Cancel" to exit the "Properties" screen. If recursion is not disabled on an authoritative name server, this is a finding.

Fix: F-37010r611101_fix

1. Navigate to Data Management >> DNS >> Members tab. 2. Select the "Queries" tab and disable recursion by clearing the "Enable Recursion" check box. 3. When complete, click "Save & Close" to save the changes and exit the "Properties" screen. 4. Perform a service restart if necessary.

b
The validity period for the Resource Record Signatures (RRSIGs) covering a zone's DNSKEY RRSet must be no less than two days and no more than one week.
CM-6 - Medium - CCI-000366 - V-233861 - SV-233861r621666_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
IDNS-8X-400003
Vuln IDs
  • V-233861
Rule IDs
  • SV-233861r621666_rule
The best way for a zone administrator to minimize the impact of a key compromise is by limiting the validity period of RRSIGs in the zone and in the parent zone. This strategy limits the time during which an attacker can take advantage of a compromised key to forge responses. An attacker that has compromised a Zone Signing Key (ZSK) can use that key only during the Key Signing Key's (KSK's) signature validity interval. An attacker that has compromised a KSK can use that key for only as long as the signature interval of the RRSIG covering the Delegation Signer (DS) RR in the delegating parent. These validity periods should be short, which will require frequent re-signing. To minimize the impact of a compromised ZSK, a zone administrator should set a signature validity period of one week for RRSIGs covering the DNSKEY RRSet in the zone (the RRSet that contains the ZSK and KSK for the zone). The DNSKEY RRSet can be re-signed without performing a ZSK rollover, but scheduled ZSK rollover should still be performed at regular intervals.
Checks: C-37046r611103_chk

Note: For Infoblox DNS systems on a classified network, this requirement is Not Applicable. 1. Navigate to Data Management >> DNS >> Grid DNS properties. 2. Toggle Advanced Mode, click on the "DNSSEC" tab, and review the "Signature Validity" setting. 3. Validate that the Signature Validity is configured for a range of no less than two days and no more than one week. 4. When complete, click "Cancel" to exit the "Properties" screen. If the "Signature Validity" period is less than two days or greater than one week, this is a finding.

Fix: F-37011r611104_fix

1. Navigate to Data Management >> DNS >> Grid DNS properties. 2. Toggle Advanced Mode, click on the "DNSSEC" tab, and edit the "Signature Validity" setting to a period between two days and one week. 3. When complete, click "Save & Close" to save the changes and exit the "Properties" screen. 4. Any zones that used an incorrect value should perform a ZSK rollover to update the inception and expiration dates with the new value. 5. Navigate to Data Management >> DNS and select the "Zones" tab. 6. Using the zone selection check boxes and the DNSSEC drop-down menu, select "Rollover Zone-Signing Key". 7. When prompted, select "Roll Over". 8. Perform a service restart if necessary.

b
NSEC3 must be used for all DNSSEC signed zones.
CM-6 - Medium - CCI-000366 - V-233862 - SV-233862r621666_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
IDNS-8X-400004
Vuln IDs
  • V-233862
Rule IDs
  • SV-233862r621666_rule
To ensure that resource records (RRs) associated with a query are really missing in a zone file and have not been removed in transit, the DNSSEC mechanism provides a means for authenticating the nonexistence of an RR. It generates a special RR called an NSEC (or NSEC3) RR that lists the RRTypes associated with an owner name as well as the next name in the zone file. It sends this special RR, along with its signatures, to the resolving name server. By verifying the signature, a DNSSEC-aware resolving name server can determine which authoritative owner name exists in a zone and which authoritative RRTypes exist at those owner names. The Internet Engineering Task Force's (IETF's) design criteria consider DNS data to be public. Confidentiality is not one of the security goals of DNSSEC. DNSSEC is not designed to directly protect against denial-of-service threats but does so indirectly by providing message integrity and source authentication. An artifact of how DNSSEC performs negative responses allows a client to map all the names in a zone (zone walking). A zone that contains zone data the administrator does not want to be made public should use the NSEC3 RR option for providing authenticated denial of existence. If DNSSEC is enabled for a server, the ability to verify a particular server that may attempt to update the DNS server actually exists. This is done through the use of NSEC3 records to provide an "authenticated denial of existence" for specific systems whose addresses indicate that they lie within a particular zone.
Checks: C-37047r611106_chk

Note: For Infoblox DNS systems on a classified network, this requirement is Not Applicable. 1. Review the zone configuration and confirm that, if DNSSEC is enabled NSEC3 is used. 2. Navigate to Data Management >> DNS >> Grid DNS Properties. Toggle Advanced Mode and review the "DNSSEC" tab. 3. Ensure "Resource Record Type for Nonexistent Proof" is set to NSEC3. 4. When complete, click "Cancel" to exit the "Properties" screen. 5. Review zone data or use Global Search string ".". Type "Equals NSEC Record" to verify no undesired NSEC records exist. If NSEC records exist in an active zone, or NSEC3 is not configured, this is a finding.

Fix: F-37012r611107_fix

1. Navigate to Data Management >> DNS >> Grid DNS Properties. 2. Toggle Advanced Mode and edit the "DNSSEC" tab. 3. Ensure "Resource Record Type for Nonexistent Proof" is set to NSEC3. 4. Re-sign all DNSSEC zones that previously used NSEC.

b
The Infoblox DNS server must be configured so that each name server (NS) record in a zone file points to an active name server authoritative for the domain specified in that record.
CM-6 - Medium - CCI-000366 - V-233863 - SV-233863r621666_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
IDNS-8X-400005
Vuln IDs
  • V-233863
Rule IDs
  • SV-233863r621666_rule
Poorly constructed NS records pose a security risk because they create conditions under which an adversary might be able to provide the missing authoritative name services that are improperly specified in the zone file. The adversary could issue bogus responses to queries that clients would accept because they learned of the adversary's name server from a valid authoritative name server, one that need not be compromised for this attack to be successful. The list of slave servers must remain current within 72 hours of any changes to the zone architecture that would affect the list of slaves. If a slave server has been retired or is not operational but remains on the list, an adversary might have a greater opportunity to impersonate that slave without detection, rather than if the slave were actually online. For example, the adversary may be able to spoof the retired slave's IP address without an IP address conflict, which would not be likely to occur if the true slave were active.
Checks: C-37048r611109_chk

Verify that NS resource records in all active zones point to an operational name server. 1. Navigate to Data Management >> DNS >> Zones 2. Select the zone to review. 3. Select the "Name Servers" tab. 4. If the option "Use this Name Server Group" is active, note the group name used. Click "Cancel" and select the "Name Server Groups" tab to review the name server group. 5. Examine each NS record and name server configuration. 6. Verify that the IP address for each NS record points to an operational name server. 7. Click "Cancel" to exit the "Properties" screen. If a name server resource record points to an IP that is not an operational name server, this is a finding.

Fix: F-37013r611110_fix

1. Navigate to Data Management >> DNS >> Zones. 2. Select and edit the zones containing incorrect NS record configurations. 3. Select the "Name Servers" tab. 4. If the option "Use this Name Server Group" is active, note the group name used. Click "Cancel" and select the "Name Server Groups" tab to edit the name server group. 5. Remove or update any incorrect NS records or name server configuration. 6. If the option "Use this set of name servers" is active, remove or update any incorrect NS records or name server configuration. 7. When complete, click "Save & Close" to save the changes and exit the "Properties" screen. 8. Perform a service restart if necessary.

b
All authoritative name servers for a zone must be located on different network segments.
CM-6 - Medium - CCI-000366 - V-233864 - SV-233864r621666_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
IDNS-8X-400006
Vuln IDs
  • V-233864
Rule IDs
  • SV-233864r621666_rule
Most enterprises have an authoritative primary server and a host of authoritative secondary name servers. It is essential that these authoritative name servers for an enterprise be located on different network segments. This dispersion ensures the availability of an authoritative name server not only in situations in which a particular router or switch fails but also during events involving an attack on an entire network segment. A network administrator may choose to use a "hidden" master authoritative server and only have secondary servers visible on the network. A hidden master authoritative server is an authoritative DNS server in which the IP address does not appear in the name server set for a zone. If the master authoritative name server is "hidden", a secondary authoritative name server may reside on the same network as the hidden master.
Checks: C-37049r611112_chk

Review the DNS configuration to determine all of the name server (NS) records for each zone. Based on the NS records for each zone and network architecture, determine the location of each of the name servers. 1. Navigate to Data Management >> DNS >> Zones. 2. Select the zone to review. 3. Select the "Name Servers" tab. If all authoritative name servers are not located on different network segments, this is a finding.

Fix: F-37014r611113_fix

1. Navigate to Data Management >> DNS >> Zones. 2. Review zone settings by selecting each zone and reviewing the "Name Servers" tab to ensure all name servers are located on different network segments.

b
All authoritative name servers for a zone must have the same version of zone information.
CM-6 - Medium - CCI-000366 - V-233865 - SV-233865r621666_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
IDNS-8X-400007
Vuln IDs
  • V-233865
Rule IDs
  • SV-233865r621666_rule
The only protection approach for content control of DNS zone file is the use of a zone file integrity checker. The effectiveness of integrity checking using a zone file integrity checker depends on the database of constraints built into the checker. The deployment process consists of developing these constraints with the right logic, and the only determinant of the truth value of these logical predicates is the parameter values for certain key fields in the format of various RRTypes. The serial number in the SOA RDATA is used to indicate to secondary name servers that a change to the zone has occurred and a zone transfer should be performed. It should always be increased whenever a change is made to the zone data. DNS NOTIFY must be enabled on the master authoritative name server.
Checks: C-37050r611115_chk

Review DNS zone data to validate the SOA on all authoritative DNS servers. Remote name servers that do not have the same serial number as the primary name server may have network issues or misconfiguration blocking updates. Use either the "nslookup" or "dig" utility to review the serial number returned from each name server. Example: Using the "dig" utility, enter the command line as follows: "dig @NAMESERVER-IP ZONE SOA". $ dig @192.168.0.1 blue.org SOA ;; ANSWER SECTION: blue.org. 28800 IN SOA ns.blue.org. postmaster.blue.org. 20200922 10800 3600 2419200 900 The SOA RR specifies the serial number as the third RDATA field; in this example, it is 20200922. If any serial numbers for the same zone do not match, this is a finding.

Fix: F-37015r611116_fix

Serial numbers are updated automatically when changes are made to a zone through the Infoblox Grid, as well as through the notify process for external DNS servers. If a serial number mismatch is discovered, troubleshooting of both server configurations and network will be required. Protocol configuration issues will be logged in the Infoblox Grid Members SYSLOG. 1. Navigate to Administration >> Logs >> Syslog. 2. Infoblox Grid Members can be selected using the drop-down menu. 3. Stand-alone systems will not display a drop-down menu; the log data will be displayed automatically. 4. Review the SYSLOG data and resolve the issue that is preventing updates.

b
An authoritative name server must be configured to enable DNSSEC resource records.
CM-6 - Medium - CCI-000366 - V-233866 - SV-233866r621666_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
IDNS-8X-400008
Vuln IDs
  • V-233866
Rule IDs
  • SV-233866r621666_rule
The specification for a digital signature mechanism in the context of the DNS infrastructure is in the Internet Engineering Task Force's (IETF's) DNSSEC standard. In DNSSEC, trust in the public key (for signature verification) of the source is established not by going to a third party or a chain of third parties (as in public key infrastructure [PKI] chaining), but by starting from a trusted zone (such as the root zone) and establishing the chain of trust down to the current source of response through successive verifications of signature of the public key of a child by its parent. The public key of the trusted zone is called the trust anchor. After authenticating the source, the next process DNSSEC calls for is to authenticate the response. DNSSEC mechanisms involve two main processes: sign and serve, and verify signature. Before a DNSSEC-signed zone can be deployed, a name server must be configured to enable DNSSEC processing.
Checks: C-37051r611118_chk

Note: For Infoblox DNS systems on a classified network, this requirement is Not Applicable. 1. Navigate to Data Management >> DNS >> Grid DNS properties. 2. Toggle Advanced Mode and click on the "DNSSEC" tab. 3. Validate that DNSSEC is enabled using the check box. 4. When complete, click "Cancel" to exit the "Properties" screen. If "Enable DNSSEC" is not configured, this is a finding.

Fix: F-37016r611119_fix

DNSSEC must be enabled prior to zone signing. 1. Enable by navigating to Data Management >> DNS >> Grid DNS properties. 2. Toggle Advanced Mode and click on the "DNSSEC" tab. 3. Enable the "Enable DNSSEC" option. 4. When complete, click "Save & Close" to save the changes and exit the "Properties" screen. 5. Perform a service restart if necessary.

c
The digital signature algorithm used for DNSSEC-enabled zones must be FIPS compatible.
CM-6 - High - CCI-000366 - V-233867 - SV-233867r621666_rule
RMF Control
CM-6
Severity
High
CCI
CCI-000366
Version
IDNS-8X-400009
Vuln IDs
  • V-233867
Rule IDs
  • SV-233867r621666_rule
The choice of digital signature algorithm will be based on recommended algorithms in well-known standards. NIST's Digital Signature Standard (DSS) (FIPS 186) provides three algorithm choices: - Digital Signature Algorithm (DSA) - RSA - Elliptic Curve DSA (ECDSA). Of these three algorithms, RSA and DSA are more widely available and hence are considered candidates of choice for DNSSEC. In terms of performance, both RSA and DSA have comparable signature generation speeds, but DSA is much slower for signature verification. Hence, RSA is the recommended algorithm as far as this guideline is concerned. RSA with SHA-1 is currently the only cryptographic algorithm mandated to be implemented with DNSSEC, although other algorithm suites (i.e., RSA/SHA-256, ECDSA) are also specified. It can be expected that name servers and clients will be able to use the RSA algorithm at a minimum. It is suggested that at least one Zone Signing Key (ZSK) for a zone use the RSA algorithm. NIST's Secure Hash Standard (SHS) (FIPS 180-3) specifies SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512 as approved hash algorithms to be used as part of the algorithm suite for generating digital signatures using the digital signature algorithms in NIST's DSS (FIPS 186). Support is expected for Elliptic Curve Cryptography in the DNSSEC. The migration path for USG DNSSEC operation will be to ECDSA (or similar) from RSA/SHA-1 and RSA/SHA-256 before 30 September 2015.
Checks: C-37052r611121_chk

Note: For Infoblox DNS systems on a classified network, this requirement is Not Applicable. For Infoblox Grids that run in FIPS mode, this requirement is Not Applicable. 1. Review FIPS requirements to ensure the proper algorithms are used. 2. Navigate to Data Management >> DNS >> Grid DNS properties. 3. Toggle Advanced Mode and click on the "DNSSEC" tab. 4. Validate that all Key Signing Keys (KSKs) and ZSKs use FIPS-approved algorithms. 5. When complete, click "Cancel" to exit the "Properties" screen. If FIPS-approved algorithms are not used for the KSKs and ZSKs, this is a finding. If DSA is used, this is a finding.

Fix: F-37017r611122_fix

1. Navigate to Data Management >> DNS >> Grid DNS properties. 2. Toggle Advanced Mode and click on the "DNSSEC" tab. 3. Follow manual key rollover procedures and update all non-compliant KSKs and ZSKs to use FIPS-approved algorithms.

b
For zones split between the external and internal sides of a network, the resource records (RRs) for the external hosts must be separate from the RRs for the internal hosts.
CM-6 - Medium - CCI-000366 - V-233868 - SV-233868r621666_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
IDNS-8X-400010
Vuln IDs
  • V-233868
Rule IDs
  • SV-233868r621666_rule
Authoritative name servers for an enterprise may be configured to receive requests from both external and internal clients. External clients need to receive RRs that pertain only to public services (public web server, mail server, etc.) Internal clients need to receive RRs pertaining to public services as well as internal hosts. Organizations using dedicated internal systems and separate dedicated external systems are inherently more secure than using a single system accessed by both internal and external clients. DNS Views allow a single name server to provide different response data based on a client match list or Access Control List.
Checks: C-37053r611124_chk

DNS Views allow a single zone to have two different data sets, with the response based on a client match list. 1. When DNS Views are used, the top-level configuration of DNS >> Data Management >> Zones tab will display available views. 2. Select the desired view using the check box and click "Edit". 3. Review the "Match Clients" configuration. 4. Verify the "Match Clients" configuration properly separates the internal and external DNS views. If DNS Views are used and the client match list is validated, this is not a finding.

Fix: F-37018r611125_fix

1. Navigate to Data Management >> DNS >> Zones and review each zone. 2. Remove any RRs listed in the internal name server configuration (DNS view) that resolve for external hosts. 3. Remove any RRs listed in the external name server configuration (DNS view) that resolve to internal hosts. 4. For hosts intended to be accessed by both internal and external clients, configure unique IP addresses in each of the internal and external name servers, respective to their location. 5. The perimeter firewall, or other routing device, must be configured to perform Network Address Translation to the true IP address of the destination.

b
In a split DNS configuration, where separate name servers are used between the external and internal networks, the external name server must be configured to not be reachable from inside resolvers.
CM-6 - Medium - CCI-000366 - V-233869 - SV-233869r621666_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
IDNS-8X-400011
Vuln IDs
  • V-233869
Rule IDs
  • SV-233869r621666_rule
Instead of having the same set of authoritative name servers serve different types of clients, an enterprise could have two different sets of authoritative name servers. One set, called external name servers, can be located within a DMZ; these would be the only name servers that are accessible to external clients and would serve resource records (RRs) pertaining to hosts with public services (web servers that serve external web pages or provide B2C services, mail servers, etc.) The other set, called internal name servers, is to be located within the firewall and should be configured so it is not reachable from outside and hence provides naming services exclusively to internal clients.
Checks: C-37054r611127_chk

Validation of this configuration item requires review of the network architecture and security configuration in addition to DNS server configuration to verify that external name servers are not accessible from the internal network when a split DNS configuration is implemented. 1. Navigate to Data Management >> DNS >> Members tab. 2. Review the network configuration and access control of each Infoblox member that has the DNS service running. 3. Select each grid member and click "Edit". Review the "Queries" tab to verify that both queries and recursion options are enabled and allowed only from the respective client networks. If a split DNS configuration is not used, this is not a finding. If there is no access control configured or access control does not restrict queries and recursion to the respective client network, this is a finding.

Fix: F-37019r611128_fix

1. Navigate to Data Management >> DNS >> Members tab. 2. Select the Grid member identified as running the DNS service and click "Edit". 3. Enable and configure either an Access Control List (ACL) or set of Access Control Entries (ACE). 4. When complete, click "Save & Close" to save the changes and exit the "Properties" screen. 5. Perform a service restart if necessary.

b
In a split DNS configuration, where separate name servers are used between the external and internal networks, the internal name server must be configured to not be reachable from outside resolvers.
CM-6 - Medium - CCI-000366 - V-233870 - SV-233870r621666_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
IDNS-8X-400012
Vuln IDs
  • V-233870
Rule IDs
  • SV-233870r621666_rule
Instead of having the same set of authoritative name servers serve different types of clients, an enterprise could have two different sets of authoritative name servers. One set, called external name servers, can be located within a DMZ; these would be the only name servers accessible to external clients and would serve resource records (RRs) pertaining to hosts with public services (web servers that serve external web pages or provide B2C services, mail servers, etc.) The other set, called internal name servers, is to be located within the firewall and should be configured so it is not reachable from outside and hence provides naming services exclusively to internal clients.
Checks: C-37055r611130_chk

Validation of this configuration item requires review of the network architecture and security configuration in addition to DNS server configuration to verify that external name servers are not accessible from the internal network when a split DNS configuration is implemented. 1. Navigate to Data Management >> DNS >> Members tab. 2. Review the network configuration and access control of each Infoblox member that has the DNS service running. 3. Select each grid member and click "Edit". Review the "Queries" tab to verify that both queries and recursion options are enabled and allowed only from the respective client networks. If a split DNS configuration is not used, this is not a finding. If there is no access control configured or access control does not restrict queries and recursion to the respective client network, this is a finding.

Fix: F-37020r611131_fix

1. Navigate to Data Management >> DNS >> Members tab. 2. Select the Grid member identified as running the DNS service and click "Edit". 3. Enable and configure either an Access Control List (ACL) or Set of Access Control Entries (ACE). 4. When complete, click "Save & Close" to save the changes and exit the "Properties" screen. 5. Perform a service restart if necessary.

b
Primary authoritative name servers must be configured to only receive zone transfer requests from specified secondary name servers.
CM-6 - Medium - CCI-000366 - V-233871 - SV-233871r621666_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
IDNS-8X-400013
Vuln IDs
  • V-233871
Rule IDs
  • SV-233871r621666_rule
Authoritative name servers (especially primary name servers) should be configured with an allow-transfer access control sub-statement designating the list of hosts from which zone transfer requests can be accepted. These restrictions address the denial-of-service threat and potential exploits from unrestricted dissemination of information about internal resources. Based on the need-to-know, the only name servers that need to refresh their zone files periodically are the secondary name servers. Zone transfer from primary name servers should be restricted to secondary name servers. The zone transfer should be completely disabled in the secondary name servers. The address match list argument for the allow-transfer sub-statement should consist of IP addresses of secondary name servers and stealth secondary name servers.
Checks: C-37056r611133_chk

Infoblox Grid members do not use DNS zone transfers to exchange DNS data within a single Grid. Communication between Grid members is via a distributed database over a secure Virtual Private Network (VPN). 1. Navigate to the Data Management >> DNS >> Zones tab. 2. Review each zone by clicking "Edit" and inspecting the "Name Servers" tab. 3. Note all external DNS servers, those NOT identified as Type "Grid" (Primary or Secondary). 4. Click the "Zone Transfers" tab. 5. Verify that only the external non-Grid DNS servers identified as name servers for the zone or authorized stealth servers are the only systems authorized to perform zone transfers as authorized by a "Named ACL" or "Set of ACEs". 6. When complete, click "Cancel" to exit the "Properties" screen. If Access Controls Lists (ACLs) are not configured for zone transfers to external non-Grid servers, this is a finding.

Fix: F-37021r611134_fix

1. Navigate to the Data Management >> DNS >> Zones tab. 2. Select the zone and click "Edit". Select the "Zone Transfers" tab and configure access control (ACL or Access Control Entries [ACE]) on each grid member that communicates with an external secondary. 3. When complete, click "Save & Close" to save the changes and exit the "Properties" screen. 4. Perform a service restart if necessary.

b
The Infoblox system must use a security policy that limits the propagation of access rights.
CM-6 - Medium - CCI-000366 - V-233872 - SV-233872r621666_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
IDNS-8X-400014
Vuln IDs
  • V-233872
Rule IDs
  • SV-233872r621666_rule
Discretionary Access Control (DAC) is based on the premise that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. In a DNS implementation, DAC should be granted to a minimal number of individuals and objects because DNS does not interact directly with users and users do not store and share data with the DNS application directly. The primary objective of DNS authentication and access control is the integrity of DNS records; only authorized personnel must be able to create and modify resource records, and name servers should only accept updates from authoritative master servers for the relevant zones. Integrity is best assured through authentication and access control features within the name server software and the file system the name server resides on. To protect the zone files and configuration data, which should only be accessed by the name service or an administrator, access controls need to be implemented on files, and rights should not be easily propagated to other users. Lack of a stringent access control policy places the DNS infrastructure at risk to malicious persons and attackers, in addition to potential denial of service to network resources. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions. DAC models have the potential for the access controls to propagate without limit, resulting in unauthorized access to objects. When applications provide a DAC mechanism, the DNS implementation must be able to limit the propagation of those access rights.
Checks: C-37057r611136_chk

Infoblox NIOS uses a robust permission structure that provides for granular configuration of user access to the administrative interface. Review the Infoblox Overview document for more information on access control and inheritance, and the Administrator Guide for comprehensive information. 1. Navigate to Administration >> Administrators. Review the "Authentication Policy" tab, which will display the authentication methods and order. 2. Review the "Admins", "Groups", "Roles", and "Permissions" tabs to display the specific accounts, roles, and permissions. 3. Verify the local assignment policy against the configured accounts. If an access policy limiting propagation of access rights is not configured, or the Infoblox system is not configured in accordance with local access policy, this is a finding.

Fix: F-37022r611137_fix

1. Review the Infoblox Administrator Guide for comprehensive instructions if necessary. 2. Navigate to Administration >> Administrators tab. 3. Edit the "Admins", "Groups", "Roles", "Permissions", and "Authentication Policy" tabs and set to the desired permissions.

b
The DNS implementation must implement internal/external role separation.
CM-6 - Medium - CCI-000366 - V-233873 - SV-233873r621666_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
IDNS-8X-400015
Vuln IDs
  • V-233873
Rule IDs
  • SV-233873r621666_rule
DNS servers with an internal role only process name/address resolution requests from within the organization (i.e., internal clients). DNS servers with an external role only process name/address resolution information requests from clients external to the organization (i.e., on the external networks, including the Internet). The set of clients that can access an authoritative DNS server in a particular role is specified by the organization using address ranges, explicit access control lists, etc. To protect internal DNS resource information, it is important to isolate the requests to internal DNS servers. Separating internal and external roles in DNS prevents address space that is private (e.g., 10.0.0.0/24) or is otherwise concealed by some form of Network Address Translation from leaking into the public DNS system.
Checks: C-37058r611139_chk

Review the Infoblox Grid configuration and network architecture to verify that the appropriate zones are served by the correct internal or external member(s). 1. Navigate to Data Management >> DNS >> Zones tab. Review the usage of DNS Views as necessary. 2. If DNS Views are used, review each DNS View Client Match list using the "Edit" function. 3. Select the "Members" tab. 4. Review each zone and member assignment to ensure it is configured correctly with respect to its network assignment. 5. When complete, click "Cancel" to exit the "Properties" screen. If an external server contains internal data, or vice versa, this is a finding.

Fix: F-37023r611140_fix

1. Navigate to Data Management >> DNS >> Zones and Members. 2. Modify the zone name server assignment as necessary to ensure role separation. 3. When complete, click "Save & Close" to save the changes and exit the "Properties" screen. 4. Perform a service restart if necessary.

b
The Infoblox DNS server must use current and valid root name servers.
CM-6 - Medium - CCI-000366 - V-233874 - SV-233874r621666_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
IDNS-8X-400016
Vuln IDs
  • V-233874
Rule IDs
  • SV-233874r621666_rule
All caching name servers must be authoritative for the root zone because, without this starting point, they would have no knowledge of the DNS infrastructure and thus would be unable to respond to any queries. An adversary could change the root hints and direct the caching name server to a bogus root server. At that point, every query response from that name server is suspect, which would give the adversary substantial control over the network communication of the name servers' clients. When authoritative servers are sent queries for zones for which they are not authoritative, and they are configured as a non-caching server (as recommended), they can either be configured to return a referral to the root servers or to refuse to answer the query. The recommendation is to configure authoritative servers to refuse to answer queries for any zones for which they are not authoritative. This is more efficient for the server and allows it to spend more of its resources serving its intended purpose: answering authoritatively for its zone.
Checks: C-37059r611142_chk

Review the Root Name Servers configured and validate that the entries are correct. "G" and "H" root servers are required on the NIPRNet as a minimum. Note: Validate against the current available DNS root list at the time of check. 1. Validate the current root name server list using external tools at the time of the check. 2. Navigate to Data Management >> DNS >> Grid DNS Properties. 3. Toggle Advanced mode and review the "Root Name Servers" tab to ensure it is configured correctly. If valid root name servers are not configured, this is a finding.

Fix: F-37024r611143_fix

1. Navigate to Data Management >> DNS >> Grid DNS Properties. 2. Toggle Advanced mode and select the "Root Name Servers" tab. 3. Use the radio button to select "Use custom root name servers" and configure the desired root name servers. 4. When complete, click "Save & Close" to save the changes and exit the "Properties" screen. 5. Perform a service restart if necessary.

b
The Infoblox NIOS version must be at the appropriate version.
CM-6 - Medium - CCI-000366 - V-233875 - SV-233875r621666_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
IDNS-8X-400017
Vuln IDs
  • V-233875
Rule IDs
  • SV-233875r621666_rule
Each newer version of the name server software, especially the BIND software, generally is devoid of vulnerabilities found in earlier versions because it has design changes incorporated to address those vulnerabilities. These vulnerabilities have been exploited (i.e., some form of attack was launched), and sufficient information has been generated with respect to the nature of those exploits. It makes good business sense to run the latest version of name server software because theoretically, it is the safest version. However, even if the software is the latest version, it is not safe to run it in default mode. The security administrator must always configure the software to run in the recommended secure mode of operation after becoming familiar with the new security settings for the latest version.
Checks: C-37060r611145_chk

Infoblox systems use a modified version of BIND DNS software, which adds features and addresses security issues outside of those provided by ISC. Infoblox systems are provided as a hardened appliance and do not allow user access or upgrading of any software components, including BIND. The Infoblox support portal and release notes are the authoritative sources to validate version and applicability of vulnerabilities. 1. Verify the NIOS version by reviewing the "Grid, Upgrade" tab to show that all members are at the current version. 2. Use the Infoblox support portal to obtain current version information. If the Infoblox NIOS version is not currently under support maintenance or is not at the current approved version level, this is a finding.

Fix: F-37025r611146_fix

Refer to the Infoblox NIOS Administrator Guide if necessary. 1. Log on to the Infoblox support portal and download the current version of NIOS. 2. Perform a Grid upgrade.

b
The IP address for hidden master authoritative name servers must not appear in the name servers set in the zone database.
CM-6 - Medium - CCI-000366 - V-233876 - SV-233876r621666_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
IDNS-8X-400018
Vuln IDs
  • V-233876
Rule IDs
  • SV-233876r621666_rule
A hidden master authoritative server is an authoritative DNS server in which the IP address does not appear in the name server set for a zone. All of the name servers that do appear in the zone database as designated name servers get their zone data from the hidden master via a zone transfer request. In effect, all visible name servers are actually secondary slave servers. This prevents potential attackers from targeting the master name server because its IP address may not appear in the zone database.
Checks: C-37061r611148_chk

Verify that the Infoblox Grid Master is not configured to service DNS requests from clients. 1. Navigate to Data Management >> DNS >> Zones. 2. Review each zone by selecting the zone, clicking "Edit", and selecting the "Name Servers" tab. If the Grid Master is a listed name server and not marked "Stealth", this is a finding.

Fix: F-37026r611149_fix

For each zone that is not in compliance: 1. Navigate to Data Management >> DNS >> Zones. 2. Reconfigure the "Name Servers" tab and modify the Grid Master by selecting "Stealth". 3. When complete, click "Save & Close" to save the changes and exit the "Properties" screen. 4. Perform a service restart if necessary.

b
The Infoblox system must be configured to respond to DNS traffic only.
CM-6 - Medium - CCI-000366 - V-233877 - SV-233877r621666_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
IDNS-8X-400019
Vuln IDs
  • V-233877
Rule IDs
  • SV-233877r621666_rule
OS configuration practices as issued by the US Computer Emergency Response Team (US CERT) and the National Institute of Standards and Technology's (NIST's) National Vulnerability Database (NVD), based on identified vulnerabilities that pertain to the application profile into which the name server software fits, should always be followed. In particular, hosts that run the name server software should not provide any other services and therefore should be configured to respond to DNS traffic only. In other words, the only allowed incoming ports/protocols to these hosts should be 53/udp and 53/tcp. Outgoing DNS messages should be sent from a random port to minimize the risk of an attacker's guessing the outgoing message port and sending forged replies.
Checks: C-37062r611151_chk

By default, all services other than those required for management are disabled on Infoblox appliances. Review the Infoblox Grid for extra services turned on. Note: Configuration of out-of-band (OOB) management can be enabled to separate DNS from management traffic if desired. 1. Navigate to Grid >> Grid Manager >> Services tab. 2. Click on each service that is running and review the Service Status of each member. Note: Depending on purchased options, Infoblox DNS members may be running DNS, and optionally services supporting DNS and security operations such as DNS Traffic Control, Threat Protection, Threat Analytics, and TAXII services. Use of these additional Infoblox services is not a finding. If an external authoritative server is running any unnecessary services such as file distribution services, this is a finding.

Fix: F-37027r611152_fix

1. Navigate to Grid >> Grid Manager >> Services tab. 2. Click on each service that is running and review the Service Status of each member. 3. Click on the member and select "Stop" to disable the unnecessary service.

b
The Infoblox DNS server must send outgoing DNS messages from a random port.
CM-6 - Medium - CCI-000366 - V-233878 - SV-233878r621666_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
IDNS-8X-400020
Vuln IDs
  • V-233878
Rule IDs
  • SV-233878r621666_rule
OS configuration practices as issued by the US Computer Emergency Response Team (US CERT) and the National Institute of Standards and Technology's (NIST's) National Vulnerability Database (NVD), based on identified vulnerabilities that pertain to the application profile into which the name server software fits, should be always followed. In particular, hosts that run the name server software should not provide any other services and therefore should be configured to respond to DNS traffic only. In other words, the only allowed incoming ports/protocols to these hosts should be 53/udp and 53/tcp. Outgoing DNS messages should be sent from a random port to minimize the risk of an attacker guessing the outgoing message port and sending forged replies.
Checks: C-37063r611154_chk

Verify the default Infoblox configuration to use random ports is not overridden at either the global or member level. Global-Level check: 1. Navigate to Data Management >> DNS Edit Grid DNS Properties, or System DNS Properties on a stand-alone system. 2. Toggle Advanced Mode and select the General >> Advanced tab. 3. Verify that the options under "Source Port Settings", "Set static source UDP port for queries (not recommended)", and "Set static source UDP port for notify messages" use the default value of "not enabled". 4. When complete, click "Cancel" to exit the "Properties" screen. Member-Level check: 1. Navigate to Data Management >> DNS >> Members tab. 2. Review each server with the DNS service enabled. 3. Select each server, click "Edit", toggle Advanced Mode, and select General >> Advanced tab. 4. Verify that the options under "Source Port Settings", "Set static source UDP port for queries (not recommended)", and "Set static source UDP port for notify messages" use the default value of "not enabled". 5. When complete, click "Cancel" to exit the "Properties" screen. If configuration of either of these values exists, this is a finding.

Fix: F-37028r611155_fix

1. Navigate to Data Management >> DNS >> Grid DNS Properties, or System DNS properties on a stand-alone system. 2. Toggle Advanced Mode and select General >> Advanced tab. Disable "Set static source UDP port for queries (not recommended)" and "Set static source UDP port for notify messages". 3. Navigate to Data Management >> DNS >> Members tab. 4. Review each Infoblox member with the DNS service enabled. 5. Select each server, click "Edit", toggle Advanced Mode, and select General >> Advanced tab. 6. Locate the section labeled "Source port settings" and click "Override" to use the Grid default values that disable static source ports. 7. When complete, click "Save & Close" to save the changes and exit the "Properties" screen. 8. Perform a service restart if necessary.

c
The private keys corresponding to both the Zone Signing Key (ZSK) and the Key Signing Key (KSK) must not be kept on the DNSSEC-aware primary authoritative name server when the name server does not support dynamic updates.
CM-6 - High - CCI-000366 - V-233879 - SV-233879r621666_rule
RMF Control
CM-6
Severity
High
CCI
CCI-000366
Version
IDNS-8X-400021
Vuln IDs
  • V-233879
Rule IDs
  • SV-233879r621666_rule
The private keys in the KSK and ZSK key pairs must be protected from unauthorized access. If possible, the private keys should be stored offline (with respect to the internet-facing, DNSSEC-aware name server) in a physically secure, non-network-accessible machine along with the zone file master copy. This strategy is not feasible in situations in which the DNSSEC-aware name server has to support dynamic updates. To support dynamic update transactions, the DNSSEC-aware name server (which usually is a primary authoritative name server) must have both the zone file master copy and the private key corresponding to the zone-signing key (ZSK-private) online to immediately update the signatures for the updated RRSets. The private key corresponding to the key-signing key (KSK-private) can still be kept offline.
Checks: C-37064r611157_chk

Note: For Infoblox DNS systems on a classified network, this requirement is Not Applicable. By default, KSK and ZSK private keys are stored on the Grid Master within the Infoblox database. No clients should be permitted to use the Grid Master DNS service. 1. Navigate to Data Management >> DNS >> Zones. 2. Review each zone by selecting the zone and clicking "Edit" and selecting the "Name Servers" tab. If the Grid Master is a listed name server and not marked "Stealth", this is a finding. If a Hardware Security Module (HSM) is configured, KSK and ZSK private keys are encrypted and stored on the HSM, this is not a finding.

Fix: F-37029r611158_fix

For each zone that is not in compliance: 1. Navigate to Data Management >> DNS >> Zones. 2. Select and edit the zone. 3. Select the "Name Servers" tab and modify the Grid Master by selecting "Stealth". 4. When complete, click "Save & Close" to save the changes and exit the "Properties" screen. 5. Perform a service restart if necessary.

b
CNAME records must not point to a zone with lesser security for more than six months.
CM-6 - Medium - CCI-000366 - V-233880 - SV-233880r621666_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
IDNS-8X-400022
Vuln IDs
  • V-233880
Rule IDs
  • SV-233880r621666_rule
The use of CNAME records for exercises, tests, or zone-spanning aliases should be temporary (e.g., to facilitate a migration). When a host name is an alias for a record in another zone, an adversary has two points of attack: the zone in which the alias is defined and the zone authoritative for the alias's canonical name. This configuration also reduces the speed of client resolution because it requires a second lookup after obtaining the canonical name. Furthermore, in the case of an authoritative name server, this information is promulgated throughout the enterprise to caching servers and thus compounds the vulnerability.
Checks: C-37065r611160_chk

Infoblox DNS records the creation date of every resource record, including CNAME records in the system, and the TimeStamp is attached to the CNAME object. Infoblox can also record the date of the last time this record was used or queried. CNAME records can be removed by the administrator when they reach their six-month maturity date. 1. Navigate to Grid Manager >> Administration >> Logs >> Audit Log. Click "Show Filter" if it is not already displayed. 2. Create a new search using "Object Type equals CNAME Record". 3. Click the plus symbol to add a second search parameter. 4. Create an additional search parameter, "Timestamp before YYYY-MM-DD", using the calendar selection box to choose the appropriate date six months prior to the current date. 5. Click "Apply" to display CNAME records created more than six months ago. If there are zone-spanning CNAME records older than six months and the CNAME records resolve to anything other than fully qualified domain names for glue records supporting zone delegations, CNAME records supporting a system migration, or CNAME records that point to third-party Content Delivery Networks (CDN) or cloud computing platforms with an AO-approved and documented mission need, this is a finding.

Fix: F-37030r611161_fix

1. Navigate to Data Management >> DNS >> Zones. 2. Edit the zone containing CNAME records discovered during review of the Audit Log. 3. Remove any zone-spanning CNAME records that have been active for more than six months.

b
The Infoblox system must use the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
CM-6 - Medium - CCI-000366 - V-233881 - SV-233881r621666_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
IDNS-8X-400023
Vuln IDs
  • V-233881
Rule IDs
  • SV-233881r621666_rule
Configuration settings are the set of parameters that can be changed that affect the security posture and/or functionality of the system. Security-related parameters are parameters impacting the security state of the application, including the parameters required to satisfy other security control requirements. Configuring the DNS server implementation to follow organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements.
Checks: C-37066r611163_chk

Infoblox systems are secure by design and use a number of access controls to prevent unauthorized usage. Infoblox systems are purpose built and do not provide privileged "root" level access, nor are they distributed as general purpose operating systems. By default all services including DNS are disabled on Infoblox systems. Services are enabled only as a result of administrator action. 1. Navigate to Grid >> Grid Manager >> Grid Properties, or System >> System Manager >> System Properties if using a stand-alone configuration. 2. Select the "Services" tab. 3. Review the enabled services. If any unnecessary services are running on Infoblox systems, this is a finding.

Fix: F-37031r611164_fix

Review network architecture and system configuration to ensure use of a defense-in-depth architecture that uses secure out-of-band management. Review system configuration to ensure that all administrators are properly authorized for the functions allowed through system rights. 1. Validate that both SRG and STIG DNS guidance is properly applied. 2. Navigate to Grid >> Grid Manager >> Services tab. 3. Click on each service that is running and review the "Service Status" of each member. 4. Click on the member and select "Stop" to disable the unnecessary service.

c
A secure out-of-band (OOB) network must be used for management of Infoblox Grid Members.
CM-6 - High - CCI-000366 - V-233882 - SV-233882r621666_rule
RMF Control
CM-6
Severity
High
CCI
CCI-000366
Version
IDNS-8X-400024
Vuln IDs
  • V-233882
Rule IDs
  • SV-233882r621666_rule
The Infoblox Grid Master is the central point of management within an Infoblox Grid. The Grid Master retains a full copy of the configuration used for the entire Grid. The Grid Master must communicate to Grid Members using their Management port connected to an OOB network that clients cannot access.
Checks: C-37067r611166_chk

Note: For Infoblox DNS systems on a classified network, this requirement is Not Applicable. 1. Navigate to Grid >> Grid Manager >> Members tab. 2. Review the Grid Master network configuration and verify placement on an OOB network. 3. Review services enabled on the Grid Master and verify that no client services are enabled. 4. The only acceptable service allowed is DNS when the Grid uses DNSSEC signed zones. The Grid Master must have DNS enabled to sign DNSSEC zones. If DNSSEC is enabled, verify that the Grid Master is marked as "Stealth" for any zone. If an Infoblox Grid Member does not use the MGMT port for configuration through an OOB connection, this is a finding.

Fix: F-37032r611167_fix

1. Navigate to Grid >> Grid Manager >> Members tab. 2. Edit each member and configure the MGMT port on the "Network" tab and enable VPN over MGMT on the "Advanced" portion of the "Network" tab. 3. Grid Masters and Grid Master candidates use the LAN1 port for communication and should not allow any direct client access.

c
Infoblox systems must enforce current DoD password restrictions.
CM-6 - High - CCI-000366 - V-233883 - SV-233883r621666_rule
RMF Control
CM-6
Severity
High
CCI
CCI-000366
Version
IDNS-8X-400025
Vuln IDs
  • V-233883
Rule IDs
  • SV-233883r621666_rule
The Infoblox systems must be configured to meet current DoD password policy when using the Infoblox Local User Database as the authentication source.
Checks: C-37068r611169_chk

1. Navigate to Administration >> Administrators >> Authentication Policy. 2. If the only authentication type under "Authenticate users in this order" is "Local User Database", perform the following additional validation: 3. Navigate to Grid >> Grid Manager >> Grid Properties, or System >> System Manager >> System Properties if using a stand-alone configuration. 4. Select the "Password" tab. 5. Verify the settings are configured in accordance with current DoD Policy. If the Infoblox system is configured to use a remote authentication system (Active Directory, RADIUS, TACACS+, or LDAP) that enforces password policy, or the password settings meet current guidance, this is not a finding.

Fix: F-37033r611170_fix

1. Navigate to Grid >> Grid Manager >> Grid Properties, or System >> System Manager >> System Properties if using a stand-alone configuration. 2. Select the "Password" tab. 3. Configure the system with appropriate values for password length, complexity, and expiration requirements.

b
Infoblox Grid configuration must be backed up on a regular basis.
CM-6 - Medium - CCI-000366 - V-233884 - SV-233884r621666_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
IDNS-8X-400026
Vuln IDs
  • V-233884
Rule IDs
  • SV-233884r621666_rule
The Infoblox Grid Master is the central point of management within an Infoblox Grid. The Grid Master retains a full copy of the configuration used for the entire Grid. In the event of system failure, a configuration backup must be preserved. An Infoblox Grid member may also be configured as a Grid Master Candidate, which is synchronized to the Grid Master. The Grid Master Candidate can be promoted in the event of system failure on the Grid Master.
Checks: C-37069r611172_chk

1. Navigate to Grid >> Grid Manager >> Members tab. 2. In the toolbar, click the drop-down menu for "Backup", "Schedule Backup". 3. Verify configuration of a remote backup option (TFTP, FTP, or SCP). Review the existence of backup files on the remote system. If a remote backup system is not configured, or a local backup procedure is not documented, this is a finding. If no remote or local backup is configured, but the Grid contains a Grid Master candidate, the severity of the finding is reduced.

Fix: F-37034r611173_fix

1. Navigate to Grid >> Grid Manager >> Members tab. 2. In the toolbar, click the drop-down menu for "Backup", "Schedule Backup". Configure remote backup to TFTP, FTP, or SCP. 3. When complete, click "Save & Close" to save the changes and exit the "Properties" screen. 4. Perform a service restart if necessary. 5. Review the existence of backup files on the remote system.

b
The Infoblox system must display the approved DoD notice and consent banner.
CM-6 - Medium - CCI-000366 - V-233885 - SV-233885r621666_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
IDNS-8X-400027
Vuln IDs
  • V-233885
Rule IDs
  • SV-233885r621666_rule
Configuration of the DoD notice and consent banner requires all administrators to acknowledge the current DoD notice and consent by clicking an "Accept" button.
Checks: C-37070r611175_chk

Navigation to the HTTPS interface on the Grid Master using a web browser will display the current DoD banner. 1. If an administrator is currently logged in, click on the drop-down menu adjacent to the administrator's name in the upper right side and select "Logout". 2. Open a new session to the Infoblox system and review the banner presented. 3. The banner text of the document MUST read: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." If the correct banner is not displayed, this is a finding.

Fix: F-37035r611176_fix

1. Navigate to Grid >> Grid Manager >> Grid Properties, or System >> System Manager >> System Properties on a stand-alone system. 2. Toggle Advanced mode. Select "Security", "Advanced" tab. 3. Click "Enable Notice and Consent Banner". 4. Use the text box to enter the appropriate banner. 5. When complete, click "Save & Close" to save the changes and exit the "Properties" screen. 6. Administrators should log out and close the web browser. 7. It may be necessary to clear the web browser cache for the banner to display or update on a session opened shortly after reconfiguration.

b
The Infoblox system must display the appropriate security classification information.
CM-6 - Medium - CCI-000366 - V-233886 - SV-233886r621666_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
IDNS-8X-400028
Vuln IDs
  • V-233886
Rule IDs
  • SV-233886r621666_rule
Configuration of the informational banner displays the security classification of the Infoblox system using both color and text. Text may be added for additional security markings.
Checks: C-37071r611178_chk

1. Log on to the Infoblox Grid Master or stand-alone system. 2. The appropriate security classification color and text must be displayed on the top of each configuration screen. 3. The output will also contain the text "Dynamic Page - Highest Possible Classification Is" and a colored bar associated with the classification. 4. Additional text may appear if configured by the administrator. If the security classification color and text are not displayed at the top of each configuration screen, this is a finding.

Fix: F-37036r611179_fix

1. Navigate to Grid >> Grid Manager >> Grid Properties, or System >> System Manager >> System Properties if using a stand-alone configuration. 2. Select the "Security", "Advanced" tab. Click "Enable Security Banner". 3. Use the drop-down menus to select the Security Level and Security Level Color appropriate for each level. 4. Additional text can be entered if required by DoD or local policy. 5. When complete, click "Save & Close" to save the changes and exit the "Properties" screen. 6. Administrators should log out and close the web browser. 7. It may be necessary to clear the web browser cache for the banner to display or update on a session opened shortly after reconfiguration.

b
The Infoblox system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
CM-6 - Medium - CCI-000366 - V-233887 - SV-233887r621666_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
IDNS-8X-400029
Vuln IDs
  • V-233887
Rule IDs
  • SV-233887r621666_rule
Configuration settings are the set of parameters that can be changed that affect the security posture and/or functionality of the system. Security-related parameters are parameters impacting the security state of the application, including the parameters required to satisfy other security control requirements. Configuring the DNS server implementation to follow organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements.
Checks: C-37072r611181_chk

Infoblox systems are secure by design and use a number of access controls to prevent unauthorized usage. Infoblox systems are purpose built and do not provide privileged "root" level access, nor are they distributed as general purpose operating systems. By default, all services including DNS are disabled on Infoblox systems. Services are enabled only as a result of administrator action. 1. Navigate to Grid >> Grid Manager >> Grid Properties, or System >> System Manager >> System Properties if using a stand-alone configuration. 2. Select the "Services" tab. 3. Review the enabled services. If any unnecessary services are running on Infoblox systems, this is a finding.

Fix: F-37037r611182_fix

Review network architecture and system configuration to ensure use of a defense-in-depth architecture that uses secure out-of-band management. Review system configuration to ensure all administrators are properly authorized for the functions allowed through system rights. Validate that both SRG and STIG DNS guidance is properly applied. 1. Navigate to Grid >> Grid Manager >> Grid Properties, or System >> System Manager >> System Properties if using a stand-alone configuration. 2. Select the "Services" tab. 3. Click on each service that is running and review the "Service Status" of each member. 4. Click on the member and select "Stop" to disable the unnecessary service.

b
The Infoblox system must present only approved TLS and SSL cipher suites.
CM-6 - Medium - CCI-000366 - V-233888 - SV-233888r621666_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
IDNS-8X-400030
Vuln IDs
  • V-233888
Rule IDs
  • SV-233888r621666_rule
Infoblox systems ship with a wide range of cipher suites to support management in a variety of customer environments. Infoblox may have customers that require these cipher suites for backward compatibility. Over time specific cipher suites may become unfavorable for a variety of reasons, including being replaced by stronger suites, or vulnerabilities are discovered and they are no longer considered secure. Configuration of cipher suites within NIOS directly affects the default HTTPS management system. Note that Infoblox systems do not enable Secure Shell (SSH) by default, but it can be enabled by system administrators and shares configuration of the cipher suites with HTTPS.
Checks: C-37073r611184_chk

Configuration of the SSL/TLS cipher suite is performed on the Grid Master, or the stand-alone system using the CLI. 1. Use the following commands to display the status and configuration: show ssl_tls_settings show ssl_tls_protocols show ssl_tls_ciphers 2. Review the output from "show ssl_tls_ciphers" and note those marked as "enabled". 3. Compare this to the list of currently approved ciphers. DISA recommends: Ciphers: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_RSA_WITH_AES_256_CBC_SHA256 Protocols: TLSv1.2 If any unapproved cipher suites are enabled, this is a finding.

Fix: F-37038r611185_fix

1. Close all existing HTTPS management sessions and log on to the Grid Master, or the stand-alone system using the CLI. 2. Use the following command to display the status: "show ssl_tls_settings". 3. If the output shows "default", the system administrator must first override the default settings to enable editing using the following command: "set ssl_tls_settings override". 4. For each cipher suite to be disabled, use the following procedure. Identify the numerical designation of the cipher suite using: "show ssl_tls_ciphers". 5. Use the following command to disable, replacing NNN with the appropriate number: "set ssl_tls_ciphers disable NNN". 6. Repeat this procedure to disable unapproved cipher suites. The numerical list will be reordered each time it is modified and requires careful validation. 7. In addition to specific cipher suites, a set of SSL/TLS protocols can also be enabled or disabled as desired. 8. Review the output from "show ssl_tls_protocols" from the Check procedure. 9. Use the CLI command: "set ssl_tls_protocols disable TLSv1.0", to disable TLS v1.0. 10. Use the CLI command: "set ssl_tls_protocols disable TLSv1.1", to disable TLS v1.1. 11. Use the "show ssl_tls_settings" and show "ssl_tls_protocols" commands to ensure compliance. 12. Using an approved web browser, verify functionality if protocol or TLS settings were modified. Refer to the Infoblox CLI Guide for additional information if necessary.

b
An Infoblox DNS server must strongly bind the identity of the DNS server with the DNS information using DNSSEC.
CM-6 - Medium - CCI-000366 - V-233889 - SV-233889r621666_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
IDNS-8X-400031
Vuln IDs
  • V-233889
Rule IDs
  • SV-233889r621666_rule
Weakly bound credentials can be modified without invalidating the credential; therefore, non-repudiation can be violated. This requirement supports audit requirements that provide organizational personnel with the means to identify who produced specific information in the event of an information transfer. Organizations and/or data owners determine and approve the strength of the binding between the information producer and the information based on the security category of the information and relevant risk factors. DNSSEC uses digital signatures to establish the identity of the producer of particular pieces of information.
Checks: C-37074r611187_chk

Note: For Infoblox DNS systems on a classified network, this requirement is Not Applicable. Validate that DNSSEC validation is enabled: 1. Navigate to Data Management >> DNS >> Grid DNS properties. 2. Toggle Advanced Mode and click on the "DNSSEC" tab. 3. Verify that both "Enable DNSSEC" and "Enable DNSSEC validation" are enabled. 4. When complete, click "Cancel" to exit the "Properties" screen. If both "Enable DNSSEC" and "Enable DNSSEC validation" are not enabled, this is a finding.

Fix: F-37039r611188_fix

1. Navigate to Data Management >> DNS >> Grid DNS properties. 2. Toggle Advanced Mode and click on the "DNSSEC" tab. 3. Enable both "Enable DNSSEC" and "Enable DNSSEC validation". 4. When complete, click "Save & Close" to save the changes and exit the "Properties" screen. 5. Perform a service restart if necessary.

b
The Infoblox system must provide the means for authorized individuals to determine the identity of the source of the DNS server-provided information.
AU-10 - Medium - CCI-001902 - V-233890 - SV-233890r621666_rule
RMF Control
AU-10
Severity
Medium
CCI
CCI-001902
Version
IDNS-8X-400032
Vuln IDs
  • V-233890
Rule IDs
  • SV-233890r621666_rule
Without a means for identifying the individual who produced the information, the information cannot be relied on. Identifying the validity of information may be delayed or deterred. This requirement provides organizational personnel with the means to identify who produced specific information in the event of an information transfer. DNSSEC uses digital signatures to establish the identity of the producer of particular pieces of information. These signatures can be examined and verified to determine the identity of the producer of the information.
Checks: C-37075r611190_chk

Note: For Infoblox DNS systems on a classified network, this requirement is Not Applicable. Validate that DNSSEC validation is enabled: 1. Navigate to Data Management >> DNS >> Grid DNS properties. 2. Toggle Advanced Mode and click on the "DNSSEC" tab. 3. Verify that both "Enable DNSSEC" and "Enable DNSSEC validation" are enabled. 4. When complete, click "Cancel" to exit the "Properties" screen. If both "Enable DNSSEC" and "Enable DNSSEC validation" are not enabled, this is a finding.

Fix: F-37040r611191_fix

1. Navigate to Data Management >> DNS >> Grid DNS properties. 2. Toggle Advanced Mode and click on the "DNSSEC" tab. 3. Enable both "Enable DNSSEC" and "Enable DNSSEC validation". 4. When complete, click "Save & Close" to save the changes and exit the "Properties" screen. 5. Perform a service restart if necessary.

b
The Infoblox system must validate the binding of the other DNS servers' identity to the DNS information for a server-to-server transaction (e.g., zone transfer).
CM-6 - Medium - CCI-000366 - V-233891 - SV-233891r621666_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
IDNS-8X-400033
Vuln IDs
  • V-233891
Rule IDs
  • SV-233891r621666_rule
Validation of the binding of the information prevents the modification of information between production and review. The validation of bindings can be achieved, for example, by the use of cryptographic checksums. Validations must be performed automatically. DNSSEC is not effective unless the digital signatures they generate are validated to ensure that the information has not been tampered with and the producer's identity is legitimate.
Checks: C-37076r611193_chk

1. Navigate to Data Management >> DNS >> Zones tab. 2. Review each zone by clicking "Edit" and inspecting the "Name Servers" tab. 3. If all entries in the "Type" column are configured as "Grid", this check is Not Applicable. 4. Verify that each zone containing non-Grid name servers is further verified by inspection of the "Zone Transfers" tab and configuration of TSIG Access Control Entry (ACE). 5. When complete, click "Cancel" to exit the "Properties" screen. If there is a non-Grid system that uses zone transfers but does not have a TSIG key, this is a finding.

Fix: F-37041r611194_fix

It is important to verify that both the Infoblox and other DNS server have the identical TSIG configuration and time synchronization before starting this procedure. 1. Navigate to Data Management >> DNS >> Zones tab. 2. Select a zone and click "Edit". Click on "Zone Transfers" tab and click "Override" for the "Allow Zone Transfers to" section. 3. Use the radio button to select "Set of ACEs" and the "Add" drop-down to configure a TSIG key. 4. When complete, click "Save & Close" to save the changes and exit the "Properties" screen. 5. Perform a service restart if necessary. 6. Verify zone transfers are operational after configuration of TSIG.

b
The Infoblox system must send a notification in the event of an error when validating the binding of another DNS server’s identity to the DNS information.
AU-10 - Medium - CCI-001906 - V-233892 - SV-233892r621666_rule
RMF Control
AU-10
Severity
Medium
CCI
CCI-001906
Version
IDNS-8X-400034
Vuln IDs
  • V-233892
Rule IDs
  • SV-233892r621666_rule
Failing to act on validation errors may result in the use of invalid, corrupted, or compromised information. The validation of bindings can be achieved, for example, by the use of cryptographic checksums. Validations must be performed automatically. At a minimum, the application must log the validation error. However, more stringent actions can be taken based on the security posture and value of the information. The organization should consider the system's environment and impact of the errors when defining the actions. Additional examples of actions include automated notification to administrators, halting system process, or halting the specific operation. The DNS server should audit all failed attempts at server authentication through DNSSEC and TSIG/SIG(0). The actual auditing is performed by the OS/NDM, but the configuration to trigger the auditing is controlled by the DNS server.
Checks: C-37077r611196_chk

Infoblox systems allow configuration of DNS auditing based on selectable events. Verify that important event categories are enabled to log events. 1. Navigate to Data Management >> DNS and select "Grid DNS Properties". 2. Toggle Advanced Mode and review the "Logging" tab. 3. Validate that at a minimum the following categories are enabled: client config database dnssec lame servers network notify rate-limit resolver security transfer-in transfer-out update update-security 4. When complete, click "Cancel" to exit the "Properties" screen. If the named logging categories are not enabled, this is a finding.

Fix: F-37042r611197_fix

1. Navigate to Data Management >> DNS. Select "Grid DNS Properties". 2. Toggle Advanced Mode and review the "Logging" tab. 3. Enable the following categories using the check boxes: client config database dnssec lame servers network notify rate-limit resolver security transfer-in transfer-out update update-security 4. When complete, click "Save & Close" to save the changes and exit the "Properties" screen. 5. Perform a service restart if necessary.

b
The Infoblox DNS server must provide data origin artifacts for internal name/address resolution queries.
CM-6 - Medium - CCI-000366 - V-233893 - SV-233893r621666_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
IDNS-8X-400035
Vuln IDs
  • V-233893
Rule IDs
  • SV-233893r621666_rule
The major threat associated with DNS forged responses or failures is the integrity of the DNS data returned in the response. The principle of DNSSEC is to mitigate this threat by providing data origin authentication, establishing trust in the source. This requirement enables remote clients to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service. A DNS server is an example of an information system providing name/address resolution service. Digital signatures and cryptographic keys are examples of additional artifacts. DNS resource records are examples of authoritative data. Applications other than the DNS to map between host/service names and network addresses must provide other means to ensure the authenticity and integrity of response data. In the case of DNS, employ DNSSEC to provide an additional data origin and integrity artifacts along with the authoritative data the system returns in response to DNS name/address resolution queries.
Checks: C-37078r611199_chk

Note: For Infoblox DNS systems on a classified network, this requirement is Not Applicable. 1. Validate that DNSSEC validation is enabled by navigating to Data Management >> DNS >> Grid DNS properties. 2. Toggle Advanced Mode and click on the "DNSSEC" tab. 3. Verify that both "Enable DNSSEC" and "Enable DNSSEC validation" are enabled. 4. When complete, click "Cancel" to exit the "Properties" screen. If both "Enable DNSSEC" and "Enable DNSSEC validation" are not enabled, this is a finding.

Fix: F-37043r611200_fix

1. Navigate to Data Management >> DNS >> Grid DNS properties. 2. Toggle Advanced Mode and click on the "DNSSEC" tab. 3. Enable both "Enable DNSSEC" and "Enable DNSSEC validation". 4. When complete, click "Save & Close" to save the changes and exit the "Properties" screen. 5. Perform a service restart if necessary.

b
The Infoblox DNS server must provide data integrity protection artifacts for internal name/address resolution queries.
CM-6 - Medium - CCI-000366 - V-233894 - SV-233894r621666_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
IDNS-8X-400036
Vuln IDs
  • V-233894
Rule IDs
  • SV-233894r621666_rule
The major threat associated with DNS forged responses or failures is the integrity of the DNS data returned in the response. The principle of DNSSEC is to mitigate this threat by providing data origin authentication, establishing trust in the source. This requirement enables remote clients to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service. A DNS server is an example of an information system providing name/address resolution service. Digital signatures and cryptographic keys are examples of additional artifacts. DNS resource records are examples of authoritative data. Applications other than the DNS to map between host/service names and network addresses must provide other means to ensure the authenticity and integrity of response data. In the case of DNS, employ DNSSEC to provide an additional data origin and integrity artifacts along with the authoritative data the system returns in response to DNS name/address resolution queries.
Checks: C-37079r611202_chk

Note: For Infoblox DNS systems on a classified network, this requirement is Not Applicable. 1. Validate that DNSSEC validation is enabled by navigating to Data Management >> DNS >> Grid DNS properties. 2. Toggle Advanced Mode and click on the "DNSSEC" tab. 3. Verify that both "Enable DNSSEC" and "Enable DNSSEC validation" are enabled. 4. When complete, click "Cancel" to exit the "Properties" screen. If both "Enable DNSSEC" and "Enable DNSSEC validation" are not enabled, this is a finding.

Fix: F-37044r611203_fix

1. Navigate to Data Management >> DNS >> Grid DNS properties. 2. Toggle Advanced Mode and click on the "DNSSEC" tab. 3. Enable both "Enable DNSSEC" and "Enable DNSSEC validation". 4. When complete, click "Save & Close" to save the changes and exit the "Properties" screen. 5. Perform a service restart if necessary.

b
The Infoblox system must notify the system administrator when a component failure is detected.
CM-6 - Medium - CCI-000366 - V-233895 - SV-233895r621666_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
IDNS-8X-400037
Vuln IDs
  • V-233895
Rule IDs
  • SV-233895r621666_rule
Predictable failure prevention requires organizational planning to address system failure issues. If components key to maintaining systems security fail to function, the system could continue operating in an insecure state. The organization must be prepared and the application must support requirements that specify if the application must alarm for such conditions and/or automatically shut down the application or the system. This can include conducting a graceful application shutdown to avoid losing information. Automatic or manual transfer of components from standby to active mode can occur, for example, upon detection of component failures.
Checks: C-37080r611205_chk

Infoblox systems are capable of providing notifications via remote SYSLOG, SNMP, and SMTP. 1. Navigate to Grid >> Grid Manager >> Grid Properties, or System >> System Manager >> System Properties if using a stand-alone configuration. 2. Select the "Monitoring" tab. 3. Verify that "Log to External Syslog Servers" is enabled and an External Syslog Server is configured. 4. When complete, click "Cancel" to exit the "Properties" screen. If no external notifications are enabled, this is a finding.

Fix: F-37045r611206_fix

1. Navigate to Grid >> Grid Manager >> Grid Properties, or System >> System Manager >> System Properties if using a stand-alone configuration. 2. Select the Monitoring tab. 3. Enable "Log to External Syslog Servers" using the check box. 4. Configure an "External Syslog Server". 5. When complete, click "Save & Close" to save the changes and exit the "Properties" screen. 6. Perform a service restart if necessary. 7. Review the SYSLOG data on the remote SYSLOG server to validate operation.

b
The Infoblox DNS server implementation must follow procedures to re-role a secondary name server as the master name server should the master name server permanently lose functionality.
CM-6 - Medium - CCI-000366 - V-233896 - SV-233896r621666_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
IDNS-8X-400038
Vuln IDs
  • V-233896
Rule IDs
  • SV-233896r621666_rule
Failing to an unsecure condition negatively impacts application security and can lead to system compromise. Failure conditions include, for example, loss of communications among critical system components or between system components and operational facilities. Fail-safe procedures include, for example, alerting operator personnel and providing specific instructions on subsequent steps to take (e.g., do nothing, reestablish system settings, shut down processes, restart the system, or contact designated organizational personnel). If a component such as DNSSEC signing capabilities were to fail, the DNS server should shut itself down to prevent continued execution without the necessary security components in place. Transactions such as zone transfers would not be able to work correctly in this state.
Checks: C-37081r611208_chk

Validation of this configuration item requires review of the network architecture and security configuration in addition to DNS server configuration to validate external name servers are not accessible from the internal network when a split DNS configuration is implemented. 1. Navigate to Data Management >> DNS >> Members tab. 2. Review the network configuration and access control of each Infoblox member that has the DNS service running. 3. Select each grid member and click "Edit". 4. Review the "Queries" tab to verify that both queries and recursion options are enabled and allowed only from the respective client networks. If a split DNS configuration is not used, this is not a finding. If there is no access control configured or access control does not restrict queries and recursion to the respective client network, this is a finding.

Fix: F-37046r611209_fix

1. Refer to the Infoblox NIOS Administrator Guide, Chapters "Deploying a Grid", and "Configuring DNS Zones", section "Assigning Zone Authority to Name Servers", if necessary. 2. Configure a Grid Master Candidate or define a local policy to re-role a secondary name server.

b
The Infoblox system must prohibit or restrict unapproved services, ports, and protocols.
CM-7 - Medium - CCI-000382 - V-233897 - SV-233897r621666_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
IDNS-8X-400039
Vuln IDs
  • V-233897
Rule IDs
  • SV-233897r621666_rule
To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems. Infoblox systems provide DNS, Dynamic Host Configuration Protocol (DHCP), and IP Address Management (DDI) services. Some of the functions and services provided may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., DNS and DHCP); however, doing so increases risk over limiting the services provided by any one component. This risk may be increased depending on placement in the network. Internal systems often provide DNS and DHCP; however, external systems or those in a DMZ provide only DNS.
Checks: C-37082r611211_chk

Note: For Infoblox DNS systems on a classified network, this requirement is Not Applicable. By default, all services other than those required for management are disabled. Validate that no additional services have been enabled for DNS members. 1. Navigate to Grid >> Grid Manager >> Grid Properties, or System >> System Manager >> System Properties if using a stand-alone configuration. 2. Select the "Services" tab and review each service and member status at the top of the panel. Depending on purchased options, Infoblox DNS members may be running DNS and optionally running services supporting DNS and security operations such as DNS Traffic Control, Threat Protection, Threat Analytics, and TAXII services. Use of these additional Infoblox services is not a finding. If any unnecessary services such as file distribution services are enabled on the DNS members, this is a finding. Note: Once DNSSEC is enabled, the DNS service will be required to be running on the Grid Master, and it will be placed into stealth mode.

Fix: F-37047r611212_fix

1. Navigate to Grid >> Grid Manager >> Grid Properties, or System >> System Manager >> System Properties if using a stand-alone configuration. 2. Select the "Services" tab. 3. Select each available service at the top of the panel and review the service status. 4. Click on the member and disable unnecessary services.

b
The Infoblox system must require devices to reauthenticate for each zone transfer and dynamic update request connection attempt.
IA-11 - Medium - CCI-002039 - V-233898 - SV-233898r621666_rule
RMF Control
IA-11
Severity
Medium
CCI
CCI-002039
Version
IDNS-8X-500001
Vuln IDs
  • V-233898
Rule IDs
  • SV-233898r621666_rule
Without reauthenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. In addition to the reauthentication requirements associated with session locks, organizations may require reauthentication of devices, including but not limited to the following other situations: (i) When authenticators change; (ii) When roles change; (iii) When security categories of information systems change; (iv) After a fixed period of time; or (v) Periodically. DNS does perform server authentication when DNSSEC is used, but this authentication is transactional in nature (each transaction has its own authentication performed). Therefore, this requirement is applicable for every server-to-server transaction request.
Checks: C-37083r611214_chk

1. Navigate to Data Management >> DNS >> Zones tab. 2. Review each zone by clicking "Edit" and inspecting the "Name Servers" tab. 3. If all entries in the "Type" column are configured as "Grid", this check is Not Applicable. 4. Verify that each zone containing non-Grid name servers is further verified by inspection of the "Zone Transfers" tab and configuration of TSIG Access Control Entry (ACE). 5. When complete, click "Cancel" to exit the "Properties" screen. If there is a non-Grid system that uses zone transfers but does not have a TSIG key, this is a finding.

Fix: F-37048r611215_fix

Note that TSIG relies on both key and time synchronization. TSIG will fail if the local clocks on both names are not synchronized. 1. Navigate to Data Management >> DNS >> Zones tab. 2. Select a zone and click "Edit". Click on the "Zone Transfers" tab and click "Override" for the "Allow Zone Transfers to" section. 3. Use the radio button to select "Set of ACEs" and the "Add" drop-down to configure a TSIG key. 4. It is important to verify that both the Infoblox and other DNS server have the identical TSIG configuration. 5. When complete, click "Save & Close" to save the changes and exit the "Properties" screen. 6. Perform a service restart if necessary. 7. Verify zone transfers are operational after configuration of TSIG.

b
When using non-Grid DNS servers for zone transfers, each name server must use TSIG to uniquely identify the other server.
IA-3 - Medium - CCI-000778 - V-233899 - SV-233899r621666_rule
RMF Control
IA-3
Severity
Medium
CCI
CCI-000778
Version
IDNS-8X-500002
Vuln IDs
  • V-233899
Rule IDs
  • SV-233899r621666_rule
Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. This applies to server-to-server (zone transfer) transactions only and is provided by TSIG, which enforces mutual server authentication using a key that is unique to each server pair (TSIG), thus uniquely identifying the other server.
Checks: C-37084r611217_chk

1. Navigate to Data Management >> DNS >> Zones tab. 2. Review each zone by clicking "Edit" and inspecting the "Name Servers" tab. 3. Verify that each zone that contains non-Grid name servers is further verified by inspection of the "Zone Transfers" tab and configuration of TSIG Access Control Entry (ACE). 4. When complete, click "Cancel" to exit the "Properties" screen. If all entries in the "Type" column are configured as "Grid", this check is Not Applicable. If there is a non-Grid system that uses zone transfers but does not have a TSIG key, this is a finding.

Fix: F-37049r611218_fix

1. Navigate to Data Management >> DNS >> Zones tab. 2. Select a zone and click "Edit". 3. Click on the "Zone Transfers" tab and click "Override" for the "Allow Zone Transfers to" section. 4. Use the radio button to select "Set of ACEs" and the "Add" drop-down to configure a TSIG key. 5. Verify that both the Infoblox and other DNS server have the identical TSIG configuration. 6. Verify that both the Infoblox and other DNS server have time synchronized properly. Note that TSIG relies on both key and time synchronization. TSIG will fail if the local clocks on both names are not synchronized. 7. When complete, click "Save & Close" to save the changes and exit the "Properties" screen. 8. Perform a service restart if necessary. 9. Verify zone transfers are operational after configuration of TSIG.

b
The Infoblox DNS server must authenticate to any external (non-Grid) DNS servers before responding to a server-to-server transaction.
IA-3 - Medium - CCI-001958 - V-233900 - SV-233900r621666_rule
RMF Control
IA-3
Severity
Medium
CCI
CCI-001958
Version
IDNS-8X-500003
Vuln IDs
  • V-233900
Rule IDs
  • SV-233900r621666_rule
Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Device authentication is a solution enabling an organization to manage devices. It is an additional layer of authentication ensuring only specific preauthorized devices can access the system. This requirement applies to server-to-server (zone transfer) transactions only and is provided by TSIG, which enforces mutual server authentication using a key that is unique to each server pair (TSIG).
Checks: C-37085r611220_chk

1. Navigate to Data Management >> DNS >> Zones tab. 2. Review each zone by clicking "Edit" and inspecting the "Name Servers" tab. 3. If the all entries in the "Type" column are configured as "Grid", this check is Not Applicable. 4. Verify that each zone containing non-Grid name servers is further verified by inspection of the "Zone Transfers" tab and configuration of TSIG Access Control Entry (ACE). 5. When complete, click "Cancel" to exit the "Properties" screen. If there is a non-Grid system that uses zone transfers but does not have a TSIG key, this is a finding.

Fix: F-37050r611221_fix

Note that TSIG relies on both key and time synchronization. TSIG will fail if the local clocks on both names are not synchronized. 1. Navigate to the Data Management >> DNS >> Zones tab. 2. Select a zone and click "Edit". Click on the "Zone Transfers" tab and click "Override" for the "Allow Zone Transfers to" section. 3. Use the radio button to select "Set of ACEs" and the "Add" drop-down to configure a TSIG key. 4. It is important to verify that both the Infoblox and other DNS server have the identical TSIG configuration. 5. When complete, click "Save & Close" to save the changes and exit the "Properties" screen. 6. Perform a service restart if necessary. 7. Verify zone transfers are operational after configuration of TSIG.

b
The Infoblox DNS server must authenticate another DNS server before establishing a remote and/or network connection using bidirectional authentication that is cryptographically based.
IA-3 - Medium - CCI-001967 - V-233901 - SV-233901r621666_rule
RMF Control
IA-3
Severity
Medium
CCI
CCI-001967
Version
IDNS-8X-500004
Vuln IDs
  • V-233901
Rule IDs
  • SV-233901r621666_rule
Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of greater risk. This requirement applies to server-to-server (zone transfer) transactions only and is provided by TSIG, which enforces mutual server authentication using a key that is unique to each server pair (TSIG).
Checks: C-37086r611223_chk

1. Navigate to Data Management >> DNS >> Zones tab. 2. Review each zone by clicking "Edit" and inspecting the "Name Servers" tab. 3. If all entries in the "Type" column are configured as "Grid", this check is Not Applicable. 4. Verify that each zone containing non-Grid name servers is further verified by inspection of the "Zone Transfers" tab and configuration of TSIG Access Control Entry (ACE). 5. When complete, click "Cancel" to exit the "Properties" screen. If there is a non-Grid system that uses zone transfers but does not have a TSIG key, this is a finding.

Fix: F-37051r611224_fix

It is important to verify that both the Infoblox and other DNS server have the identical TSIG configuration and time synchronization before starting this procedure. 1. Navigate to the Data Management >> DNS >> Zones tab. 2. Select a zone and click "Edit". Click on the "Zone Transfers" tab and click "Override" for the "Allow Zone Transfers to" section. 3. Use the radio button to select "Set of ACEs" and the "Add" drop-down to configure a TSIG key. 4. When complete, click "Save & Close" to save the changes and exit the "Properties" screen. 5. Perform a service restart if necessary. Verify zone transfers are operational after configuration of TSIG.

b
Infoblox systems that communicate with non-Grid name servers must use a unique Transaction Signature (TSIG).
IA-5 - Medium - CCI-000186 - V-233902 - SV-233902r621666_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000186
Version
IDNS-8X-500005
Vuln IDs
  • V-233902
Rule IDs
  • SV-233902r621666_rule
To enable zone transfer (requests and responses) through authenticated messages, it is necessary to generate a key for every pair of name servers. The key also can be used for securing other transactions, such as dynamic updates, DNS queries, and responses. The binary key string that is generated by most key generation utilities used with DNSSEC is Base64 encoded. TSIG is a string used to generate the message authentication hash stored in a TSIG resource record (RR) and used to authenticate an entire DNS message. The process of authenticating the source of a message and its integrity through hash-based message authentication codes (HMAC) is specified through a set of DNS specifications known collectively as TSIG. The sender of the message uses the HMAC function to generate a MAC and sends this MAC along with the message to the receiver. The receiver, who shares the same secret key, uses the key and HMAC function used by the sender to compute the MAC on the received message. The receiver then compares the computed MAC with the received MAC; if the two values match, it provides assurance that the message has been received correctly and that the sender belongs to the community of users sharing the same secret key. Thus, message source authentication and integrity verification are performed in a single process.
Checks: C-37087r611226_chk

1. Navigate to Data Management >> DNS >> Zones tab. 2. Review each zone by clicking "Edit" and inspecting the "Name Servers" tab. 3. If the all entries in the "Type" column are configured as "Grid", this check is Not Applicable. 4. Verify that all Name Servers of type Ext (Primary or Secondary) have a TSIG key configured. 5. Each zone that contains Ext non-Grid name servers must also be verified by inspection of the "Zone Transfers" tab and configuration of an Access Control Entry (ACE) that limits access to only the TSIG configured Name Servers. 6. When complete, click "Cancel" to exit the "Properties" screen. If there is an external non-Grid system that uses zone transfers but does not have a Name Server with a unique TSIG key, this is a finding.

Fix: F-37052r611227_fix

1. Navigate to Data Management >> DNS >> Zones tab. 2. Select a zone identified in the Check and click "Edit". 3. Click on the "Name Servers" tab and configure a unique TSIG key for each non-Grid Name Server, designated as type Ext. 4. Verify that the same TSIG key (Algorithm and Key Data) are configured on both name servers. 5. Click on the "Zone Transfers" tab. 6. If the Name Server configured above is not present, click "Override" for the "Allow Zone Transfers to" section. Use the radio button to select "Set of ACEs" and the "Add" drop-down to configure the Name Server configured above. 7. When complete, click "Save & Close" to save the changes and exit the "Properties" screen. 8. Repeat for any other zones identified in the Check as non-compliant. 9. Perform a service restart if necessary. 10. Verify zone transfers are operational after configuration of TSIG. Note: HMAC-SHA256 is the preferred algorithm to generate TSIG keys and should be used unless the External name server only supports HMAC-MD5.

c
The Infoblox Grid Master must be configured as a stealth (hidden) domain name server in order to protect the Key Signing Key (KSK) residing on it.
IA-5 - High - CCI-000186 - V-233903 - SV-233903r621666_rule
RMF Control
IA-5
Severity
High
CCI
CCI-000186
Version
IDNS-8X-500006
Vuln IDs
  • V-233903
Rule IDs
  • SV-233903r621666_rule
The private keys in the Key Signing Key (KSK) and ZSK key pairs must be protected from unauthorized access. If possible, the private keys should be stored offline (with respect to the internet-facing, DNSSEC-aware name server) in a physically secure, non-network-accessible machine along with the zone file master copy. This strategy is not feasible in situations in which the DNSSEC-aware name server has to support dynamic updates. To support dynamic update transactions, the DNSSEC-aware name server (which usually is a primary authoritative name server) must have both the zone file master copy and the private key corresponding to the ZSK (ZSK-private) online to immediately update the signatures for the updated resource record (RR) sets. The private key corresponding to the KSK (KSK-private) can still be kept offline. On Infoblox, Domain Name System Security Extension (DNSSEC) Zone Signing Keys (ZSKs) are stored on either a Hardware Security Module or the Infoblox Grid Master. By configuring the Grid Master as "stealth" to prevent client communications to the Infoblox Grid Master and ensuring the Grid Master uses an encrypted management tunnel to update DNS members serving DNSSEC signed zones, the DNSSEC keys are protected.
Checks: C-37088r611229_chk

Note: For Infoblox DNS systems on a classified network, this requirement is Not Applicable. By default, ZSK private keys are stored encrypted within the Infoblox database on the Grid Master. The Grid Master will by default enable the DNS service when DNSSEC is enabled for internal processing. No clients should be permitted to use the Grid Master DNS service. Refer to the Infoblox STIG Overview document for additional information on HSM usage. 1. Navigate to Data Management >> DNS >> Zones. 2. Review each zone by selecting the zone, clicking "Edit", and selecting the "Name Servers" tab. 3. When complete, click "Cancel" to exit the "Properties" screen. If the Grid Master is a listed name server and not marked "Stealth", this is a finding.

Fix: F-37053r611230_fix

1. Navigate to Data Management >> DNS >> Zones. 2. Select the zone, click "Edit", and select the "Name Servers" tab. 3. Mark the Grid Master as "Stealth". 4. If no other name servers are listed, one must be added before the configuration can be valid. 5. When complete, click "Save & Close" to save the changes and exit the "Properties" screen. 6. Perform a service restart if necessary.

c
The Infoblox Grid Master must be configured as a stealth (hidden) domain name server in order to protect the Zone Signing Key (ZSK) residing on it.
IA-5 - High - CCI-000186 - V-233904 - SV-233904r621666_rule
RMF Control
IA-5
Severity
High
CCI
CCI-000186
Version
IDNS-8X-500007
Vuln IDs
  • V-233904
Rule IDs
  • SV-233904r621666_rule
Security-relevant information is any information within information systems that can potentially impact the operation of security functions or the provision of security services in a manner that could result in failure to enforce system security policies or maintain the isolation of code and data. Security-relevant information includes, for example, file permissions, cryptographic key management information, configuration parameters for security services, and access control lists. Secure, non-operable system states include the times in which information systems are not performing mission/business-related processing (e.g., the system is offline for maintenance, troubleshooting, bootup, and shutdown). On Infoblox, Domain Name System Security Extension (DNSSEC) Zone Signing Keys (ZSKs) are stored on either a Hardware Security Module or the Infoblox Grid Master. By configuring the Grid Master as "stealth" to prevent client communications to the Infoblox Grid Master and ensuring the Grid Master uses an encrypted management tunnel to update DNS members serving DNSSEC signed zones, the DNSSEC keys are protected.
Checks: C-37089r611232_chk

Note: For Infoblox DNS systems on a classified network, this requirement is Not Applicable. By default, Zone Signing Key (ZSK) private keys are stored encrypted within the Infoblox database on the Grid Master. The Grid Master will by default enable the DNS service when DNSSEC is enabled for internal processing. No clients should be permitted to use the Grid Master DNS service. Refer to the Infoblox STIG Overview document for additional information on HSM usage. 1. Navigate to Data Management >> DNS >> Zones. 2. Review each zone by selecting the zone, clicking "Edit", and selecting the "Name Servers" tab. 3. When complete, click "Cancel" to exit the "Properties" screen. If the Grid Master is a listed name server and not marked "Stealth", this is a finding.

Fix: F-37054r611233_fix

1. Navigate to Data Management >> DNS >> Zones. 2. Select the zone, click "Edit", and select the "Name Servers" tab. 3. Mark the Grid Master as "Stealth". 4. If no other name servers are listed, one must be added before the configuration can be valid. 5. When complete, click "Save & Close" to save the changes and exit the "Properties" screen. 6. Perform a service restart if necessary.

b
The Infoblox system must employ strong authenticators in the establishment of non-local maintenance and diagnostic sessions.
MA-4 - Medium - CCI-000877 - V-233905 - SV-233905r621666_rule
RMF Control
MA-4
Severity
Medium
CCI
CCI-000877
Version
IDNS-8X-600001
Vuln IDs
  • V-233905
Rule IDs
  • SV-233905r621666_rule
If maintenance tools are used by unauthorized personnel, they may accidentally or intentionally damage or compromise the system. The act of managing systems and applications includes the ability to access sensitive application information, such as system configuration details, diagnostic information, user information, and potentially sensitive application data. Nonlocal maintenance and diagnostic activities are activities conducted by individuals communicating through either an external network (e.g., the internet) or an internal network. Local maintenance and diagnostic activities are activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. Typically, strong authentication requires authenticators that are resistant to replay attacks and employ multifactor authentication. Strong authenticators include, for example, Public Key Infrastructure (PKI) where certificates are stored on a token protected by a password, passphrase, or biometric. This requirement applies to hardware/software diagnostic test equipment or tools. This requirement does not cover hardware/software components that may support information system maintenance but are a part of the system (e.g., the software implementing "ping", "ls", "ipconfig", or the hardware and software implementing the monitoring port of an Ethernet switch). Lack of authentication enables anyone to gain access to the network or possibly a network element that provides opportunity for intruders to compromise resources within the network infrastructure. Network access control mechanisms interoperate to prevent unauthorized access and to enforce the organization's security policy. Authorization for access to any network element requires an individual account identifier that has been approved, assigned, and configured on an authentication server. Authentication of all administrator accounts for all privilege levels must be accomplished using two or more factors that include the following: (i) something you know (e.g., password/PIN); (ii) something you have (e.g., cryptographic identification device, token); or (iii) something you are (e.g., biometric).
Checks: C-37090r611235_chk

Review the configuration of external authentication methods to verify that multifactor authentication is enabled. 1. Navigate to Administration >> Administrators >> Authentication Policy. 2. Ensure multifactor authentication is enabled by validating that the multiple authentication methods are enabled and that the local database is the last entry in the list. 3. When complete, click "Cancel" to exit the "Properties" screen. If the aggregate authentication policy does not provide two or more factors, this is a finding.

Fix: F-37055r611236_fix

Note: Refer to the Infoblox Administrator Guide for details on each type of authentication server. 1. Navigate to Administration >> Authentication Server Groups. 2. Configure at least one remote authentication group (OCSP, TACACS+, RADIUS, LDAP, or Active Directory). 3. Navigate to Administration >> Administrators >> Authentication Policy. 4. Configure the remote authentication source as primary by placing it at the top of the list. 5. If necessary, move the Local User Database entry to the bottom of the list so it is used last. 6. When complete, click "Save & Close" to save the changes and exit the "Properties" screen. 7. Perform a service restart if necessary.

c
The Infoblox DNS server must implement NIST FIPS-validated cryptography for provisioning digital signatures, generating cryptographic hashes, and protecting unclassified information requiring confidentiality.
SC-13 - High - CCI-002450 - V-233906 - SV-233906r621666_rule
RMF Control
SC-13
Severity
High
CCI
CCI-002450
Version
IDNS-8X-700001
Vuln IDs
  • V-233906
Rule IDs
  • SV-233906r621666_rule
Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The application must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.
Checks: C-37091r611238_chk

Note: For Infoblox DNS systems on a classified network, this requirement is Not Applicable. Note: For Infoblox Grids that run in FIPS mode, this requirement is Not Applicable. Refer to the Administrator Guide for more information on FIPS Mode. 1. Navigate to Data Management >> DNS >> Grid DNS properties. 2. Toggle Advanced Mode and click on the "DNSSEC" tab. 3. Validate that all Key Signing Keys (KSKs) and Zone Signing Keys (ZSKs) use FIPS-approved algorithms. 4. When complete, click "Cancel" to exit the "Properties" screen. If non-FIPS-approved algorithms are in use, this is a finding.

Fix: F-37056r611239_fix

Note: Ensure DNSSEC is configured to meet all other STIG requirements prior to signing a zone to avoid signing with an unapproved configuration. 1. Navigate to Data Management >> DNS >> Grid DNS properties. 2. Toggle Advanced Mode and click on the "DNSSEC" tab. 3. Configure FIPS-compliant algorithms. 4. Follow manual key rollover procedures and update all non-compliant KSKs and ZSKs to use FIPS-approved algorithms.

b
The Infoblox system must provide additional data origin artifacts along with the authoritative data the system returns in response to external name/address resolution queries.
SC-20 - Medium - CCI-001178 - V-233907 - SV-233907r621666_rule
RMF Control
SC-20
Severity
Medium
CCI
CCI-001178
Version
IDNS-8X-700002
Vuln IDs
  • V-233907
Rule IDs
  • SV-233907r621666_rule
The underlying feature in the major threat associated with DNS query/response (i.e., forged response or response failure) is the integrity of DNS data returned in the response. The security objective is to verify the integrity of each response received. An integral part of integrity verification is to ensure that valid data has originated from the right source. Establishing trust in the source is called data origin authentication. The security objectives, and consequently the security services, that are required for securing the DNS query/response transaction are data origin authentication and data integrity verification. The specification for a digital signature mechanism in the context of the DNS infrastructure is in the Internet Engineering Task Force's (IETF's) Domain Name System Security Extension (DNSSEC) standard. In DNSSEC, trust in the public key (for signature verification) of the source is established not by going to a third party or a chain of third parties (as in public key infrastructure [PKI] chaining), but by starting from a trusted zone (such as the root zone) and establishing the chain of trust down to the current source of response through successive verifications of signature of the public key of a child by its parent. The public key of the trusted zone is called the trust anchor.
Checks: C-37092r611241_chk

Note: For Infoblox DNS systems on a classified network, this requirement is Not Applicable. 1. Navigate to Data Management >> DNS >> Grid DNS properties. 2. Toggle Advanced Mode, click on "DNSSEC" tab, and verify that "Enable DNSSEC" is enabled. 3. Navigate to Data Management >> DNS >> Zones. Verify that the "Signed" column is displayed. 4. Validate that all external authoritative zones are signed by displaying "Yes". 5. When complete, click "Cancel" to exit the "Properties" screen. If DNSSEC is not enabled and external authoritative zones are not signed, this is a finding.

Fix: F-37057r611242_fix

Note: Ensure DNSSEC is configured to meet all other STIG requirements prior to signing a zone to avoid signing with an unapproved configuration. 1. Navigate to Data Management >> DNS >> Zones tab. 2. Place a check mark in the box next to the desired external authoritative zone. Using the "DNSSEC" drop-down menu in the toolbar, select "Sign zones". 3. Acknowledge the informational banner and the service restart banner if prompted.

b
The Infoblox DNS Server must provide additional integrity artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries.
SC-20 - Medium - CCI-002462 - V-233908 - SV-233908r621666_rule
RMF Control
SC-20
Severity
Medium
CCI
CCI-002462
Version
IDNS-8X-700003
Vuln IDs
  • V-233908
Rule IDs
  • SV-233908r621666_rule
The major threat associated with DNS forged responses or failures is the integrity of the DNS data returned in the response. The principle of DNSSEC is to mitigate this threat by providing data origin authentication, establishing trust in the source. This requirement enables remote clients to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service. A DNS server is an example of an information system providing name/address resolution service. Digital signatures and cryptographic keys are examples of additional artifacts. DNS resource records are examples of authoritative data. Applications other than the DNS to map between host/service names and network addresses must provide other means to ensure the authenticity and integrity of response data. In the case of DNS, employ DNSSEC to provide an additional data origin and integrity artifacts along with the authoritative data the system returns in response to DNS name/address resolution queries.
Checks: C-37093r611244_chk

Note: For Infoblox DNS systems on a classified network, this requirement is Not Applicable. 1. Verify that DNSSEC validation is enabled by navigating to Data Management >> DNS >> Grid DNS properties. 2. Toggle Advanced Mode and click on the "DNSSEC" tab. 3. Verify that both "Enable DNSSEC" and "Enable DNSSEC validation" are enabled. 4. When complete, click "Cancel" to exit the "Properties" screen. If both "Enable DNSSEC" and "Enable DNSSEC validation" are not enabled, this is a finding.

Fix: F-37058r611245_fix

1. Navigate to Data Management >> DNS >> Grid DNS properties. 2. Toggle Advanced Mode and click on the "DNSSEC" tab. 3. Enable both "Enable DNSSEC" and "Enable DNSSEC validation". 4. When complete, click "Save & Close" to save the changes and exit the "Properties" screen. 5. Perform a service restart if necessary.

b
The Infoblox DNS server implementation must provide the means to indicate the security status of child zones.
SC-20 - Medium - CCI-001179 - V-233909 - SV-233909r621666_rule
RMF Control
SC-20
Severity
Medium
CCI
CCI-001179
Version
IDNS-8X-700004
Vuln IDs
  • V-233909
Rule IDs
  • SV-233909r621666_rule
If name server replies are invalid or cannot be validated, many networking functions and communication would be adversely affected. With DNS, the presence of Delegation Signer (DS) records associated with child zones informs clients of the security status of child zones. These records are crucial to the Domain Name System Security Extension (DNSSEC) chain of trust model. Each parent domain's DS record is used to verify the DNSKEY record in its subdomain, from the top of the DNS hierarchy down. A DNS server is an example of an information system providing name/address resolution service. Digital signatures and cryptographic keys are examples of additional artifacts. DNS resource records are examples of authoritative data. Applications other than the DNS, to map between host/service names and network addresses, must provide other means to ensure the authenticity and integrity of response data. In DNS, trust in the public key of the source is established by starting from a trusted name server and establishing the chain of trust down to the current source of response through successive verifications of signature of the public key of a child by its parent. A trust anchor is an authoritative entity represented via a public key and associated data. It is used in the context of public key infrastructures, X.509 digital certificates, and DNSSEC. When there is a chain of trust, usually the top entity to be trusted becomes the trust anchor. A certification path starts with the subject certificate and proceeds through a number of intermediate certificates up to a trusted root certificate. In DNS, a trust anchor is a DNSKEY that is placed into a validating resolver so the validator can cryptographically validate the results for a given request back to a known public key (the trust anchor). An example means to indicate the security status of child subspaces is through the use of DS resource records in the DNS. Path validation is necessary for a relying party to make an informed trust decision when presented with any certificate not already explicitly trusted. Without path validation and a chain of trust, there can be no trust that the data integrity authenticity has been maintained during a transaction.
Checks: C-37094r611247_chk

Note: For Infoblox DNS systems on a classified network, this requirement is Not Applicable. Infoblox systems within a Grid configuration automatically publish DS records to the parent zone when the child zone is signed. If all name servers for parent and child zones are within an Infoblox Grid, this is not a finding. 1. Review the parent zones hosted on the Infoblox server for which the child zone is on the same Infoblox Grid. 2. Verify that each zone includes the DS records for the child zone. If DS records are not published in the parent zone for DNSSEC signed zones, this is a finding.

Fix: F-37059r611248_fix

1. Navigate to Data Management >> DNS >> Zones tab. 2. Select the parent zone and use the DNSSEC drop-down menu to select "Import Keyset". 3. Add the child zone DS resource records (RRs) and select "Import". 4. Click "Save" and "Close".

b
The validity period for the Resource Record Signatures (RRSIGs) covering the Delegation Signer (DS) RR for a zone's delegated children must be no less than two days and no more than one week.
SC-20 - Medium - CCI-001179 - V-233910 - SV-233910r621666_rule
RMF Control
SC-20
Severity
Medium
CCI
CCI-001179
Version
IDNS-8X-700005
Vuln IDs
  • V-233910
Rule IDs
  • SV-233910r621666_rule
The best way for a zone administrator to minimize the impact of a key compromise is by limiting the validity period of RRSIGs in the zone and in the parent zone. This strategy limits the time during which an attacker can take advantage of a compromised key to forge responses. An attacker that has compromised a Zone Signing Key (ZSK) can use that key only during the Key Signing Key's (KSK's) signature validity interval. An attacker that has compromised a KSK can use that key for only as long as the signature interval of the RRSIG covering the DS RR in the delegating parent. These validity periods should be short, which will require frequent re-signing. To prevent the impact of a compromised KSK, a delegating parent should set the signature validity period for RRSIGs covering DS RRs in the range of a few days to one week. This re-signing does not require frequent rollover of the parent's ZSK, but scheduled ZSK rollover should still be performed at regular intervals.
Checks: C-37095r611250_chk

Note: For Infoblox DNS systems on a classified network, this requirement is Not Applicable. 1. Navigate to Data Management >> DNS >> Grid DNS properties. 2. Toggle Advanced Mode, click on "DNSSEC" tab, and review the "Signature Validity" setting. 3. Validate that the Signature Validity is configured for a range of no less than two days and no more than one week. 4. When complete, click "Cancel" to exit the "Properties" screen. If the Signature Validity period is less than two days or greater than one week, this is a finding.

Fix: F-37060r611251_fix

1. Navigate to Data Management >> DNS >> Grid DNS properties. 2. Toggle Advanced Mode, click on "DNSSEC" tab, and edit the "Signature Validity" setting to a period between two days and one week. 3. When complete, click "Save & Close" to save the changes and exit the "Properties" screen. 4. Any zones that used an incorrect value should perform a ZSK rollover to update the inception and expiration dates with the new value. 5. Navigate to Data Management >> DNS and select the "Zones" tab. 6. Using the zone selection check boxes and the DNSSEC drop-down menu, select "Rollover Zone-Signing Key". 7. When prompted, select "Roll Over". 8. Perform a service restart if necessary.

b
The Infoblox DNS server implementation must enforce approved authorizations for controlling the flow of information between DNS servers and between DNS servers and DNS clients based on DNSSEC policies.
SC-20 - Medium - CCI-001663 - V-233911 - SV-233911r621666_rule
RMF Control
SC-20
Severity
Medium
CCI
CCI-001663
Version
IDNS-8X-700006
Vuln IDs
  • V-233911
Rule IDs
  • SV-233911r621666_rule
A mechanism to detect and prevent unauthorized communication flow must be configured or provided as part of the system design. If information flow is not enforced based on approved authorizations, the system may become compromised. Information flow control regulates where information is allowed to travel within a system and between interconnected systems. The flow of all application information must be monitored and controlled so it does not introduce any unacceptable risk to the systems or data. Application-specific examples of enforcement occurs in systems that employ rule sets or establish configuration settings that restrict information system services or provide a message-filtering capability based on message content (e.g., implementing keyword searches or using document characteristics). Applications providing information flow control must be able to enforce approved authorizations for controlling the flow of information between interconnected systems in accordance with applicable policy. Within the context of DNS, this is applicable in terms of controlling the flow of DNS information between systems, such as DNS zone transfers.
Checks: C-37096r611253_chk

Review the configuration of Infoblox DNS systems and verify that communication flow is validated. 1. Review the Infoblox DNS configuration to verify that only approved communications are allowed. 2. Use of Access Control Lists to control clients, DNS zone transfer configuration to systems external to the Infoblox Grid, and Grid member configuration can be used to control communications as desired. Infoblox systems within the same Grid use internal database updates and do not perform zone transfers. If all systems are within the same Infoblox Grid, this is not a finding. If the Infoblox system is configured to perform zone transfers to non-Grid systems, access control must be used. Otherwise, this is a finding.

Fix: F-37061r611254_fix

Zone transfers can be restricted at the Grid, Member, and Zone level. Configuration is inherited and can be overridden if necessary to construct the appropriate access control. Refer to the Infoblox Administrator Guide if necessary. 1. Grid-level configuration: Navigate to Data Management >> DNS >> Zones tab. 2. Click "Grid DNS Properties" and toggle Advanced Mode. 3. Member-level configuration: Navigate to Data Management >> DNS >> Members tab. 4. Click "Edit" to review each member with the DNS service status of "Running". 5. Zone-level configuration: Navigate to Data Management >> DNS >> Zones tab. 6. Select the "Zone Transfers" tab. 7. Click "Override" to set permissions for "Allow zone transfers to". 8. Configure IPv4 and IPv6 networks, addresses, and TSIG keys to restrict zone transfers.

b
The Infoblox DNS server must enable verification of a chain of trust among parent and child domains (if the child supports secure resolution services).
SC-20 - Medium - CCI-001663 - V-233912 - SV-233912r621666_rule
RMF Control
SC-20
Severity
Medium
CCI
CCI-001663
Version
IDNS-8X-700007
Vuln IDs
  • V-233912
Rule IDs
  • SV-233912r621666_rule
If name server replies are invalid or cannot be validated, many networking functions and communication would be adversely affected. With DNS, the presence of Delegation Signer (DS) records associated with child zones informs clients of the security status of child zones. These records are crucial to the DNSSEC chain of trust model. Each parent domain's DS record is used to verify the DNSKEY record in its subdomain, from the top of the DNS hierarchy down. A DNS server is an example of an information system providing name/address resolution service. Digital signatures and cryptographic keys are examples of additional artifacts. DNS resource records are examples of authoritative data. Applications other than the DNS to map between host/service names and network addresses must provide other means to ensure the authenticity and integrity of response data. DNSSEC provides the means to verify integrity assurances for the host/service name to network address resolution information obtained through the service. By using the delegation signer (DS) resource records in the DNS, the security status of a child domain can be validated. The DS resource record is used to identify the DNSSEC signing key of a delegated zone. The chain of trust is established starting with a trusted name server (such as the root name server) and moving down to the current source of response through successive verifications of signature of the public key of a child by its parent. The public key of the trusted name servers is called the trust anchor. After authenticating the source, the next process DNSSEC calls for is to authenticate the response. This requires that responses consist of not only the requested resource records (RRs) but also an authenticator associated with them. In DNSSEC, this authenticator is the digital signature of an RRSet. The digital signature of an RRSet is encapsulated through a special RRType called RRSIG. The DNS client using the trusted public key of the source (whose trust has just been established) then verifies the digital signature to detect if the response is valid or bogus. This control enables the DNS to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service. Without indication of the security status of a child domain and enabling verification of a chain of trust, integrity and availability of the DNS infrastructure cannot be assured.
Checks: C-37097r611256_chk

Note: For Infoblox DNS systems on a classified network, this requirement is Not Applicable. The Authoritative Check applies to external-facing authoritative zones: 1. Navigate to Data Management >> DNS >> Zones. Note: To add "Signed" column, select an existing column >> down arrow >> Columns >> Edit Columns. Set the "Signed" check box to "Visible" and select "Apply". DNSSEC signing status will be displayed in the "Zones" tab. 2. Verify that external authoritative zones are DNSSEC signed. Recursive Check: 1. Navigate to Data Management >> DNS. Edit "Grid DNS Properties", toggle Advanced Mode, and select the DNSSEC tab. 2. Validate that both "Enable DNSSEC" and "Enable DNSSEC Validation" options are enabled. 3. When complete, click "Cancel" to exit the "Properties" screen. If DNSSEC is not used for authoritative DNS and enabled for recursive clients, this is a finding.

Fix: F-37062r611257_fix

Note: Ensure DNSSEC is configured to meet all other STIG requirements prior to signing a zone to avoid signing with an unapproved configuration. Authoritative Fix: 1. Navigate to Data Management >> DNS >> Zones. 2. Select the appropriate zone using the check box. From the "DNSSEC" drop-down menu, select "Sign Zones". 3. Follow prompts to acknowledge zone signing. 4. Perform a service restart if necessary. Recursive Fix: 1. Navigate to Data Management >> DNS >> Zones. 2. Edit "Grid DNS Properties", toggle Advanced Mode, and select the "DNSSEC" tab. 3. Enable both "Enable DNSSEC" and "Enable DNSSEC Validation" options. 4. When complete, click "Save & Close" to save the changes and exit the "Properties" screen. 5. Perform a service restart if necessary.

b
The Infoblox DNS server must request data origin authentication verification on the name/address resolution responses the system receives from authoritative sources.
SC-21 - Medium - CCI-002465 - V-233913 - SV-233913r621666_rule
RMF Control
SC-21
Severity
Medium
CCI
CCI-002465
Version
IDNS-8X-700008
Vuln IDs
  • V-233913
Rule IDs
  • SV-233913r621666_rule
If data origin authentication and data integrity verification are not performed, the resultant response could be forged, it may have come from a poisoned cache, the packets could have been intercepted without the resolver's knowledge, or resource records could have been removed that would result in query failure or denial of service. Data origin authentication must be performed to thwart these types of attacks. Each client of name resolution services either performs this validation on its own or has authenticated channels to trusted validation providers. Information systems that provide name and address resolution services for local clients include, for example, recursive resolving or caching DNS servers. DNS client resolvers either perform validation of DNSSEC signatures, or clients use authenticated channels to recursive resolvers that perform such validations.
Checks: C-37098r611259_chk

Note: For Infoblox DNS systems on a classified network, this requirement is Not Applicable. 1. Validate that DNSSEC validation is enabled by navigating to Data Management >> DNS >> Grid DNS properties. 2. Toggle Advanced Mode and click on the "DNSSEC" tab. 3. Verify that both "Enable DNSSEC" and "Enable DNSSEC validation" are enabled. 4. When complete, click "Cancel" to exit the "Properties" screen. If both "Enable DNSSEC" and "Enable DNSSEC validation" are not enabled, this is a finding.

Fix: F-37063r611260_fix

1. Navigate to Data Management >> DNS >> Grid DNS properties. 2. Toggle Advanced Mode and click on the "DNSSEC" tab. 3. Enable both "Enable DNSSEC" and "Enable DNSSEC validation". 4. When complete, click "Save & Close" to save the changes and exit the "Properties" screen. 5. Perform a service restart if necessary.

b
The Infoblox DNS server must request data integrity verification on the name/address resolution responses the system receives from authoritative sources.
SC-21 - Medium - CCI-002466 - V-233914 - SV-233914r621666_rule
RMF Control
SC-21
Severity
Medium
CCI
CCI-002466
Version
IDNS-8X-700009
Vuln IDs
  • V-233914
Rule IDs
  • SV-233914r621666_rule
If data origin authentication and data integrity verification are not performed, the resultant response could be forged, it may have come from a poisoned cache, the packets could have been intercepted without the resolver's knowledge, or resource records could have been removed that would result in query failure or denial of service. Data integrity verification must be performed to thwart these types of attacks. Each client of name resolution services either performs this validation on its own or has authenticated channels to trusted validation providers. Information systems that provide name and address resolution services for local clients include, for example, recursive resolving or caching DNS servers. DNS client resolvers either perform validation of DNSSEC signatures, or clients use authenticated channels to recursive resolvers that perform such validations.
Checks: C-37099r611262_chk

Note: For Infoblox DNS systems on a classified network, this requirement is Not Applicable. 1. Validate that DNSSEC validation is enabled by navigating to Data Management >> DNS >> Grid DNS properties. 2. Toggle Advanced Mode and click on the "DNSSEC" tab. 3. Verify that both "Enable DNSSEC" and "Enable DNSSEC validation" are enabled. 4. When complete, click "Cancel" to exit the "Properties" screen. If both "Enable DNSSEC" and "Enable DNSSEC validation" are not enabled, this is a finding.

Fix: F-37064r611263_fix

1. Navigate to Data Management >> DNS >> Grid DNS properties. 2. Toggle Advanced Mode and click on the "DNSSEC" tab. 3. Enable both "Enable DNSSEC" and "Enable DNSSEC validation". 4. When complete, click "Save & Close" to save the changes and exit the "Properties" screen. 5. Perform a service restart if necessary.

b
The Infoblox DNS server must perform data integrity verification on the name/address resolution responses the system receives from authoritative sources.
SC-21 - Medium - CCI-002467 - V-233915 - SV-233915r621666_rule
RMF Control
SC-21
Severity
Medium
CCI
CCI-002467
Version
IDNS-8X-700010
Vuln IDs
  • V-233915
Rule IDs
  • SV-233915r621666_rule
If data origin authentication and data integrity verification are not performed, the resultant response could be forged, it may have come from a poisoned cache, the packets could have been intercepted without the resolver's knowledge, or resource records could have been removed that would result in query failure or denial of service. Data integrity verification must be performed to thwart these types of attacks. Each client of name resolution services either performs this validation on its own or has authenticated channels to trusted validation providers. Information systems that provide name and address resolution services for local clients include, for example, recursive resolving or caching DNS servers. DNS client resolvers either perform validation of DNSSEC signatures, or clients use authenticated channels to recursive resolvers that perform such validations.
Checks: C-37100r611265_chk

Note: For Infoblox DNS systems on a classified network, this requirement is Not Applicable. 1. Validate that DNSSEC validation is enabled by navigating to Data Management >> DNS >> Grid DNS properties. 2. Toggle Advanced Mode and click on the "DNSSEC" tab. 3. Verify that both "Enable DNSSEC" and "Enable DNSSEC validation" are enabled. 4. When complete, click "Cancel" to exit the "Properties" screen. If both "Enable DNSSEC" and "Enable DNSSEC validation" are not enabled, this is a finding.

Fix: F-37065r611266_fix

1. Navigate to Data Management >> DNS >> Grid DNS properties. 2. Toggle Advanced Mode and click on the "DNSSEC" tab. 3. Enable both "Enable DNSSEC" and "Enable DNSSEC validation". 4. When complete, click "Save & Close" to save the changes and exit the "Properties" screen. 5. Perform a service restart if necessary.

b
The Infoblox DNS server must perform data origin verification authentication on the name/address resolution responses the system receives from authoritative sources.
SC-21 - Medium - CCI-002468 - V-233916 - SV-233916r621666_rule
RMF Control
SC-21
Severity
Medium
CCI
CCI-002468
Version
IDNS-8X-700011
Vuln IDs
  • V-233916
Rule IDs
  • SV-233916r621666_rule
If data origin authentication and data integrity verification are not performed, the resultant response could be forged, it may have come from a poisoned cache, the packets could have been intercepted without the resolver's knowledge, or resource records could have been removed that would result in query failure or denial of service. Data integrity verification must be performed to thwart these types of attacks. Each client of name resolution services either performs this validation on its own or has authenticated channels to trusted validation providers. Information systems that provide name and address resolution services for local clients include, for example, recursive resolving or caching DNS servers. DNS client resolvers either perform validation of DNSSEC signatures, or clients use authenticated channels to recursive resolvers that perform such validations.
Checks: C-37101r611268_chk

Note: For Infoblox DNS systems on a classified network, this requirement is Not Applicable. 1. Validate that DNSSEC validation is enabled by navigating to Data Management >> DNS >> Grid DNS properties. 2. Toggle Advanced Mode and click on the "DNSSEC" tab. 3. Verify that both "Enable DNSSEC" and "Enable DNSSEC validation" are enabled. 4. When complete, click "Cancel" to exit the "Properties" screen. If both "Enable DNSSEC" and "Enable DNSSEC validation" are not enabled, this is a finding.

Fix: F-37066r611269_fix

1. Navigate to Data Management >> DNS >> Grid DNS properties. 2. Toggle Advanced Mode and click on the "DNSSEC" tab. 3. Enable both "Enable DNSSEC" and "Enable DNSSEC validation". 4. When complete, click "Save & Close" to save the changes and exit the "Properties" screen. 5. Perform a service restart if necessary.

b
Infoblox DNS servers must protect the authenticity of communications sessions for zone transfers when communicating with external DNS servers.
SC-23 - Medium - CCI-001184 - V-233917 - SV-233917r621666_rule
RMF Control
SC-23
Severity
Medium
CCI
CCI-001184
Version
IDNS-8X-700012
Vuln IDs
  • V-233917
Rule IDs
  • SV-233917r621666_rule
DNS is a fundamental network service that is prone to various attacks, such as cache poisoning and man-in-the middle attacks. Communication sessions between different DNS systems should employ protections such as DNSSEC or TSIG to validate the integrity of data being transmitted.
Checks: C-37102r611271_chk

1. Navigate to Data Management >> DNS >> Zones tab. 2. Review each zone by clicking "Edit" and inspecting the "Name Servers" tab. 3. If all name server entries in the "Type" column are configured as "Grid", this check is Not Applicable. 4. Verify that each zone containing non-Grid name servers is further verified by inspection of the "Zone Transfers" tab and configuration of TSIG Access Control Entry (ACE). 5. When complete, click "Cancel" to exit the "Properties" screen. If there is a non-Grid system that uses zone transfers but does not have a TSIG key, this is a finding.

Fix: F-37067r611272_fix

1. Navigate to Data Management >> DNS >> Zones tab. Select a zone and click "Edit". 2. Click on the "Zone Transfers" tab and click "Override" for the "Allow Zone Transfers to" section. 3. Use the radio button to select "Set of ACEs" and the "Add" drop-down to configure a TSIG key. 4. It is important to verify that both the Infoblox and other DNS server have the identical TSIG configuration and time synchronization. 5. When complete, click "Save & Close" to save the changes and exit the "Properties" screen. 6. Perform a service restart if necessary. 7. Verify zone transfers are operational after configuration of TSIG.

b
Infoblox DNS servers must protect the authenticity of communications sessions for dynamic updates.
SC-23 - Medium - CCI-001184 - V-233918 - SV-233918r621666_rule
RMF Control
SC-23
Severity
Medium
CCI
CCI-001184
Version
IDNS-8X-700013
Vuln IDs
  • V-233918
Rule IDs
  • SV-233918r621666_rule
DNS is a fundamental network service that is prone to various attacks, such as cache poisoning and man-in-the middle attacks. Communication sessions between different DNS clients and servers should employ protections such as DNSSEC or TSIG to validate the integrity of data being transmitted.
Checks: C-37103r611274_chk

Infoblox Systems can be configured in two ways to limit DDNS client updates. For clients that support GSS-TSIG: 1. Navigate to Data Management >> DNS >> Members tab. 2. Review each server with the DNS service enabled. 3. Select each server, click "Edit", toggle Advanced Mode, and select GSS-TSIG. 4. Verify that "Enable GSS-TSIG authentication of clients" is enabled. 5. When complete, click "Cancel" to exit the "Properties" screen. For clients that do not support GSS-TSIG: 1. Navigate to Data Management >> DNS >> Members tab. 2. Review each server with the DNS service enabled. 3. Select each server and click "Edit". 4. Select the "Updates" tab. 5. Verify that either a Named ACL or set of Access Control Entries (ACEs) is used to limit client DDNS updates. 6. When complete, click "Cancel" to exit the "Properties" screen. If clients that support GSS-TSIG do not have "Enable GSS-TSIG authentication of clients" set or a named ACL or set of ACEs for clients that do not support GSS-TSIG, this is a finding.

Fix: F-37068r611275_fix

Infoblox Systems can be configured in two ways to limit DDNS client updates. Refer to the Administrator Guide for detailed instructions. For clients that support GSS-TSIG: 1. Navigate to Data Management >> DNS >> Members tab. 2. Review each server with the DNS service enabled. 3. Select each server, click "Edit", toggle Advanced Mode, and select GSS-TSIG. 4. Configure the option "Enable GSS-TSIG authentication of clients". 5. Upload the required keys. 6. When complete, click "Save & Close" to save the changes and exit the "Properties" screen. 7. Perform a service restart if necessary. For clients that do not support GSS-TSIG: 1. Navigate to Data Management >> DNS >> Members tab. 2. Review each server with the DNS service enabled. 3. Select each server and click "Edit". 4. Select the "Updates" tab. 5. Select an existing Named ACL or configure a new set of ACEs to limit client DDNS. 6. When complete, click "Save & Close" to save the changes and exit the "Properties" screen. 7. Perform a service restart if necessary.

b
Infoblox DNS servers must protect the authenticity of communications sessions for queries.
SC-23 - Medium - CCI-001184 - V-233919 - SV-233919r621666_rule
RMF Control
SC-23
Severity
Medium
CCI
CCI-001184
Version
IDNS-8X-700014
Vuln IDs
  • V-233919
Rule IDs
  • SV-233919r621666_rule
The underlying feature in the major threat associated with DNS query/response (i.e., forged response or response failure) is the integrity of DNS data returned in the response. An integral part of integrity verification is to ensure that valid data has originated from the right source. DNSSEC is required for securing the DNS query/response transaction by providing data origin authentication and data integrity verification through signature verification and the chain of trust.
Checks: C-37104r611277_chk

Note: For Infoblox DNS systems on a classified network, this requirement is Not Applicable. 1. Navigate to Data Management >> DNS >> Grid DNS properties. 2. Toggle Advanced Mode and click on "DNSSEC" tab. 3. Verify that both "Enable DNSSEC" and "Enable DNSSEC validation" are enabled. 4. When complete, click "Cancel" to exit the "Properties" screen. If both "Enable DNSSEC" and "Enable DNSSEC validation" are not enabled, this is a finding.

Fix: F-37069r611278_fix

1. Navigate to Data Management >> DNS >> Grid DNS properties. 2. Toggle Advanced Mode and click on the "DNSSEC" tab. 3. Enable both "Enable DNSSEC" and "Enable DNSSEC validation". 4. When complete, click "Save & Close" to save the changes and exit the "Properties" screen. 5. Perform a service restart if necessary.

b
In the event of a system failure, the Infoblox system must preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to mission processes.
SC-24 - Medium - CCI-001665 - V-233920 - SV-233920r621666_rule
RMF Control
SC-24
Severity
Medium
CCI
CCI-001665
Version
IDNS-8X-700015
Vuln IDs
  • V-233920
Rule IDs
  • SV-233920r621666_rule
Failure to a known state can address safety or security in accordance with the mission/business needs of the organization. Preserving application state information helps to facilitate application restart and return to the operational mode of the organization with less disruption to mission-essential processes.
Checks: C-37105r611280_chk

By default, all system events are logged to the local SYSLOG and stored on the Infoblox appliance. To ensure log data is preserved in the event of system failure, an external log server must be configured. Verify that external logging is operational and messages from the Audit log are also forwarded to the remote log system. 1. Navigate to Grid >> Grid Manager >> Grid Properties, or System >> System Manager >> System Properties if using a stand-alone configuration. 2. Select the "Monitoring" tab. 3. Validate that "Log to External Syslog Servers" is enabled and an External Syslog Server must be configured. 4. Validate "Copy Audit Log Message to Syslog" is enabled. 5. When complete, click "Cancel" to exit the "Properties" screen. If both "Log to External Syslog Servers" and "Copy Audit Log Message to Syslog" are not enabled, this is a finding.

Fix: F-37070r611281_fix

1. Navigate to Grid >> Grid Manager >> Grid Properties, or System >> System Manager >> System Properties if using a stand-alone configuration. 2. Select the "Monitoring" tab. 3. Enable "Log to External Syslog Server" and configure at least one External Syslog Server. 4. Enable the option "Copy Audit Log Message to Syslog". 5. Click "Save & Close" to save the changes and exit the "Properties" screen. 6. Perform a service restart if necessary.

b
The Infoblox system must restrict the ability of individuals to use the DNS server to launch denial-of-Service (DoS) attacks against other information systems.
SC-5 - Medium - CCI-001094 - V-233921 - SV-233921r621666_rule
RMF Control
SC-5
Severity
Medium
CCI
CCI-001094
Version
IDNS-8X-700016
Vuln IDs
  • V-233921
Rule IDs
  • SV-233921r621666_rule
The Infoblox system must restrict the ability of individuals to use the DNS server to launch DoS attacks against other information systems.
Checks: C-37106r611283_chk

Infoblox systems have a number of options that can be configured to reduce the ability to be exploited in a DoS attack. Primary consideration for this check should be given to client restrictions such as disabling open recursive servers, using Access Control Lists (ACLs) to limit client communication, and placement in secure network architecture to prevent address spoofing. 1. Navigate to Data Management >> DNS >> Grid DNS Properties. 2. For external authoritative name servers: a. Select the "Queries" tab. b. Verify the "Allow Recursion" check box is not enabled. 3. For internal name servers: a. On the "Updates" tab, verify that an ACL or Access Control Entry (ACE) for "Allow updates from" is enabled. b. On the "Queries" tab, verify that either an ACL or ACE for "Allow queries from" is enabled. 4. When complete, click "Cancel" to save the changes and exit the "Properties" screen. If there is an open recursive DNS service on external name servers, or unrestricted access to internal name servers, this is a finding.

Fix: F-37071r611284_fix

1. Navigate to Data Management >> DNS >> Grid DNS Properties. 2. Select the "Queries" tab. 3. For external authoritative name servers, disable "Allow Recursion" by clearing the check box. 4. For internal name servers, on the "Updates" tab, configure either an ACL or ACE for "Allow updates from". 5. On the "Queries" tab, configure either an ACL or ACE for "Allow queries from". 6. When complete, click "Save & Close" to save the changes and exit the "Properties" screen. 7. Perform a service restart if necessary.

b
The Infoblox system must manage excess capacity, bandwidth, or other redundancy to limit the effects of information-flooding types of denial-of-service (DoS) attacks.
SC-5 - Medium - CCI-001095 - V-233922 - SV-233922r621666_rule
RMF Control
SC-5
Severity
Medium
CCI
CCI-001095
Version
IDNS-8X-700017
Vuln IDs
  • V-233922
Rule IDs
  • SV-233922r621666_rule
A DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. In the case of application DoS attacks, care must be taken when designing the application to ensure the application makes the best use of system resources. SQL queries have the potential to consume large amounts of CPU cycles if they are not tuned for optimal performance. Web services containing complex calculations requiring large amounts of time to complete can bog down if too many requests for the service are encountered within a short period of time. A DoS attack against the DNS infrastructure has the potential to cause a DoS to all network users. As the DNS is a distributed backbone service of the internet, various forms of amplification attacks resulting in DoS, while using the DNS, are still prevalent on the internet today. Some potential DoS flooding attacks against the DNS include malformed packet flood, spoofed source addresses, and distributed DoS. Without the DNS, users and systems would not have the ability to perform simple name-to-IP resolution. Configuring the DNS implementation to defend against cache poisoning, employing increased capacity and bandwidth, building redundancy into the DNS architecture, using DNSSEC, and limiting and securing recursive services, DNS black holes, etc., may reduce the susceptibility to some flooding types of DoS attacks.
Checks: C-37107r611286_chk

Infoblox systems have a number of options that can be configured to reduce the ability to be exploited in a DoS attack. Use of rate limiting can reduce risk from cache poisoning attacks and DoS attacks. 1. Log on to the Infoblox system CLI and issue the following commands: "show ip_rate_limit" and "show dns_rrl" 2. Review the output from these commands with the network architecture. 3. If the system uses the Advanced DNS Protection (ADP) (Threat Protection) feature, IP rate limiting is implemented using the DNS security rule-set available in the web GUI. If the ADP feature set is implemented, use of the ip_rate_limit and dns_rrl CLI commands is not required, and this check is Not Applicable. Refer to the Infoblox Admin Guide for additional details if needed. If rate limiting is not configured on the Infoblox system or within the network security architecture protecting the Infoblox system, this is a finding.

Fix: F-37072r611287_fix

Prior to implementation, review the Infoblox CLI Guide and verify all configuration options. 1. Log on to the Infoblox system using the CLI. 2. Use "set ip_rate_limit [OPTIONS}" to reduce risk of cache poisoning attacks by rate limiting udp/53 traffic. 3. Use "set dns_rrl [OPTIONS]" to enable DNS response rate limiting. 4. Upon completion, log out of the CLI. This helps reduce the risk of DoS attacks by reducing the rate at which authoritative name servers respond to queries, such as a flood.

b
The Infoblox DNS server must protect the integrity of transmitted information.
SC-8 - Medium - CCI-002418 - V-233923 - SV-233923r621666_rule
RMF Control
SC-8
Severity
Medium
CCI
CCI-002418
Version
IDNS-8X-700018
Vuln IDs
  • V-233923
Rule IDs
  • SV-233923r621666_rule
Without protection of the transmitted information, confidentiality and integrity may be compromised since unprotected communications can be intercepted and either read or altered. Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. Confidentiality is not an objective of DNS, but integrity is. DNSSEC digitally signs DNS information to authenticate its source and ensure its integrity.
Checks: C-37108r611289_chk

Note: For Infoblox DNS systems on a classified network, this requirement is Not Applicable. 1. Verify that DNSSEC is enabled by navigating to Data Management >> DNS >> Grid DNS properties tab. 2. Toggle Advanced Mode and review the "DNSSEC" tab to verify that DNSSEC is enabled. 3. When complete, click "Cancel" to exit the "Properties" screen. If DNSSEC validation is not enabled, this is a finding.

Fix: F-37073r611290_fix

1. Navigate to Data Management >> DNS >> Grid DNS properties tab. 2. Toggle Advanced Mode and select the "DNSSEC" tab. 3. Enable DNSSEC by selecting the check box. 4. When complete, click "Save & Close" to save the changes and exit the "Properties" screen. 5. Perform a service restart if necessary.

b
The Infoblox DNS server must implement cryptographic mechanisms to detect changes to information during transmission unless otherwise protected by alternative physical safeguards, such as, at a minimum, a Protected Distribution System (PDS).
SC-8 - Medium - CCI-002421 - V-233924 - SV-233924r621666_rule
RMF Control
SC-8
Severity
Medium
CCI
CCI-002421
Version
IDNS-8X-700019
Vuln IDs
  • V-233924
Rule IDs
  • SV-233924r621666_rule
Encrypting information for transmission protects it from unauthorized disclosure and modification. Cryptographic mechanisms implemented to protect information integrity include, for example, cryptographic hash functions that have common application in digital signatures, checksums, and message authentication codes. Confidentiality is not an objective of DNS, but integrity is. DNSSEC digitally signs DNS information to authenticate its source and ensure its integrity.
Checks: C-37109r611292_chk

Note: For Infoblox DNS systems on a classified network, this requirement is Not Applicable. 1. Verify that DNSSEC is enabled by navigating to Data Management >> DNS >> Grid DNS properties tab. 2. Toggle Advanced Mode and review the "DNSSEC" tab to verify that DNSSEC is enabled. 3. When complete, click "Cancel" to exit the "Properties" screen. If DNSSEC validation is not enabled, this is a finding.

Fix: F-37074r611293_fix

1. Navigate to Data Management >> DNS >> Grid DNS properties tab. 2. Toggle Advanced Mode and select the "DNSSEC" tab. 3. Enable DNSSEC by selecting the check box. 4. When complete, click "Save & Close" to save the changes and exit the "Properties" screen. 5. Perform a service restart if necessary.

b
The Infoblox DNS server implementation must maintain the integrity of information during preparation for transmission.
SC-8 - Medium - CCI-002420 - V-233925 - SV-233925r621666_rule
RMF Control
SC-8
Severity
Medium
CCI
CCI-002420
Version
IDNS-8X-700020
Vuln IDs
  • V-233925
Rule IDs
  • SV-233925r621666_rule
Information can be unintentionally or maliciously disclosed or modified during preparation for transmission, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information. Confidentiality is not an objective of DNS, but integrity is. DNS is responsible for maintaining the integrity of DNS information while it is being prepared for transmission.
Checks: C-37110r611295_chk

Note: For Infoblox DNS systems on a classified network, this requirement is Not Applicable. 1. Navigate to Data Management >> DNS >> Zones. 2. For all external-facing authoritative zones and review all external authoritative zones. Note: To add "Signed" column, select an existing column >> down arrow >> Columns >> Edit Columns. Set the "Signed" check box to "Visible" and select "Apply". DNSSEC signing status will be displayed in the "Zones" tab. 3. Verify that external authoritative zones are DNSSEC signed. If DNSSEC is not used for authoritative DNS, this is a finding.

Fix: F-37075r611296_fix

Note: Ensure DNSSEC is configured to meet all other STIG requirements prior to signing a zone to avoid signing with an unapproved configuration. 1. Navigate to Data Management >> DNS >> Zones. 2. Select the appropriate zone using the check box. Using the "DNSSEC" drop-down menu, select "Sign Zones". 3. Follow prompts to acknowledge zone signing. 4. Perform a service restart if necessary.

b
The Infoblox DNS server implementation must maintain the integrity of information during reception.
SC-8 - Medium - CCI-002422 - V-233926 - SV-233926r621666_rule
RMF Control
SC-8
Severity
Medium
CCI
CCI-002422
Version
IDNS-8X-700021
Vuln IDs
  • V-233926
Rule IDs
  • SV-233926r621666_rule
Information can be unintentionally or maliciously disclosed or modified during reception, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information. Confidentiality is not an objective of DNS, but integrity is. DNS is responsible for maintaining the integrity of DNS information while it is being received.
Checks: C-37111r611298_chk

Note: For Infoblox DNS systems on a classified network, this requirement is Not Applicable. 1. Navigate to Data Management >> DNS >> Zones. 2. For all external-facing authoritative zones and review all external authoritative zones. Note: To add "Signed" column, select an existing column >> down arrow >> Columns >> Edit Columns. Set the "Signed" check box to "Visible" and select "Apply". DNSSEC signing status will be displayed in the Zones tab. Verify that external authoritative zones are DNSSEC signed. If DNSSEC is not used for authoritative DNS this is a finding.

Fix: F-37076r611299_fix

Note: Ensure DNSSEC is configured to meet all other STIG requirements prior to signing a zone to avoid signing with an unapproved configuration. 1. Navigate to Data Management >> DNS >> Zones. 2. Select the appropriate zone using the check box. Using the "DNSSEC" drop-down menu, select "Sign Zones". 3. Follow prompts to acknowledge zone signing. 4. Perform a service restart if necessary.

b
The Infoblox system must notify the ISSO and ISSM in the event of failed security verification tests.
SI-6 - Medium - CCI-001294 - V-233927 - SV-233927r621666_rule
RMF Control
SI-6
Severity
Medium
CCI
CCI-001294
Version
IDNS-8X-800001
Vuln IDs
  • V-233927
Rule IDs
  • SV-233927r621666_rule
Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes but is not limited to establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. If personnel are not notified of failed security verification tests, they will not be able to take corrective action, and the unsecure condition(s) will remain. Notifications provided by information systems include messages to local computer consoles and/or hardware indications, such as lights. The Infoblox system must be configured to generate audit records whenever a self-test fails.
Checks: C-37112r611301_chk

Infoblox systems are capable of providing notifications via remote SYSLOG, SNMP, and SMTP. 1. Navigate to Grid >> Grid Manager >> Grid Properties, or System >> System Manager >> System Properties if using a stand-alone configuration. 2. Select the Monitoring tab. 3. Verify that "Log to External Syslog Servers" is enabled and an External Syslog Server is configured. 4. When complete, click "Cancel" to exit the "Properties" screen. If no external notifications are enabled, this is a finding.

Fix: F-37077r611302_fix

1. Navigate to Grid >> Grid Manager >> Grid Properties, or System >> System Manager >> System Properties if using a stand-alone configuration. 2. Select the Monitoring tab. 3. Enable "Log to External Syslog Servers" using the check box. 4. Configure an "External Syslog Server". 5. When complete, click "Save & Close" to save the changes and exit the "Properties" screen. 6. Perform a service restart if necessary. 7. Review the SYSLOG data on the remote SYSLOG server to validate operation.

b
The Infoblox DNS server implementation must log the event and notify the system administrator when anomalies in the operation of the signed zone transfers are discovered.
SI-6 - Medium - CCI-002702 - V-233928 - SV-233928r621666_rule
RMF Control
SI-6
Severity
Medium
CCI
CCI-002702
Version
IDNS-8X-800002
Vuln IDs
  • V-233928
Rule IDs
  • SV-233928r621666_rule
Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes but is not limited to establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. Notifications provided by information systems include messages to local computer consoles, and/or hardware indications, such as lights. If anomalies are not acted upon, security functions may fail to secure the system. The DNS server does not have the capability of shutting down or restarting the information system. The DNS server can be configured to generate audit records when anomalies are discovered, and the OS/NDM can then trigger notification messages to the system administrator based on the presence of those audit records.
Checks: C-37113r611304_chk

Infoblox systems are capable of providing notifications via remote SYSLOG, SNMP, and SMTP. 1. Navigate to Grid >> Grid Manager >> Grid Properties, or System >> System Manager >> System Properties if using a stand-alone configuration. 2. Select the "Monitoring" tab. 3. Verify that "Log to External Syslog Servers" is enabled and an External Syslog Server is configured. 4. Click "Cancel" to exit the "Properties" screen. 5. Navigate to DNS >> DNS Management and select Grid or System DNS Properties if using a stand-alone configuration. 6. Toggle Advanced Mode and select the "Logging" tab. Validate that the "dnsssec" SYSLOG category is enabled. 7. When complete, click "Cancel" to exit the "Properties" screen. If DNSSEC is not configured to send external notifications to a valid external SYSLOG server, this is a finding.

Fix: F-37078r611305_fix

1. Navigate to Grid >> Grid Manager >> Grid Properties, or System >> System Manager >> System Properties if using a stand-alone configuration. 2. Select the "Monitoring" tab. 3. Enable "Log to External Syslog Servers" using the check box. 4. Configure an "External Syslog Server". 5. Click "Save & Close" to save the changes and exit the "Properties" screen. 6. Navigate to DNS >> DNS Management and select Grid or System DNS Properties if using a stand-alone configuration. 7. Toggle Advanced Mode and select the "Logging" tab. 8. Enable the "dnsssec" SYSLOG category. 9. When complete, click "Save & Close" to save the changes and exit the "Properties" screen. 10. Perform a service restart if necessary.