Infoblox 7.x DNS Security Technical Implementation Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • SRG-APP-000215-DNS-000003

    Group
  • SRG-APP-000215-DNS-000026

    Group
  • A DNS server implementation must provide the means to enable verification of a chain of trust among parent and child domains (if the child supports secure resolution services).

    If name server replies are invalid or cannot be validated, many networking functions and communication would be adversely affected. With DNS, the presence of Delegation Signer (DS) records associat...
    Rule Medium Severity
  • SRG-APP-000219-DNS-000028

    Group
  • SRG-APP-000421-DNS-000054

    Group
  • SRG-APP-000219-DNS-000029

    Group
  • Infoblox DNS servers must be configured to protect the authenticity of communications sessions for dynamic updates.

    DNS is a fundamental network service that is prone to various attacks, such as cache poisoning and man-in-the-middle attacks. If communication sessions are not provided appropriate validity protect...
    Rule Medium Severity
  • SRG-APP-000219-DNS-000030

    Group
  • Infoblox DNS servers must be configured to protect the authenticity of communications sessions for queries.

    The underlying feature in the major threat associated with DNS query/response (i.e., forged response or response failure) is the integrity of DNS data returned in the response. An integral part of ...
    Rule Medium Severity
  • SRG-APP-000226-DNS-000032

    Group
  • SRG-APP-000246-DNS-000035

    Group
  • The Infoblox system must be configured to restrict the ability of individuals to use the DNS server to launch Denial of Service (DoS) attacks against other information systems.

    A DoS is a condition where a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. Individual...
    Rule Medium Severity
  • SRG-APP-000247-DNS-000036

    Group
  • SRG-APP-000268-DNS-000039

    Group
  • SRG-APP-000347-DNS-000041

    Group
  • An Infoblox DNS server must strongly bind the identity of the DNS server with the DNS information using DNSSEC.

    Weakly bound credentials can be modified without invalidating the credential; therefore, non-repudiation can be violated. This requirement supports audit requirements that provide organizational p...
    Rule Medium Severity
  • SRG-APP-000348-DNS-000042

    Group
  • The Infoblox system must be configured to provide the means for authorized individuals to determine the identity of the source of the DNS server-provided information.

    Without a means for identifying the individual that produced the information, the information cannot be relied upon. Identifying the validity of information may be delayed or deterred. This requir...
    Rule Medium Severity
  • SRG-APP-000349-DNS-000043

    Group
  • The DNS server implementation must maintain the integrity of information during preparation for transmission.

    Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission, including, for example, during aggregation, at protocol transformation points, an...
    Rule Medium Severity
  • SRG-APP-000442-DNS-000067

    Group
  • SRG-APP-000383-DNS-000047

    Group
  • SRG-APP-000394-DNS-000049

    Group
  • The Infoblox system must authenticate the other DNS server before responding to a server-to-server transaction.

    Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Device authentication is a solution enabling an organization to manage de...
    Rule Medium Severity
  • SRG-APP-000395-DNS-000050

    Group
  • The DNS server implementation must authenticate another DNS server before establishing a remote and/or network connection using bidirectional authentication that is cryptographically based.

    Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Bidirectional authentication provides stronger safeguards to validate the...
    Rule Medium Severity
  • SRG-APP-000420-DNS-000053

    Group
  • A DNS server implementation must provide data origin artifacts for internal name/address resolution queries.

    The major threat associated with DNS forged responses or failures is the integrity of the DNS data returned in the response. The principle of DNSSEC is to mitigate this threat by providing data ori...
    Rule Medium Severity
  • SRG-APP-000422-DNS-000055

    Group
  • A DNS server implementation must provide additional integrity artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries.

    The major threat associated with DNS forged responses or failures is the integrity of the DNS data returned in the response. The principle of DNSSEC is to mitigate this threat by providing data ori...
    Rule Medium Severity
  • SRG-APP-000423-DNS-000056

    Group
  • A DNS server implementation must request data origin authentication verification on the name/address resolution responses the system receives from authoritative sources.

    If data origin authentication and data integrity verification are not performed, the resultant response could be forged, it may have come from a poisoned cache, the packets could have been intercep...
    Rule Medium Severity
  • SRG-APP-000424-DNS-000057

    Group
  • A DNS server implementation must request data integrity verification on the name/address resolution responses the system receives from authoritative sources.

    If data origin authentication and data integrity verification are not performed, the resultant response could be forged, it may have come from a poisoned cache, the packets could have been intercep...
    Rule Medium Severity
  • SRG-APP-000425-DNS-000058

    Group
  • SRG-APP-000426-DNS-000059

    Group
  • SRG-APP-000439-DNS-000063

    Group
  • The Infoblox system must be configured to protect the integrity of transmitted information.

    Without protection of the transmitted information, confidentiality and integrity may be compromised since unprotected communications can be intercepted and either read or altered. Communication p...
    Rule Medium Severity
  • SRG-APP-000440-DNS-000065

    Group
  • The Infoblox system must implement cryptographic mechanisms to detect changes to information during transmission unless otherwise protected by alternative physical safeguards, such as, at a minimum, a Protected Distribution System (PDS).

    Encrypting information for transmission protects information from unauthorized disclosure and modification. Cryptographic mechanisms implemented to protect information integrity include, for exampl...
    Rule Medium Severity
  • SRG-APP-000441-DNS-000066

    Group
  • A secure Out Of Band (OOB) network must be utilized for management of Infoblox Grid Members.

    The Infoblox Grid Master is the central point of management within an Infoblox Grid. The Grid Master retains a full copy of the configuration used for the entire Grid. The Grid Master should commun...
    Rule Medium Severity
  • SRG-APP-000516-DNS-000500

    Group
  • SRG-APP-000451-DNS-000069

    Group
  • SRG-APP-000474-DNS-000073

    Group
  • The DNS server implementation must log the event and notify the system administrator when anomalies in the operation of the signed zone transfers are discovered.

    Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data ...
    Rule Medium Severity
  • SRG-APP-000514-DNS-000075

    Group
  • The DNS server must implement NIST FIPS-validated cryptography for provisioning digital signatures, generating cryptographic hashes, and protecting unclassified information requiring confidentiality.

    Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The application must implement cryptographic modules adhering to the higher standards ...
    Rule High Severity
  • SRG-APP-000516-DNS-000078

    Group
  • The Zone Signing Key (ZSK) rollover interval must be configured to less than two months.

    An attacker that has compromised a ZSK can use that key only during the KSK's signature validity interval. An attacker that has compromised a KSK can use that key for only as long as the signature ...
    Rule Medium Severity
