Infoblox 7.x DNS Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Infoblox systems which are configured to perform zone transfers to non-Grid name servers must utilize transaction signatures (TSIG).
Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. This applies to server-to-server (zone transfer) transactions only and is pr...Rule Medium Severity -
Only the private key corresponding to the ZSK alone must be kept on the name server that does support dynamic updates.
Infoblox systems when deployed in a Grid configuration store DNSSEC keys on the designated Grid Master system. As the central point of administration, the Grid Master should be configured for admin...Rule Medium Severity -
SRG-APP-000176-DNS-000096
Group -
Signature generation using the KSK must be done off-line, using the KSK-private stored off-line.
Infoblox systems when deployed in a Grid configuration store DNSSEC keys on the designated Grid Master system. As the central point of administration, the Grid Master should be configured for admin...Rule Medium Severity -
SRG-APP-000185-DNS-000021
Group -
SRG-APP-000213-DNS-000024
Group -
The Infoblox system must be configured to provide additional data origin artifacts along with the authoritative data the system returns in response to external name/address resolution queries.
The underlying feature in the major threat associated with DNS query/response (i.e., forged response or response failure) is the integrity of DNS data returned in the response. The security objecti...Rule Medium Severity -
SRG-APP-000214-DNS-000025
Group -
SRG-APP-000214-DNS-000079
Group -
The Key Signing Key (KSK) rollover interval must be configured to no less than one year.
The DNS root key is a cryptographic public-private key pair used for DNSSEC signing of the DNS root zone records. The root zone KSK serves as the anchor for the “chain of trust” that enables DNS re...Rule Medium Severity -
SRG-APP-000215-DNS-000003
Group -
SRG-APP-000215-DNS-000026
Group -
A DNS server implementation must provide the means to enable verification of a chain of trust among parent and child domains (if the child supports secure resolution services).
If name server replies are invalid or cannot be validated, many networking functions and communication would be adversely affected. With DNS, the presence of Delegation Signer (DS) records associat...Rule Medium Severity -
SRG-APP-000219-DNS-000028
Group -
SRG-APP-000421-DNS-000054
Group -
SRG-APP-000219-DNS-000029
Group -
Infoblox DNS servers must be configured to protect the authenticity of communications sessions for dynamic updates.
DNS is a fundamental network service that is prone to various attacks, such as cache poisoning and man-in-the middle attacks. If communication sessions are not provided appropriate validity protect...Rule Medium Severity -
SRG-APP-000219-DNS-000030
Group -
Infoblox DNS servers must be configured to protect the authenticity of communications sessions for queries.
The underlying feature in the major threat associated with DNS query/response (i.e., forged response or response failure) is the integrity of DNS data returned in the response. An integral part of ...Rule Medium Severity -
SRG-APP-000226-DNS-000032
Group
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.