Infoblox 7.x DNS Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
SRG-APP-000516-DNS-000101
Group -
SRG-APP-000516-DNS-000102
Group -
SRG-APP-000142-DNS-000014
Group -
SRG-APP-000176-DNS-000094
Group -
The DHCP service must not be enabled on an external authoritative name server.
The site DNS and DHCP architecture must be reviewed to ensure only the appropriate services are enabled on each Grid Member. An external authoritative name server must be configured to allow only a...Rule Medium Severity -
SRG-APP-000516-DNS-000500
Group -
SRG-APP-000001-DNS-000001
Group -
Infoblox systems which perform zone transfers to non-Infoblox Grid DNS servers must be configured to limit the number of concurrent sessions for zone transfers.
Limiting the number of concurrent sessions reduces the risk of Denial of Service (DoS) to the DNS implementation. Infoblox DNS servers configured in a Grid do not utilize zone transfers; data is r...Rule Low Severity -
Primary authoritative name servers must be configured to only receive zone transfer requests from specified secondary name servers.
Authoritative name servers (especially primary name servers) should be configured with an allow-transfer access control substatement designating the list of hosts from which zone transfer requests ...Rule Medium Severity -
Infoblox systems configured to run the DNS service must be configured to prohibit or restrict unapproved ports and protocols.
In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable...Rule Medium Severity -
The Infoblox system must be configured to employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions.
If maintenance tools are used by unauthorized personnel, they may accidentally or intentionally damage or compromise the system. The act of managing systems and applications includes the ability to...Rule Medium Severity -
A DNS server implementation must provide the means to indicate the security status of child zones.
If name server replies are invalid or cannot be validated, many networking functions and communication would be adversely affected. With DNS, the presence of Delegation Signer (DS) records associat...Rule Medium Severity -
The Infoblox system implementation must enforce approved authorizations for controlling the flow of information between DNS servers and between DNS servers and DNS clients based on DNSSEC policies.
A mechanism to detect and prevent unauthorized communication flow must be configured or provided as part of the system design. If information flow is not enforced based on approved authorizations, ...Rule Medium Severity -
Infoblox DNS servers must protect the authenticity of communications sessions for zone transfers.
DNS is a fundamental network service that is prone to various attacks, such as cache poisoning and man-in-the middle attacks. If communication sessions are not provided appropriate validity prote...Rule Medium Severity -
In the event of a system failure, The Infoblox system must preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to mission processes.
Failure to a known state can address safety or security in accordance with the mission/business needs of the organization. Failure to a known secure state helps prevent a loss of confidentiality, i...Rule Medium Severity -
The Infoblox system must be configured to manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of Denial of Service (DoS) attacks.
A DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. In the ca...Rule Medium Severity -
The Infoblox system must be configured to activate a notification to the system administrator when a component failure is detected.
Predictable failure prevention requires organizational planning to address system failure issues. If components key to maintaining systems security fail to function, the system could continue opera...Rule Medium Severity -
The Infoblox system must be configured to validate the binding of the other DNS servers identity to the DNS information for a server-to-server transaction (e.g., zone transfer).
Validation of the binding of the information prevents the modification of information between production and review. The validation of bindings can be achieved, for example, by the use of cryptogra...Rule Medium Severity -
Recursion must be disabled on Infoblox DNS servers which are configured as authoritative name servers.
A potential vulnerability of DNS is that an attacker can poison a name server's cache by sending queries that will cause the server to obtain host-to-IP address mappings from bogus name servers tha...Rule Medium Severity -
A DNS server implementation must provide data integrity protection artifacts for internal name/address resolution queries.
The major threat associated with DNS forged responses or failures is the integrity of the DNS data returned in the response. The principle of DNSSEC is to mitigate this threat by providing data ori...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.