The Infoblox DNS server must send outgoing DNS messages from a random port.
An XCCDF Rule
Description
<VulnDiscussion>OS configuration practices as issued by the US Computer Emergency Response Team (US CERT) and the National Institute of Standards and Technology's (NIST's) National Vulnerability Database (NVD), based on identified vulnerabilities that pertain to the application profile into which the name server software fits, should be always followed. In particular, hosts that run the name server software should not provide any other services and therefore should be configured to respond to DNS traffic only. In other words, the only allowed incoming ports/protocols to these hosts should be 53/udp and 53/tcp. Outgoing DNS messages should be sent from a random port to minimize the risk of an attacker guessing the outgoing message port and sending forged replies.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-233878r621666_rule
- Severity
- Medium
- References
- Updated
Remediation - Manual Procedure
1. Navigate to Data Management >> DNS >> Grid DNS Properties, or System DNS properties on a stand-alone system.
2. Toggle Advanced Mode and select General >> Advanced tab. Disable "Set static source UDP port for queries (not recommended)" and "Set static source UDP port for notify messages".
3. Navigate to Data Management >> DNS >> Members tab.
4. Review each Infoblox member with the DNS service enabled.
5. Select each server, click "Edit", toggle Advanced Mode, and select General >> Advanced tab.
6. Locate the section labeled "Source port settings" and click "Override" to use the Grid default values that disable static source ports.