The Infoblox DNS server must authenticate to any external (non-Grid) DNS servers before responding to a server-to-server transaction.
An XCCDF Rule
Description
<VulnDiscussion>Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Device authentication is a solution enabling an organization to manage devices. It is an additional layer of authentication ensuring only specific preauthorized devices can access the system. This requirement applies to server-to-server (zone transfer) transactions only and is provided by TSIG, which enforces mutual server authentication using a key that is unique to each server pair (TSIG).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-233900r621666_rule
- Severity
- Medium
- References
- Updated
Remediation - Manual Procedure
Note that TSIG relies on both key and time synchronization. TSIG will fail if the local clocks on both names are not synchronized.
1. Navigate to the Data Management >> DNS >> Zones tab.
2. Select a zone and click "Edit". Click on the "Zone Transfers" tab and click "Override" for the "Allow Zone Transfers to" section.
3. Use the radio button to select "Set of ACEs" and the "Add" drop-down to configure a TSIG key.
4. It is important to verify that both the Infoblox and other DNS server have the identical TSIG configuration.