Infoblox DNS servers must protect the authenticity of communications sessions for zone transfers when communicating with external DNS servers.
An XCCDF Rule
Description
<VulnDiscussion>DNS is a fundamental network service that is prone to various attacks, such as cache poisoning and man-in-the middle attacks. Communication sessions between different DNS systems should employ protections such as DNSSEC or TSIG to validate the integrity of data being transmitted.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-233917r621666_rule
- Severity
- Medium
- References
- Updated
Remediation - Manual Procedure
1. Navigate to Data Management >> DNS >> Zones tab. Select a zone and click "Edit".
2. Click on the "Zone Transfers" tab and click "Override" for the "Allow Zone Transfers to" section.
3. Use the radio button to select "Set of ACEs" and the "Add" drop-down to configure a TSIG key.
4. It is important to verify that both the Infoblox and other DNS server have the identical TSIG configuration and time synchronization.
5. When complete, click "Save & Close" to save the changes and exit the "Properties" screen.
6. Perform a service restart if necessary. 7. Verify zone transfers are operational after configuration of TSIG.