Infoblox DNS servers must protect the authenticity of communications sessions for zone transfers.

An XCCDF Rule

Description

<VulnDiscussion>DNS is a fundamental network service that is prone to various attacks, such as cache poisoning and man-in-the middle attacks. If communication sessions are not provided appropriate validity protections, such as the employment of DNSSEC, the authenticity of the data cannot be guaranteed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-214174r612370_rule
Severity: Medium
References: CCI-001184
Updated: about 1 year ago

Navigate to Data Management >> DNS >> Zones tab.

Select a zone and click "Edit". 
Click on "Zone Transfers" tab, and click "Override" for the "Allow Zone Transfers to" section. 
Use the radio button to select "Set of ACEs" and the "Add" dropdown to configure a TSIG key. It is important to verify that both the Infoblox and other DNS server have the identical TSIG configuration. 
When complete, click "Save & Close" to save the changes and exit the "Properties" screen.
Perform a service restart if necessary.

Verify zone transfers are operational after configuration of TSIG.

Infoblox DNS servers must protect the authenticity of communications sessions for zone transfers.

Description

Remediation - Manual Procedure