Infoblox DNS servers must be configured to protect the authenticity of communications sessions for dynamic updates.

An XCCDF Rule

Description

<VulnDiscussion>DNS is a fundamental network service that is prone to various attacks, such as cache poisoning and man-in-the middle attacks. If communication sessions are not provided appropriate validity protections, such as the employment of DNSSEC, the authenticity of the data cannot be guaranteed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-214175r612370_rule
Severity: Medium
References: CCI-001184
Updated: about 1 year ago

Infoblox Systems can be configured in two ways to limit DDNS client updates. 

For clients that support GSS-TSIG, navigate to Data Management >> DNS >> Members/Servers tab.

Review each server with the DNS service enabled. 
Select each server, click "Edit", toggle Advanced Mode and select GSS-TSIG.Configure the option "Enable GSS-TSIG authentication of clients".
Upload the required keys. Refer to the Administration Guide for detailed instructions.

For clients that do not support GSS-TSIG, navigate to Data Management >> DNS >> Members/Servers tab.

Review each server with the DNS service enabled.
Select each server, click "Edit".
Select the "Updates" tab.
Select either an existing Named ACL or configure a new Set of ACEs to limit client DDNS.
When complete, click "Save & Close" to save the changes and exit the "Properties" screen.

Perform a service restart if necessary.

Infoblox DNS servers must be configured to protect the authenticity of communications sessions for dynamic updates.

Description

Remediation - Manual Procedure