I - Mission Critical Sensitive
Rules and Groups employed by this XCCDF Profile
-
SRG-APP-000001-DNS-000001
<GroupDescription></GroupDescription>Group -
Infoblox systems that perform zone transfers to non-Grid DNS servers must limit the number of concurrent sessions for zone transfers.
<VulnDiscussion>Limiting the number of concurrent sessions reduces the risk of denial-of-service (DoS) to the DNS implementation. Infoblox...Rule Medium Severity -
SRG-APP-000001-DNS-000115
<GroupDescription></GroupDescription>Group -
The Infoblox system must limit the number of concurrent client connections to the number of allowed dynamic update clients.
<VulnDiscussion>Limiting the number of concurrent sessions reduces the risk of denial-of-service (DoS) to the DNS implementation. Name serv...Rule Medium Severity -
SRG-APP-000333-DNS-000107
<GroupDescription></GroupDescription>Group -
The Infoblox DNS server must not reveal sensitive information to an attacker. This includes HINFO, RP, LOC resource, and sensitive TXT record data.
<VulnDiscussion>There are several types of resource records (RRs) in the DNS that are meant to convey information to humans and applications ...Rule Medium Severity -
SRG-APP-000125-DNS-000012
<GroupDescription></GroupDescription>Group -
The Infoblox system audit records must be backed up at least every seven days onto a different system or system component than the system or component being audited.
<VulnDiscussion>Protection of log data includes ensuring that log data is not accidentally lost or deleted. Backing up audit records to a dif...Rule Medium Severity -
SRG-APP-000218-DNS-000027
<GroupDescription></GroupDescription>Group -
All authoritative name servers for a zone must be geographically disbursed.
<VulnDiscussion>In addition to network-based dispersion, authoritative name servers should be dispersed geographically as well. In other word...Rule Medium Severity -
SRG-APP-000383-DNS-000047
<GroupDescription></GroupDescription>Group -
Recursion must be disabled on Infoblox DNS servers that are configured as authoritative name servers.
<VulnDiscussion>A potential vulnerability of DNS is that an attacker can poison a name server's cache by sending queries that will cause the ...Rule Medium Severity -
SRG-APP-000516-DNS-000078
<GroupDescription></GroupDescription>Group -
The validity period for the Resource Record Signatures (RRSIGs) covering a zone's DNSKEY RRSet must be no less than two days and no more than one week.
<VulnDiscussion>The best way for a zone administrator to minimize the impact of a key compromise is by limiting the validity period of RRSIGs...Rule Medium Severity -
SRG-APP-000516-DNS-000084
<GroupDescription></GroupDescription>Group -
NSEC3 must be used for all DNSSEC signed zones.
<VulnDiscussion>To ensure that resource records (RRs) associated with a query are really missing in a zone file and have not been removed in ...Rule Medium Severity -
SRG-APP-000516-DNS-000085
<GroupDescription></GroupDescription>Group -
The Infoblox DNS server must be configured so that each name server (NS) record in a zone file points to an active name server authoritative for the domain specified in that record.
<VulnDiscussion>Poorly constructed NS records pose a security risk because they create conditions under which an adversary might be able to p...Rule Medium Severity -
SRG-APP-000516-DNS-000087
<GroupDescription></GroupDescription>Group -
All authoritative name servers for a zone must be located on different network segments.
<VulnDiscussion>Most enterprises have an authoritative primary server and a host of authoritative secondary name servers. It is essential tha...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.