An error occurred:

Check: IDNS-7X-000410

Infoblox 7.x DNS STIG: IDNS-7X-000410 (in versions v2 r1 through v1 r4)

Title

The Infoblox system must be configured to validate the binding of the other DNS servers identity to the DNS information for a server-to-server transaction (e.g., zone transfer). (Cat II impact)

Discussion

Validation of the binding of the information prevents the modification of information between production and review. The validation of bindings can be achieved, for example, by the use of cryptographic checksums. Validations must be performed automatically. DNSSEC and TSIG/SIG(0) technologies are not effective unless the digital signatures they generate are validated to ensure that the information has not been tampered with and that the producer's identity is legitimate.

Check Content

Note: For Infoblox DNS systems on a Classified network, this requirement is Not Applicable. Navigate to Data Management >> DNS >> Zones tab. Review each zone by clicking "Edit" and inspecting the "Name Servers" tab. If the all entries in the "Type" column are configured as "Grid", this check is not applicable. Verify that each zone which contains non-Grid name servers is further verified by inspection of the "Zone Transfers" tab and configuration of TSIG Access Control Entry (ACE). If there is a non-Grid system which utilizes zone transfers but does not have a TSIG key, this is a finding. When complete, click "Cancel" to exit the "Properties" screen.

Fix Text

Navigate to Data Management >> DNS >> Zones tab. Select a zone and click "Edit". Click on "Zone Transfers" tab, and click "Override" for the "Allow Zone Transfers to" section. Use the radio button to select "Set of ACEs" and the "Add" dropdown to configure a TSIG key. It is important to verify that both the Infoblox and other DNS server have the identical TSIG configuration. When complete, click "Save & Close" to save the changes and exit the "Properties" screen. Perform a service restart if necessary. Verify zone transfers are operational after configuration of TSIG.

Additional Identifiers

Rule ID: SV-214183r612370_rule

Vulnerability ID: V-214183

Group Title: SRG-APP-000349-DNS-000043

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-000366

The organization implements the security configuration settings.
CCI-001904

The information system validates the binding of the information producer identity to the information at an organization-defined frequency.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
AU-10 (2)

Validate Binding Of Information Producer Identity
CM-6

Configuration Settings