Check: IDNS-8X-400038
Infoblox 8.x DNS STIG, version v1 r2
Title
The Infoblox DNS service member implementation must follow procedures to promote a secondary DNS service member to the role of primary DNS service member in the event the current primary DNS service member permanently loses functionality. (Cat II impact)
Discussion
Failing to an unsecure condition negatively impacts application security and can lead to system compromise. Failure conditions include, for example, loss of communications among critical system components or between system components and operational facilities. Fail-safe procedures include, for example, alerting operator personnel and providing specific instructions on subsequent steps to take (e.g., do nothing, reestablish system settings, shut down processes, restart the system, or contact designated organizational personnel). If a component such as DNSSEC signing capabilities were to fail, the DNS server must shut itself down to prevent continued execution without the necessary security components in place. Transactions such as zone transfers would not be able to work correctly in this state.
Check Content
Validation of this configuration item requires review of the network architecture and security configuration in addition to DNS service member configuration to validate external DNS service members are not accessible from the internal network when a split DNS configuration is implemented.
1. Navigate to Data Management >> DNS >> Members tab.
2. Review the network configuration and access control of each Infoblox member that has the DNS service running.
3. Select each grid member and click "Edit".
4. Review the "Queries" tab to verify that both queries and recursion options are enabled and allowed only from the respective client networks.
If a split DNS configuration is not used, this is not a finding.
If there is no access control configured or access control does not restrict queries and recursion to the respective client network, this is a finding.
Fix Text
1. Refer to the Infoblox NIOS Administrator Guide, Chapters "Deploying a Grid" and "Configuring DNS Zones", section "Assigning Zone Authority to DNS service members", if necessary.
2. Configure a Grid Manager Candidate or define a local policy to promote a secondary DNS service member.
Additional Identifiers
Rule ID: SV-233896r1082677_rule
Vulnerability ID: V-233896
Group Title: SRG-APP-000451-DNS-000069
CCIs
| Number | Definition |
|---|---|
| CCI-000366 | Implement the security configuration settings. |
| CCI-002775 | Implement organization-defined fail-safe procedures when organization-defined failure conditions occur. |