Check: IDNS-8X-400002
Infoblox 8.x DNS STIG:
IDNS-8X-400002
(in version v1 r1)
Title
Recursion must be disabled on Infoblox DNS servers that are configured as authoritative name servers. (Cat II impact)
Discussion
A potential vulnerability of DNS is that an attacker can poison a name server's cache by sending queries that will cause the server to obtain host-to-IP address mappings from bogus name servers that respond with incorrect information. Once a name server has been poisoned, legitimate clients may be directed to non-existent hosts (which constitutes a denial of service), or, worse, hosts that masquerade as legitimate ones to obtain sensitive data or passwords. To guard against poisoning, name servers authoritative for .mil domains should be separated functionally from name servers that resolve queries on behalf of internal clients. Organizations may achieve this separation by dedicating machines to each function or, if possible, by running two instances of the name server software on the same machine: one for the authoritative function and the other for the resolving function. In this design, each name server process may be bound to a different IP address or network interface to implement the required segregation. The use of DNSSEC ensures that the answer received when querying for name resolution actually comes from a trusted name server. Since DNSSEC is still far from being globally deployed external to DoD, and many resolvers either have not been updated or do not support DNSSEC, maintaining cached zone data separate from authoritative zone data mitigates the gap until all DNS data is validated with DNSSEC. Since DNS forwarding of queries can be accomplished in some DNS applications without caching locally, DNS forwarding is the method to be used when providing external DNS resolution to internal clients.
Check Content
1. Navigate to Data Management >> DNS >> Members tab. 2. Select each grid member configured in an authoritative role and click "Edit". 3. Review the "Queries" tab. 4. Verify that "Allow Recursion" is not enabled. 5. When complete, click "Cancel" to exit the "Properties" screen. If recursion is not disabled on an authoritative name server, this is a finding.
Fix Text
1. Navigate to Data Management >> DNS >> Members tab. 2. Select the "Queries" tab and disable recursion by clearing the "Enable Recursion" check box. 3. When complete, click "Save & Close" to save the changes and exit the "Properties" screen. 4. Perform a service restart if necessary.
Additional Identifiers
Rule ID: SV-233860r621666_rule
Vulnerability ID: V-233860
Group Title: SRG-APP-000383-DNS-000047
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000366 |
The organization implements the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 |
Configuration Settings |