Title

Infoblox DNS servers must protect the authenticity of communications sessions for dynamic updates. (Cat II impact)

Discussion

DNS is a fundamental network service that is prone to various attacks, such as cache poisoning and man-in-the middle attacks. Communication sessions between different DNS clients and servers should employ protections such as DNSSEC or TSIG to validate the integrity of data being transmitted.

Check Content

Infoblox Systems can be configured in two ways to limit DDNS client updates. For clients that support GSS-TSIG: 1. Navigate to Data Management >> DNS >> Members tab. 2. Review each server with the DNS service enabled. 3. Select each server, click "Edit", toggle Advanced Mode, and select GSS-TSIG. 4. Verify that "Enable GSS-TSIG authentication of clients" is enabled. 5. When complete, click "Cancel" to exit the "Properties" screen. For clients that do not support GSS-TSIG: 1. Navigate to Data Management >> DNS >> Members tab. 2. Review each server with the DNS service enabled. 3. Select each server and click "Edit". 4. Select the "Updates" tab. 5. Verify that either a Named ACL or set of Access Control Entries (ACEs) is used to limit client DDNS updates. 6. When complete, click "Cancel" to exit the "Properties" screen. If clients that support GSS-TSIG do not have "Enable GSS-TSIG authentication of clients" set or a named ACL or set of ACEs for clients that do not support GSS-TSIG, this is a finding.

Fix Text

Infoblox Systems can be configured in two ways to limit DDNS client updates. Refer to the Administrator Guide for detailed instructions. For clients that support GSS-TSIG: 1. Navigate to Data Management >> DNS >> Members tab. 2. Review each server with the DNS service enabled. 3. Select each server, click "Edit", toggle Advanced Mode, and select GSS-TSIG. 4. Configure the option "Enable GSS-TSIG authentication of clients". 5. Upload the required keys. 6. When complete, click "Save & Close" to save the changes and exit the "Properties" screen. 7. Perform a service restart if necessary. For clients that do not support GSS-TSIG: 1. Navigate to Data Management >> DNS >> Members tab. 2. Review each server with the DNS service enabled. 3. Select each server and click "Edit". 4. Select the "Updates" tab. 5. Select an existing Named ACL or configure a new set of ACEs to limit client DDNS. 6. When complete, click "Save & Close" to save the changes and exit the "Properties" screen. 7. Perform a service restart if necessary.

Additional Identifiers

Rule ID: SV-233918r621666_rule

Vulnerability ID: V-233918

Group Title: SRG-APP-000219-DNS-000029

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.