An error occurred:

Check: IDNS-8X-700016

Infoblox 8.x DNS STIG: IDNS-8X-700016 (in version v1 r1)

Title

The Infoblox system must restrict the ability of individuals to use the DNS server to launch denial-of-Service (DoS) attacks against other information systems. (Cat II impact)

Discussion

The Infoblox system must restrict the ability of individuals to use the DNS server to launch DoS attacks against other information systems.

Check Content

Infoblox systems have a number of options that can be configured to reduce the ability to be exploited in a DoS attack. Primary consideration for this check should be given to client restrictions such as disabling open recursive servers, using Access Control Lists (ACLs) to limit client communication, and placement in secure network architecture to prevent address spoofing. 1. Navigate to Data Management >> DNS >> Grid DNS Properties. 2. For external authoritative name servers: a. Select the "Queries" tab. b. Verify the "Allow Recursion" check box is not enabled. 3. For internal name servers: a. On the "Updates" tab, verify that an ACL or Access Control Entry (ACE) for "Allow updates from" is enabled. b. On the "Queries" tab, verify that either an ACL or ACE for "Allow queries from" is enabled. 4. When complete, click "Cancel" to save the changes and exit the "Properties" screen. If there is an open recursive DNS service on external name servers, or unrestricted access to internal name servers, this is a finding.

Fix Text

1. Navigate to Data Management >> DNS >> Grid DNS Properties. 2. Select the "Queries" tab. 3. For external authoritative name servers, disable "Allow Recursion" by clearing the check box. 4. For internal name servers, on the "Updates" tab, configure either an ACL or ACE for "Allow updates from". 5. On the "Queries" tab, configure either an ACL or ACE for "Allow queries from". 6. When complete, click "Save & Close" to save the changes and exit the "Properties" screen. 7. Perform a service restart if necessary.

Additional Identifiers

Rule ID: SV-233921r621666_rule

Vulnerability ID: V-233921

Group Title: SRG-APP-000246-DNS-000035

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-001094

The information system restricts the ability of individuals to launch organization-defined denial of service attacks against other information systems.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
SC-5 (1)

Restrict Internal Users