Recursion must be disabled on Infoblox DNS service members that are configured as External Authoritative DNS service members.

Severity: medium
Group ID: V-233860
Group Title: SRG-APP-000383-DNS-000047
Version: IDNS-8X-400002
Rule ID: SV-233860r1082609_rule
Date: 2025-03-11
STIG Version: 1
Description
External Authoritative DNS service members should provide *only* External Authoritative DNS and no other DNS service. Internal Authoritative servers commonly require recursion so they can resolve names held on other servers (via forwarding, stub zones, the Internet, etc.); external authoritative servers have no such need.

A potential vulnerability of DNS is that an attacker can poison a name server's cache by sending queries that cause the server to obtain host-to-IP address mappings from bogus name servers that respond with incorrect information. Once a name server has been poisoned, legitimate clients may be directed to nonexistent hosts (a denial of service) or, worse, to hosts that masquerade as legitimate in order to obtain sensitive data or passwords.

To guard against poisoning, name servers authoritative for .mil domains must be separated functionally from name servers that resolve queries on behalf of internal clients. Organizations may achieve this separation by dedicating machines to each function or, where possible, by running split DNS with an internal name server and an external name server.

DNSSEC ensures that the answer received for a name resolution query actually comes from a trusted name server. Since DNSSEC is still far from globally deployed outside DOD, and many resolvers either have not been updated or do not support DNSSEC, keeping cached zone data separate from authoritative zone data mitigates the gap until all DNS data is validated with DNSSEC. Because DNS forwarding can be accomplished in some DNS applications without caching locally, forwarding is the method to be used when providing external DNS resolution to internal clients.
ℹ️ Check
In a split DNS configuration with separate External and Internal DNS servers, verify on each External DNS member:

1. Navigate to Data Management >> DNS >> Members tab.
2. Select each grid member configured in an authoritative role and click "Edit".
3. Review the "Queries" tab.
4. Verify that "Allow Recursion" is not enabled.
5. When complete, click "Cancel" to exit the "Properties" screen.

If split DNS is used and "Allow Recursion" is enabled on an External Authoritative DNS service member, this is a finding.
✔️ Fix
In a split DNS configuration with separate External and Internal DNS servers, on each External DNS member:

1. Navigate to Data Management >> DNS >> Members tab.
2. Select each grid member configured in an authoritative role and click "Edit".
3. Select the "Queries" tab.
4. Clear the "Allow Recursion" check box.
5. Click "Save & Close" to apply the change and exit the "Properties" screen, and restart the DNS service if the Grid Manager prompts for it.
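As an added example (not part of the STIG text and not Infoblox's own tooling), the following Python script performs the same check in two ways: against the Grid Manager's WAPI, and from an outside vantage point by reading the RA (recursion available) bit in a `dig` reply. The WAPI object and field names (`member:dns`, `grid:dns`, `allow_recursive_query`, `use_allow_recursive_query`), the base URL, the host names and the `dig` output are assumptions or constructed sample data; confirm the field names against your own grid's WAPI documentation before relying on them. The audit goes one step beyond the GUI check by handling inheritance: a member whose own value is "off" but whose override flag is clear still takes the grid-wide setting.

```python
"""Audit recursion on Infoblox external authoritative members (added example).

Two independent checks:
  1. audit_recursion(): evaluate the effective "Allow Recursion" setting for
     each external member from WAPI member:dns / grid:dns objects, honouring
     the member-level override flag.
  2. dig_offers_recursion(): parse dig output taken from outside the enclave
     and report whether the server set the RA (recursion available) bit.
"""
import json
import re
import urllib.request
from base64 import b64encode

# ASSUMPTION: object and field names are recalled from the NIOS WAPI reference
# (member:dns.allow_recursive_query, member:dns.use_allow_recursive_query,
# grid:dns.allow_recursive_query); confirm them against your grid's /wapidoc.
MEMBER_FIELDS = "host_name,allow_recursive_query,use_allow_recursive_query"
GRID_FIELDS = "allow_recursive_query"


def fetch_wapi(base_url, user, password, path):
    """GET one WAPI path (e.g. '/member:dns?_return_fields=' + MEMBER_FIELDS)
    and return the parsed JSON. base_url is assumed to look like
    'https://gm.example.mil/wapi/v2.12' (hypothetical host)."""
    req = urllib.request.Request(base_url + path)
    token = b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    with urllib.request.urlopen(req) as resp:  # TLS verification left on
        return json.load(resp)


def effective_recursion(member, grid_dns):
    """The member-level value only applies when the override flag is set;
    otherwise the member inherits the grid-wide DNS property."""
    if member.get("use_allow_recursive_query"):
        return bool(member.get("allow_recursive_query"))
    return bool(grid_dns.get("allow_recursive_query"))


def audit_recursion(grid_dns, members, external_hosts):
    """Return the external members whose effective recursion setting is on;
    each one is a finding under this rule."""
    return sorted(
        m["host_name"]
        for m in members
        if m["host_name"] in external_hosts and effective_recursion(m, grid_dns)
    )


_FLAGS_RE = re.compile(r"^;; flags:([^;]*);", re.MULTILINE)


def dig_offers_recursion(dig_output):
    """True if the RA bit is set in the reply header, i.e. the server is
    willing to recurse for the querier. Feed in the text of, for example,
      dig @ext-ns1.example.mil www.example.com A
    using a name the server is not authoritative for."""
    match = _FLAGS_RE.search(dig_output)
    flags = set(match.group(1).split()) if match else set()
    return "ra" in flags


# --- constructed sample data (not captured from a real grid) ---------------
SAMPLE_GRID_DNS = {"allow_recursive_query": True}   # grid-wide default: on
SAMPLE_MEMBERS = [
    # explicitly overridden to off: compliant
    {"host_name": "ext-ns1.example.mil", "allow_recursive_query": False,
     "use_allow_recursive_query": True},
    # member value is off but the override flag is clear, so the grid
    # default (on) applies: a finding missed by reading the member field alone
    {"host_name": "ext-ns2.example.mil", "allow_recursive_query": False,
     "use_allow_recursive_query": False},
    # internal resolver; recursion is expected here and out of scope
    {"host_name": "int-ns1.example.mil", "allow_recursive_query": True,
     "use_allow_recursive_query": True},
]
EXTERNAL_HOSTS = {"ext-ns1.example.mil", "ext-ns2.example.mil"}

DIG_REFUSED = """\
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4242
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
DIG_RECURSIVE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
"""

if __name__ == "__main__":
    for host in audit_recursion(SAMPLE_GRID_DNS, SAMPLE_MEMBERS, EXTERNAL_HOSTS):
        print(f"FINDING: recursion effectively enabled on {host}")
    print("ext-ns1 sets RA:", dig_offers_recursion(DIG_REFUSED))
```

Against live data, call `fetch_wapi` once for `/grid:dns?_return_fields=allow_recursive_query` and once for `/member:dns?_return_fields=` plus `MEMBER_FIELDS`, then pass the results to `audit_recursion` with the set of hosts that serve the external view. The external `dig` test is the stronger evidence, since it observes what the Internet actually sees regardless of how the setting was inherited.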