In a split DNS configuration, where separate DNS service members are used between the external and internal networks, the external DNS service member must be configured to not be reachable from inside resolvers.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-233869	SRG-APP-000516-DNS-000092	IDNS-8X-400011	SV-233869r1082632_rule	2025-03-11	1

Description
Instead of having the same set of authoritative name servers serve different types of clients, an enterprise could have two different sets of authoritative name servers. One set, called external name servers, can be located within a DMZ; these would be the only name servers that are accessible to external clients and would serve resource records (RRs) pertaining to hosts with public services (web servers that serve external web pages or provide B2C services, mail servers, etc.) The other set, called internal name servers, is to be located within the firewall and should be configured so it is not reachable from outside and hence provides naming services exclusively to internal clients.

Description

Instead of having the same set of authoritative name servers serve different types of clients, an enterprise could have two different sets of authoritative name servers. One set, called external name servers, can be located within a DMZ; these would be the only name servers that are accessible to external clients and would serve resource records (RRs) pertaining to hosts with public services (web servers that serve external web pages or provide B2C services, mail servers, etc.) The other set, called internal name servers, is to be located within the firewall and should be configured so it is not reachable from outside and hence provides naming services exclusively to internal clients.

ℹ️ Check
Validation of this configuration item requires review of the network architecture and security configuration in addition to DNS service member configuration to verify that external DNS service members are not accessible from the internal network when a split DNS configuration is implemented. 1. Navigate to Data Management >> DNS >> Members tab. 2. Review the network configuration and access control of each Infoblox member that has the DNS service running. 3. Select each grid member and click "Edit". Review the "Queries" tab to verify that both queries and recursion options are enabled and allowed only from the respective client networks. If a split DNS configuration is not used, this is not a finding. If there is no access control configured or access control does not restrict queries and recursion to the respective client network, this is a finding.

ℹ️ Check

Validation of this configuration item requires review of the network architecture and security configuration in addition to DNS service member configuration to verify that external DNS service members are not accessible from the internal network when a split DNS configuration is implemented. 1. Navigate to Data Management >> DNS >> Members tab. 2. Review the network configuration and access control of each Infoblox member that has the DNS service running. 3. Select each grid member and click "Edit". Review the "Queries" tab to verify that both queries and recursion options are enabled and allowed only from the respective client networks. If a split DNS configuration is not used, this is not a finding. If there is no access control configured or access control does not restrict queries and recursion to the respective client network, this is a finding.

✔️ Fix
Navigate to Data Management >> DNS >> Members tab. For External DNS resolvers in a Split DNS configuration: 1. Select the Grid member(s) identified as running the External DNS service and click "Edit". 2. Under the Queries tab, enable and configure either an Access Control List (ACL) or set of Access Control Entries (ACE) allowing external clients and denying internal clients. 3. When complete, click "Save & Close" to save the changes and exit the "Properties" screen. 4. Perform a service restart if necessary. ACLs for External members should end with "Any" allow at the end after denying internal networks.

✔️ Fix

Navigate to Data Management >> DNS >> Members tab. For External DNS resolvers in a Split DNS configuration: 1. Select the Grid member(s) identified as running the External DNS service and click "Edit". 2. Under the Queries tab, enable and configure either an Access Control List (ACL) or set of Access Control Entries (ACE) allowing external clients and denying internal clients. 3. When complete, click "Save & Close" to save the changes and exit the "Properties" screen. 4. Perform a service restart if necessary. ACLs for External members should end with "Any" allow at the end after denying internal networks.