The Infoblox DNS service member implementation must follow procedures to promote a secondary DNS service member to the role of primary DNS service member in the event the current primary DNS service member permanently loses functionality.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
---|---|---|---|---|---|---|
medium | V-233896 | SRG-APP-000451-DNS-000069 | IDNS-8X-400038 | SV-233896r1082677_rule | 2025-03-11 | 1 |
Description |
---|
Failing to an unsecure condition negatively impacts application security and can lead to system compromise. Failure conditions include, for example, loss of communications among critical system components or between system components and operational facilities. Fail-safe procedures include, for example, alerting operator personnel and providing specific instructions on subsequent steps to take (e.g., do nothing, reestablish system settings, shut down processes, restart the system, or contact designated organizational personnel). If a component such as DNSSEC signing capabilities were to fail, the DNS server must shut itself down to prevent continued execution without the necessary security components in place. Transactions such as zone transfers would not be able to work correctly in this state. |
ℹ️ Check |
---|
Validation of this configuration item requires review of the network architecture and security configuration in addition to DNS service member configuration to validate external DNS service members are not accessible from the internal network when a split DNS configuration is implemented. 1. Navigate to Data Management >> DNS >> Members tab. 2. Review the network configuration and access control of each Infoblox member that has the DNS service running. 3. Select each grid member and click "Edit". 4. Review the "Queries" tab to verify that both queries and recursion options are enabled and allowed only from the respective client networks. If a split DNS configuration is not used, this is not a finding. If there is no access control configured or access control does not restrict queries and recursion to the respective client network, this is a finding. |
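
The decision logic of the check above, as an added example that is not from the STIG or from Infoblox: given a constructed export of each member's query and recursion access control (the field names and the role/client-network bookkeeping are assumptions, not the NIOS or WAPI schema), it reports which DNS service members would be findings under this rule and treats a grid without split DNS as not applicable.

```python
import ipaddress

# Constructed sample of what the "Queries" tab shows per DNS member.
# Field names and the role/client_networks bookkeeping are an
# assumption for this example, not the Infoblox WAPI or NIOS schema.
MEMBERS = [
    {"name": "int-dns-1", "role": "internal", "client_networks": ["10.10.0.0/16"],
     "allow_query": ["10.10.0.0/16"], "recursion_enabled": True,
     "allow_recursion": ["10.10.0.0/16"]},
    {"name": "ext-dns-1", "role": "external", "client_networks": ["203.0.113.0/24"],
     "allow_query": ["Any"], "recursion_enabled": False, "allow_recursion": []},
    {"name": "int-dns-2", "role": "internal", "client_networks": ["10.20.0.0/16"],
     "allow_query": ["10.20.0.0/16", "10.10.0.0/16"], "recursion_enabled": True,
     "allow_recursion": []},
]

def acl_restricted_to(acl, client_networks):
    """True only if the ACL is non-empty, contains no 'Any', and every entry
    lies inside one of this member's own client networks."""
    if not acl or any(str(e).lower() == "any" for e in acl):
        return False
    nets = [ipaddress.ip_network(n, strict=False) for n in client_networks]
    for entry in acl:
        src = ipaddress.ip_network(entry, strict=False)
        if not any(src.version == n.version and src.subnet_of(n) for n in nets):
            return False
    return True

def evaluate_member(m):
    """Return the reasons this member is a finding (empty list = compliant)."""
    reasons = []
    if not acl_restricted_to(m["allow_query"], m["client_networks"]):
        reasons.append("queries not restricted to the member's client network")
    # Assumption: a recursion ACL is only reviewable when recursion is enabled.
    if m["recursion_enabled"] and not acl_restricted_to(m["allow_recursion"], m["client_networks"]):
        reasons.append("recursion not restricted to the member's client network")
    return reasons

def evaluate_grid(members):
    """Not applicable without split DNS; otherwise list members with missing or over-broad ACLs."""
    split_dns = {m["role"] for m in members} >= {"internal", "external"}
    if not split_dns:
        return {"applicable": False, "findings": {}}
    findings = {m["name"]: r for m in members if (r := evaluate_member(m))}
    return {"applicable": True, "findings": findings}

if __name__ == "__main__":
    for name, reasons in evaluate_grid(MEMBERS)["findings"].items():
        print(f"FINDING {name}: {'; '.join(reasons)}")
```
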
✔️ Fix |
---|
1. Refer to the Infoblox NIOS Administrator Guide, Chapters "Deploying a Grid", and "Configuring DNS Zones", section "Assigning Zone Authority to DNS service members", if necessary. 2. Configure a Grid Manager Candidate or define a local policy to promote a secondary DNS service member. |