The Infoblox DNS service member must request data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-233913	SRG-APP-000423-DNS-000056	IDNS-8X-700008	SV-233913r1082717_rule	2025-03-11	1

Description
If data origin authentication and data integrity verification are not performed, the resultant response could be forged, it may have come from a poisoned cache, the packets could have been intercepted without the resolver's knowledge, or resource records could have been removed that would result in query failure or denial of service. Data integrity verification must be performed to thwart these types of attacks. Each client of name resolution services either performs this validation on its own or has authenticated channels to trusted validation providers. Information systems that provide name and address resolution services for local clients include, for example, recursive resolving or caching DNS servers. DNS client resolvers either perform validation of DNSSEC signatures, or clients use authenticated channels to recursive resolvers that perform such validations. DNSSEC is intended for third-party authenticity determination. Attempting to utilize DNSSEC internally was never an intended use case as it would require every consumer to have a third-party validating resolver installed along with a mechanism for periodic trust anchor distribution/update. It is recommended for external zones only. Satisfies: SRG-APP-000426-DNS-000059, SRG-APP-000427-DNS-000060, SRG-APP-000428-DNS-000061, SRG-APP-000429-DNS-000062

Description

If data origin authentication and data integrity verification are not performed, the resultant response could be forged, it may have come from a poisoned cache, the packets could have been intercepted without the resolver's knowledge, or resource records could have been removed that would result in query failure or denial of service. Data integrity verification must be performed to thwart these types of attacks. Each client of name resolution services either performs this validation on its own or has authenticated channels to trusted validation providers. Information systems that provide name and address resolution services for local clients include, for example, recursive resolving or caching DNS servers. DNS client resolvers either perform validation of DNSSEC signatures, or clients use authenticated channels to recursive resolvers that perform such validations. DNSSEC is intended for third-party authenticity determination. Attempting to utilize DNSSEC internally was never an intended use case as it would require every consumer to have a third-party validating resolver installed along with a mechanism for periodic trust anchor distribution/update. It is recommended for external zones only. Satisfies: SRG-APP-000426-DNS-000059, SRG-APP-000427-DNS-000060, SRG-APP-000428-DNS-000061, SRG-APP-000429-DNS-000062

ℹ️ Check
Note: For Infoblox DNS systems on a classified network, this requirement is Not Applicable. 1. Validate that DNSSEC validation is enabled by navigating to Data Management >> DNS >> Grid DNS properties. 2. Toggle Advanced Mode and click on the "DNSSEC" tab. 3. Verify that both "Enable DNSSEC" and "Enable DNSSEC validation" are enabled. 4. When complete, click "Cancel" to exit the "Properties" screen. If both "Enable DNSSEC" and "Enable DNSSEC validation" are not enabled, this is a finding.

ℹ️ Check

Note: For Infoblox DNS systems on a classified network, this requirement is Not Applicable. 1. Validate that DNSSEC validation is enabled by navigating to Data Management >> DNS >> Grid DNS properties. 2. Toggle Advanced Mode and click on the "DNSSEC" tab. 3. Verify that both "Enable DNSSEC" and "Enable DNSSEC validation" are enabled. 4. When complete, click "Cancel" to exit the "Properties" screen. If both "Enable DNSSEC" and "Enable DNSSEC validation" are not enabled, this is a finding.

✔️ Fix
For Internal Recursive DNS service members resolving internal queries to external DNS sources: 1. Navigate to Data Management >> DNS >> Grid DNS properties. 2. Toggle Advanced Mode and click on the "DNSSEC" tab. 3. Enable both "Enable DNSSEC" and "Enable DNSSEC validation". 4. When complete, click "Save & Close" to save the changes and exit the "Properties" screen. 5. Perform a service restart if necessary.

✔️ Fix

For Internal Recursive DNS service members resolving internal queries to external DNS sources: 1. Navigate to Data Management >> DNS >> Grid DNS properties. 2. Toggle Advanced Mode and click on the "DNSSEC" tab. 3. Enable both "Enable DNSSEC" and "Enable DNSSEC validation". 4. When complete, click "Save & Close" to save the changes and exit the "Properties" screen. 5. Perform a service restart if necessary.