Infoblox DNS service members must protect the authenticity of communications sessions for zone transfers when communicating with external DNS service members (i.e., DNS systems outside the Infoblox grid).
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-233917 | SRG-APP-000219-DNS-000028 | IDNS-8X-700012 | SV-233917r1082725_rule | 2025-03-11 | 1 |
| Description |
|---|
| DNS is a fundamental network service prone to various attacks, such as cache poisoning and man-in-the middle attacks. Communication sessions between different DNS systems must employ protections such as DNSSEC or TSIG to validate the integrity of data being transmitted. |
| ℹ️ Check |
|---|
| 1. Navigate to Data Management >> DNS >> Zones tab. 2. Review each zone by clicking "Edit" and inspecting the "DNS service members" tab. 3. If all DNS service member entries in the "Type" column are configured as "Grid", this check is Not Applicable. 4. Verify that each zone containing non-Grid DNS service members is further verified by inspection of the "Zone Transfers" tab and configuration of TSIG Access Control Entry (ACE). 5. When complete, click "Cancel" to exit the "Properties" screen. If there is a non-Grid system that uses zone transfers but does not have a TSIG key, this is a finding. |
| ✔️ Fix |
|---|
| 1. Navigate to Data Management >> DNS >> Zones tab. Select a zone and click "Edit". 2. Click on the "Zone Transfers" tab and click "Override" for the "Allow Zone Transfers to" section. 3. Use the radio button to select "Set of ACEs" and the "Add" drop-down to configure a TSIG key. 4. Verify that both the Infoblox and non-Grid DNS service member have the identical TSIG configuration and time synchronization. 5. When complete, click "Save & Close" to save the changes and exit the "Properties" screen. 6. Perform a service restart if necessary. 7. Verify zone transfers are operational after configuration of TSIG. |