Infoblox DNS service members must protect the authenticity of communications sessions for dynamic updates.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-233918	SRG-APP-000219-DNS-000029	IDNS-8X-700013	SV-233918r1082728_rule	2025-03-11	1

Description
DNS is a fundamental network service prone to various attacks, such as cache poisoning and man-in-the middle attacks. Communication sessions between different DNS clients and servers should employ protections such as DNSSEC or TSIG to validate the integrity of data being transmitted.

ℹ️ Check
Infoblox Systems can be configured in two ways to limit DDNS client updates. For clients that support GSS-TSIG: 1. Navigate to Data Management >> DNS >> Members tab. 2. Review each server with the DNS service enabled. 3. Select each server, click "Edit", toggle Advanced Mode, and select GSS-TSIG. 4. Verify that "Enable GSS-TSIG authentication of clients" is enabled. 5. When complete, click "Cancel" to exit the "Properties" screen. For clients that do not support GSS-TSIG: 1. Navigate to Data Management >> DNS >> Members tab. 2. Review each server with the DNS service enabled. 3. Select each server and click "Edit". 4. Select the "Updates" tab. 5. Verify that either a Named ACL or set of Access Control Entries (ACEs) is used to limit client DDNS updates. 6. When complete, click "Cancel" to exit the "Properties" screen. If clients that support GSS-TSIG do not have "Enable GSS-TSIG authentication of clients" set or a named ACL or set of ACEs for clients that do not support GSS-TSIG, this is a finding.

ℹ️ Check

Infoblox Systems can be configured in two ways to limit DDNS client updates. For clients that support GSS-TSIG: 1. Navigate to Data Management >> DNS >> Members tab. 2. Review each server with the DNS service enabled. 3. Select each server, click "Edit", toggle Advanced Mode, and select GSS-TSIG. 4. Verify that "Enable GSS-TSIG authentication of clients" is enabled. 5. When complete, click "Cancel" to exit the "Properties" screen. For clients that do not support GSS-TSIG: 1. Navigate to Data Management >> DNS >> Members tab. 2. Review each server with the DNS service enabled. 3. Select each server and click "Edit". 4. Select the "Updates" tab. 5. Verify that either a Named ACL or set of Access Control Entries (ACEs) is used to limit client DDNS updates. 6. When complete, click "Cancel" to exit the "Properties" screen. If clients that support GSS-TSIG do not have "Enable GSS-TSIG authentication of clients" set or a named ACL or set of ACEs for clients that do not support GSS-TSIG, this is a finding.

✔️ Fix
Infoblox Systems can be configured in two ways to limit DDNS client updates. Refer to the Administrator Guide for detailed instructions. For clients that support GSS-TSIG: 1. Navigate to Data Management >> DNS >> Members tab. 2. Review each server with the DNS service enabled. 3. Select each server, click "Edit", toggle Advanced Mode, and select GSS-TSIG. 4. Configure the option "Enable GSS-TSIG authentication of clients". 5. Upload the required keys. 6. When complete, click "Save & Close" to save the changes and exit the "Properties" screen. 7. Perform a service restart if necessary. For clients that do not support GSS-TSIG: 1. Navigate to Data Management >> DNS >> Members tab. 2. Review each server with the DNS service enabled. 3. Select each server and click "Edit". 4. Select the "Updates" tab. 5. Select an existing Named ACL or configure a new set of ACEs to limit client DDNS. 6. When complete, click "Save & Close" to save the changes and exit the "Properties" screen. 7. Perform a service restart if necessary.

✔️ Fix

Infoblox Systems can be configured in two ways to limit DDNS client updates. Refer to the Administrator Guide for detailed instructions. For clients that support GSS-TSIG: 1. Navigate to Data Management >> DNS >> Members tab. 2. Review each server with the DNS service enabled. 3. Select each server, click "Edit", toggle Advanced Mode, and select GSS-TSIG. 4. Configure the option "Enable GSS-TSIG authentication of clients". 5. Upload the required keys. 6. When complete, click "Save & Close" to save the changes and exit the "Properties" screen. 7. Perform a service restart if necessary. For clients that do not support GSS-TSIG: 1. Navigate to Data Management >> DNS >> Members tab. 2. Review each server with the DNS service enabled. 3. Select each server and click "Edit". 4. Select the "Updates" tab. 5. Select an existing Named ACL or configure a new set of ACEs to limit client DDNS. 6. When complete, click "Save & Close" to save the changes and exit the "Properties" screen. 7. Perform a service restart if necessary.