The Infoblox system must restrict the ability of individuals to use the DNS service member to launch denial-of-service (DoS) attacks against other information systems.

Severity: medium
Group ID: V-233921
Group Title: SRG-APP-000246-DNS-000035
Version: IDNS-8X-700016
Rule ID: SV-233921r1082733_rule
Date: 2025-03-11
STIG Version: 1
Description
The Infoblox system must restrict the ability of individuals to use the DNS server to launch DoS attacks against other information systems.
ℹ️ Check
Infoblox systems have a number of options that can be configured to reduce the ability to be exploited in a DoS attack. Primary consideration for this check must be given to client restrictions such as disabling open recursive servers, using Access Control Lists (ACLs) to limit client communication, and placement in secure network architecture to prevent address spoofing.

1. Navigate to Data Management >> DNS >> Grid DNS Properties.
2. For external authoritative DNS service members:
   a. Select the "Queries" tab.
   b. Verify the "Allow Recursion" check box is not enabled.
3. For internal DNS service members:
   a. On the "Updates" tab, verify ACL or Access Control Entry (ACE) for "Allow updates from" is enabled.
   b. On the "Queries" tab, verify that either an ACL or ACE for "Allow queries from" is enabled.
4. When complete, click "Cancel" to save the changes and exit the "Properties" screen.

If there is an open recursive DNS service on external DNS service members, or unrestricted access to internal DNS service members, this is a finding.
✔️ Fix
1. Navigate to Data Management >> DNS >> Grid DNS Properties.
2. Select the "Queries" tab.
3. For external authoritative DNS service members, disable "Allow Recursion" by clearing the check box.
4. For internal DNS service members, on the "Updates" tab, configure either an ACL or ACE for "Allow updates from".
5. On the "Queries" tab, configure either an ACL or ACE for "Allow queries from".
6. When complete, click "Save & Close" to save the changes and exit the "Properties" screen.
7. Perform a service restart if necessary.
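
The "Allow Recursion" setting can also be confirmed from the network side. The following is an added example, not part of the STIG or of Infoblox tooling: it sends a query with the recursion-desired bit set for a name the member does not host and classifies the reply header. The function names, verdict labels and sample replies are this example's own assumptions.

```python
import socket
import struct

QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080  # RFC 1035 header flag bits
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name, qid=0x1234):
    """Build an A/IN query for `name` with recursion desired (RD) set."""
    parts = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in parts) + b"\x00"
    return struct.pack("!HHHHHH", qid, RD, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)


def classify(response):
    """Classify a reply to an out-of-zone query; labels are this example's own."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    _id, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if not flags & QR:
        raise ValueError("not a DNS response (QR bit clear)")
    ra, aa = bool(flags & RA), bool(flags & AA)
    rcode = RCODES.get(flags & 0x000F, str(flags & 0x000F))
    detail = f"ra={int(ra)} aa={int(aa)} rcode={rcode} answers={ancount}"
    if ra and not aa and rcode == "NOERROR" and ancount > 0:
        return "FINDING", detail       # server recursed for a name it does not host
    if ra:
        return "REVIEW", detail        # recursion advertised; check the "Queries" tab
    if aa:
        return "INCONCLUSIVE", detail  # name is in-zone; retest with an out-of-zone name
    return "OK", detail                # recursion not offered to this client


def probe(server, name, timeout=3.0):
    """Query a member you administer over UDP/53 from an external vantage point."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (server, 53))
        data, _ = sock.recvfrom(4096)
    return classify(data)


if __name__ == "__main__":
    # Constructed sample reply headers (not captured traffic): open resolver, then refusal.
    for sample in ("123481800001000100000000", "123481050001000000000000"):
        print(classify(bytes.fromhex(sample)))
```

For internal members, running `probe` from a client outside the "Allow queries from" ACL should return a refusal rather than an answer.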