The Infoblox DNS service member implementation must maintain the integrity of information during reception.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-233926	SRG-APP-000442-DNS-000067	IDNS-8X-700021	SV-233926r1082744_rule	2025-03-11	1

Description
Information can be unintentionally or maliciously disclosed or modified during reception, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information. Confidentiality is not an objective of DNS, but integrity is. DNS is responsible for maintaining the integrity of DNS information while it is being received.

Description

Information can be unintentionally or maliciously disclosed or modified during reception, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information. Confidentiality is not an objective of DNS, but integrity is. DNS is responsible for maintaining the integrity of DNS information while it is being received.

ℹ️ Check
Note: For Infoblox DNS systems on a classified network, this requirement is Not Applicable. 1. Navigate to Data Management >> DNS >> Zones. 2. Review all external-facing authoritative zones. Note: To add "Signed" column, select an existing column >> down arrow >> Columns >> Edit Columns. Set the "Signed" check box to "Visible" and select "Apply". DNSSEC signing status will be displayed in the Zones tab. Verify that external authoritative zones are DNSSEC signed. If DNSSEC is not used for authoritative DNS this is a finding.

ℹ️ Check

Note: For Infoblox DNS systems on a classified network, this requirement is Not Applicable. 1. Navigate to Data Management >> DNS >> Zones. 2. Review all external-facing authoritative zones. Note: To add "Signed" column, select an existing column >> down arrow >> Columns >> Edit Columns. Set the "Signed" check box to "Visible" and select "Apply". DNSSEC signing status will be displayed in the Zones tab. Verify that external authoritative zones are DNSSEC signed. If DNSSEC is not used for authoritative DNS this is a finding.

✔️ Fix
Note: Ensure DNSSEC is configured on all External-facing zones to meet all other STIG requirements prior to signing a zone to avoid signing with an unapproved configuration. 1. Navigate to Data Management >> DNS >> Grid DNS Properties. 2. Toggle Advanced Mode and select the "DNSSEC" tab. 3. Enable DNSSEC validation by selecting the check box. 4. Configure the Trust Anchors. 5. When complete, click "Save & Close" to save the changes and exit the "Properties" screen. 6. Perform a service restart if necessary.

✔️ Fix

Note: Ensure DNSSEC is configured on all External-facing zones to meet all other STIG requirements prior to signing a zone to avoid signing with an unapproved configuration. 1. Navigate to Data Management >> DNS >> Grid DNS Properties. 2. Toggle Advanced Mode and select the "DNSSEC" tab. 3. Enable DNSSEC validation by selecting the check box. 4. Configure the Trust Anchors. 5. When complete, click "Save & Close" to save the changes and exit the "Properties" screen. 6. Perform a service restart if necessary.