STIGhubSTIGhub
STIGsRMF ControlsCompare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • RMF Controls
  • Compare Versions

Resources

  • About
  • Release Notes
  • VPAT
  • DISA STIG Library
STIGs updated 2 hours ago
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to Infoblox 7.x DNS Security Technical Implementation Guide

V-214171

CAT II (Medium)

The Infoblox system implementation must enforce approved authorizations for controlling the flow of information between DNS servers and between DNS servers and DNS clients based on DNSSEC policies.

Rule ID

SV-214171r961107_rule

STIG

Infoblox 7.x DNS Security Technical Implementation Guide

Version

V2R2

CCIs

CCI-001663

Discussion

A mechanism to detect and prevent unauthorized communication flow must be configured or provided as part of the system design. If information flow is not enforced based on approved authorizations, the system may become compromised. Information flow control regulates where information is allowed to travel within a system and between interconnected systems. The flow of all application information must be monitored and controlled so it does not introduce any unacceptable risk to the systems or data. Application-specific examples of enforcement occurs in systems that employ rule sets or establish configuration settings that restrict information system services or provide a message filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Applications providing information flow control must be able to enforce approved authorizations for controlling the flow of information between interconnected systems in accordance with applicable policy. Within the context of DNS, this is applicable in terms of controlling the flow of DNS information between systems, such as DNS zone transfers.

Check Content

Note: For Infoblox DNS systems on a Classified network, this requirement is Not Applicable.

Review the Infoblox DNS configuration to verify only approved communications are allowed. Usage of Access Control Lists to control clients, DNS zone transfer configuration to systems external to the Infoblox grid, and grid member configuration can be used to control communications as desired.

Infoblox systems within the same Grid utilize internal database transfer and do not perform zone transfers.

If all systems are within the same Infoblox Grid, this is not a finding.

Fix Text

Zone transfers can be restricted at the Grid, Member, and Zone level. Configuration is inherited and can be overridden if necessary to construct the appropriate access control. 

Grid level configuration: Navigate to Data Management >> DNS >> Zones tab.
Click "Grid DNS Properties", and toggle Advanced Mode.

Member level configuration: Navigate to Data Management >> DNS >> Members/Servers tab.
Click "Edit" to review each member with the DNS service status of "Running". 

Zone level Configuration: Navigate to Data Management >> DNS >> Zones tab.
Select the "Zone Transfers" tab.
Click "Override" to set permissions for "Allow zone transfers to".

Configure IPv4, IPv6 networks, addresses, TSIG keys to restrict zone transfers.