STIGhubSTIGhub
STIGsRMF ControlsCompare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • RMF Controls
  • Compare Versions

Resources

  • About
  • Release Notes
  • VPAT
  • DISA STIG Library
STIGs updated 2 hours ago
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to Infoblox 8.x DNS Security Technical Implementation Guide

V-233876

CAT II (Medium)

The IP address for hidden master authoritative DNS service members must not appear in the DNS service members set in the zone database.

Rule ID

SV-233876r1082648_rule

STIG

Infoblox 8.x DNS Security Technical Implementation Guide

Version

V1R2

CCIs

CCI-000366

Discussion

A hidden primary authoritative server is an authoritative DNS server in which the IP address does not appear in the name server set for a zone. All of the name servers that do appear in the zone database as designated name servers get their zone data from the hidden primary via a zone transfer request. In effect, all visible name servers are actually secondary servers. This prevents potential attackers from targeting the primary name server because its IP address may not appear in the zone database.

Check Content

Verify that the Infoblox Grid Master is not configured to service DNS requests from clients.

1. Navigate to Data Management >> DNS >> Zones. 
2. Review each zone by selecting the zone, clicking "Edit", and selecting the "DNS service members" tab.  

If the Grid Master is a listed DNS service member and not marked "Stealth", this is a finding.

Fix Text

For each zone that is not in compliance:

1. Navigate to Data Management >> DNS >> Zones.
2. Reconfigure the "Name Servers" tab and modify the Grid Master by selecting "Stealth". 
3. When complete, click "Save & Close" to save the changes and exit the "Properties" screen. 
4. Perform a service restart if necessary.