V-233877

Discussion

OS configuration practices as issued by the US Computer Emergency Response Team (US CERT) and the National Institute of Standards and Technology's (NIST's) National Vulnerability Database (NVD), based on identified vulnerabilities that pertain to the application profile into which the name server software fits, should always be followed. In particular, hosts that run the name server software should not provide any other services and therefore should be configured to respond to DNS traffic only. In other words, the only allowed incoming ports/protocols to these hosts should be 53/udp and 53/tcp. Outgoing DNS messages should be sent from a random port to minimize the risk of an attacker's guessing the outgoing message port and sending forged replies.

Check Content

By default, all services other than those required for management are disabled on Infoblox appliances. Review the Infoblox Grid for extra services turned on.

Note: Configuration of out-of-band (OOB) management can be enabled to separate DNS from management traffic if desired.  

1. Navigate to Grid >> Grid Manager >> Services tab. 
2. Click on each service that is running and review the Service Status of each member.  

Note: Depending on purchased options, Infoblox DNS members may be running DNS, and optionally services supporting DNS and security operations such as DNS Traffic Control, Threat Protection, Threat Analytics, and TAXII services. Use of these additional Infoblox services is not a finding.  

If an external authoritative server is running any unnecessary services such as file distribution services, this is a finding.