
V-233921

CAT II (Medium)

The Infoblox system must restrict the ability of individuals to use the DNS service member to launch denial-of-service (DoS) attacks against other information systems.

Rule ID

SV-233921r1082733_rule

STIG

Infoblox 8.x DNS Security Technical Implementation Guide

Version

V1R2

CCIs

CCI-001094

Discussion

The Infoblox system must restrict the ability of individuals to use the DNS server to launch DoS attacks against other information systems.

Check Content

Infoblox systems have a number of options that can be configured to reduce the likelihood of the system being exploited in a DoS attack. Primary consideration for this check must be given to client restrictions such as disabling open recursive servers, using Access Control Lists (ACLs) to limit client communication, and placement in a secure network architecture to prevent address spoofing.

1. Navigate to Data Management >> DNS >> Grid DNS Properties.
2. For external authoritative DNS service members:
   a. Select the "Queries" tab.
   b. Verify the "Allow Recursion" check box is not enabled.
3. For internal DNS service members:
   a. On the "Updates" tab, verify that an ACL or Access Control Entry (ACE) for "Allow updates from" is enabled.
   b. On the "Queries" tab, verify that either an ACL or ACE for "Allow queries from" is enabled.
4. When complete, click "Cancel" to exit the "Properties" screen without saving changes.

If there is an open recursive DNS service on external DNS service members, or unrestricted access to internal DNS service members, this is a finding.
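The GUI check above can be cross-checked by looking at how a member answers a recursive query for a name outside its own zones, sent from a client that should not be served. The following is an added example, not part of the STIG or of Infoblox tooling; the function names, the "pass"/"finding"/"review" labels, and the sample packets are constructed for illustration.

```python
import socket
import struct

QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080  # DNS header flag bits

def build_query(name, qid, qtype=1):
    """DNS query for `name` (type A by default) with RD (recursion desired) set."""
    header = struct.pack("!6H", qid, RD, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii")
                     for p in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!2H", qtype, 1)  # class IN

def classify(resp, qid):
    """Classify the reply to a recursive query for a name outside the server's zones."""
    if len(resp) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!6H", resp[:12])
    if rid != qid or not flags & QR:
        raise ValueError("not a response to this query")
    rcode = flags & 0x000F
    if not flags & RA or rcode == 5:   # recursion not offered, or REFUSED
        return "pass"
    if rcode == 0 and ancount > 0 and not flags & AA:
        return "finding"               # server recursed and answered a foreign name
    return "review"                    # RA advertised: confirm the "Queries" tab settings

def probe(server, name, qid=0x5157, timeout=3.0):
    """Send the query over UDP/53 to a member you administer and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qid), (server, 53))
        return classify(s.recv(4096), qid)

def make_header(flags, ancount, qid=0x5157):
    """Constructed 12-byte reply header used as sample input (not captured traffic)."""
    return struct.pack("!6H", qid, flags, 1, ancount, 0, 0)

SAMPLE_REFUSED = make_header(QR | RD | 5, 0)     # ACL rejected the client
SAMPLE_REFERRAL = make_header(QR | RD, 0)        # authoritative-only, RA clear
SAMPLE_OPEN = make_header(QR | RD | RA, 1)       # recursive answer returned
SAMPLE_RA_ONLY = make_header(QR | RD | RA, 0)    # RA set but no answer

if __name__ == "__main__":
    for label, pkt in [("refused", SAMPLE_REFUSED), ("referral", SAMPLE_REFERRAL),
                       ("open", SAMPLE_OPEN), ("ra-only", SAMPLE_RA_ONLY)]:
        print(label, classify(pkt, 0x5157))
```

A timeout from `probe` means no reply arrived at all, which is also consistent with the client being blocked; the Grid DNS Properties settings remain the authoritative evidence for the check.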

Fix Text

1. Navigate to Data Management >> DNS >> Grid DNS Properties. 
2. Select the "Queries" tab. 
3. For external authoritative DNS service members, disable "Allow Recursion" by clearing the check box.
4. For internal DNS service members, on the "Updates" tab, configure either an ACL or ACE for "Allow updates from".
5. On the "Queries" tab, configure either an ACL or ACE for "Allow queries from".
6. When complete, click "Save & Close" to save the changes and exit the "Properties" screen. 
7. Perform a service restart if necessary.