STIGhub

A free tool to search and browse the entire DISA STIG library.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

Infoblox 7.x DNS Security Technical Implementation Guide

Version

V2R2

Release Date

Nov 19, 2025

SCAP Benchmark ID

Infoblox_7-x_DNS_STIG

Total Checks

67

Tags

other
CAT I: 4, CAT II: 60, CAT III: 3

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.


Checks (67)

  • V-214159 (Low) Infoblox systems which perform zone transfers to non-Infoblox Grid DNS servers must be configured to limit the number of concurrent sessions for zone transfers.
  • V-214160 (Medium) Primary authoritative name servers must be configured to only receive zone transfer requests from specified secondary name servers.
  • V-214161 (Medium) The Infoblox system must limit the number of concurrent client connections to the number of allowed dynamic update clients.
  • V-214162 (Medium) The Infoblox system audit records must be backed up at least every seven days onto a different system or system component than the system or component being audited.
  • V-214163 (Medium) Infoblox systems configured to run the DNS service must be configured to prohibit or restrict unapproved ports and protocols.
  • V-214164 (Medium) Infoblox systems which are configured to perform zone transfers to non-Grid name servers must utilize transaction signatures (TSIG).
  • V-214165 (Medium) Only the private key corresponding to the ZSK alone must be kept on the name server that does support dynamic updates.
  • V-214166 (Medium) Signature generation using the KSK must be done off-line, using the KSK-private stored off-line.
  • V-214167 (Medium) The Infoblox system must be configured to employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions.
  • V-214168 (Medium) The Infoblox system must be configured to provide additional data origin artifacts along with the authoritative data the system returns in response to external name/address resolution queries.
  • V-214169 (Medium) A DNS server implementation must provide the means to indicate the security status of child zones.
  • V-214170 (Medium) The Key Signing Key (KSK) rollover interval must be configured to no less than one year.
  • V-214171 (Medium) The Infoblox system implementation must enforce approved authorizations for controlling the flow of information between DNS servers and between DNS servers and DNS clients based on DNSSEC policies.
  • V-214172 (Medium) A DNS server implementation must provide the means to enable verification of a chain of trust among parent and child domains (if the child supports secure resolution services).
  • V-214174 (Medium) Infoblox DNS servers must protect the authenticity of communications sessions for zone transfers.
  • V-214175 (Medium) Infoblox DNS servers must be configured to protect the authenticity of communications sessions for dynamic updates.
  • V-214176 (Medium) Infoblox DNS servers must be configured to protect the authenticity of communications sessions for queries.
  • V-214177 (Medium) In the event of a system failure, the Infoblox system must preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to mission processes.
  • V-214178 (Medium) The Infoblox system must be configured to restrict the ability of individuals to use the DNS server to launch Denial of Service (DoS) attacks against other information systems.
  • V-214179 (Medium) The Infoblox system must be configured to manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of Denial of Service (DoS) attacks.
  • V-214180 (Medium) The Infoblox system must be configured to activate a notification to the system administrator when a component failure is detected.
  • V-214181 (Medium) An Infoblox DNS server must strongly bind the identity of the DNS server with the DNS information using DNSSEC.
  • V-214182 (Medium) The Infoblox system must be configured to provide the means for authorized individuals to determine the identity of the source of the DNS server-provided information.
  • V-214183 (Medium) The Infoblox system must be configured to validate the binding of the other DNS server's identity to the DNS information for a server-to-server transaction (e.g., zone transfer).
  • V-214185 (Medium) Recursion must be disabled on Infoblox DNS servers which are configured as authoritative name servers.
  • V-214186 (Medium) The Infoblox system must authenticate the other DNS server before responding to a server-to-server transaction.
  • V-214187 (Medium) The DNS server implementation must authenticate another DNS server before establishing a remote and/or network connection using bidirectional authentication that is cryptographically based.
  • V-214188 (Medium) A DNS server implementation must provide data origin artifacts for internal name/address resolution queries.
  • V-214189 (Medium) A DNS server implementation must provide data integrity protection artifacts for internal name/address resolution queries.
  • V-214190 (Medium) A DNS server implementation must provide additional integrity artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries.
  • V-214191 (Medium) A DNS server implementation must request data origin authentication verification on the name/address resolution responses the system receives from authoritative sources.
  • V-214192 (Medium) A DNS server implementation must request data integrity verification on the name/address resolution responses the system receives from authoritative sources.
  • V-214193 (Medium) A DNS server implementation must perform data integrity verification on the name/address resolution responses the system receives from authoritative sources.
  • V-214194 (Medium) A DNS server implementation must perform data origin verification authentication on the name/address resolution responses the system receives from authoritative sources.
  • V-214195 (Medium) The Infoblox system must be configured to protect the integrity of transmitted information.
  • V-214196 (Medium) The Infoblox system must implement cryptographic mechanisms to detect changes to information during transmission unless otherwise protected by alternative physical safeguards, such as, at a minimum, a Protected Distribution System (PDS).
  • V-214197 (Medium) The DNS server implementation must maintain the integrity of information during preparation for transmission.
  • V-214198 (Medium) The DNS server implementation must maintain the integrity of information during reception.
  • V-214199 (Medium) The DNS server implementation must follow procedures to re-role a secondary name server as the master name server should the master name server permanently lose functionality.
  • V-214200 (Medium) The DNS server implementation must log the event and notify the system administrator when anomalies in the operation of the signed zone transfers are discovered.
  • V-214201 (High) The DNS server must implement NIST FIPS-validated cryptography for provisioning digital signatures, generating cryptographic hashes, and protecting unclassified information requiring confidentiality.
  • V-214202 (Medium) The Zone Signing Key (ZSK) rollover interval must be configured to less than two months.
  • V-214203 (Medium) NSEC3 must be used for all internal DNS zones.
  • V-214204 (Medium) The Infoblox system must ensure each NS record in a zone file points to an active name server authoritative for the domain specified in that record.
  • V-214205 (Medium) All authoritative name servers for a zone must be located on different network segments.
  • V-214206 (Medium) An authoritative name server must be configured to enable DNSSEC Resource Records.
  • V-214207 (High) The digital signature algorithm used for DNSSEC-enabled zones must be FIPS-compatible.
  • V-214208 (Medium) For zones split between the external and internal sides of a network, the RRs for the external hosts must be separate from the RRs for the internal hosts.
  • V-214209 (Medium) In a split DNS configuration, where separate name servers are used between the external and internal networks, the external name server must be configured to not be reachable from inside resolvers.
  • V-214210 (Medium) In a split DNS configuration, where separate name servers are used between the external and internal networks, the internal name server must be configured to not be reachable from outside resolvers.
  • V-214211 (Medium) The DNS implementation must enforce a Discretionary Access Control (DAC) policy that limits propagation of access rights.
  • V-214212 (Medium) The DNS implementation must implement internal/external role separation.
  • V-214213 (Medium) The Infoblox system must utilize valid root name servers in the local root zone file.
  • V-214214 (High) The Infoblox NIOS version must be at the appropriate version.
  • V-214215 (Medium) The IP address for hidden master authoritative name servers must not appear in the name servers set in the zone database.
  • V-214216 (Medium) The platform on which the name server software is hosted must be configured to respond to DNS traffic only.
  • V-214217 (Medium) The platform on which the name server software is hosted must be configured to send outgoing DNS messages from a random port.
  • V-214218 (Medium) The private keys corresponding to both the ZSK and the KSK must not be kept on the DNSSEC-aware primary authoritative name server when the name server does not support dynamic updates.
  • V-214219 (Medium) CNAME records must not point to a zone with lesser security for more than six months.
  • V-214220 (Medium) The Infoblox system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
  • V-214221 (Low) The Infoblox system must be configured to display the appropriate security classification information.
  • V-214222 (Low) The Infoblox system must be configured with the approved DoD notice and consent banner.
  • V-214223 (Medium) Infoblox Grid configuration must be backed up on a regular basis.
  • V-214224 (High) Infoblox systems must be configured with current DoD password restrictions.
  • V-214225 (Medium) The DHCP service must not be enabled on an external authoritative name server.
  • V-214226 (Medium) A secure Out Of Band (OOB) network must be utilized for management of Infoblox Grid Members.
  • V-219058 (Medium) All authoritative name servers for a zone must be geographically disbursed.
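Three of the zone-layout checks above (V-214204, V-214205 and V-214215) can be audited from exported zone data without touching the Infoblox Grid. The script below is an added example, not DISA or Infoblox code; it works on a constructed zone (NS records plus their address records) and treats an IPv4 /24 (IPv6 /64) as the "network segment" for V-214205, which is an assumption the STIG does not define. It also only checks that each NS name has an address record, a static proxy for "active" that a live query would be needed to confirm.

```python
"""Offline audit of a zone's NS delegation against three Infoblox DNS STIG checks.

Added example (not Infoblox or DISA code). Zone data below is constructed;
the segment size used for V-214205 is an assumption.
"""
import ipaddress
from typing import Dict, List

# Constructed sample zone: the hidden master's address has deliberately been
# published in the NS set, two servers share a /24, and ns9 has no address.
SAMPLE_ZONE: Dict = {
    "origin": "example.mil.",
    "ns_records": ["ns1.example.mil.", "ns2.example.mil.",
                   "hidden.example.mil.", "ns9.example.mil."],
    "a_records": {
        "ns1.example.mil.": "192.0.2.10",
        "ns2.example.mil.": "192.0.2.20",
        "hidden.example.mil.": "198.51.100.5",
    },
}

# Constructed compliant zone: the hidden master still has an address record
# (that is fine) but is not listed as an NS, and the public servers sit on
# different /24s.
COMPLIANT_ZONE: Dict = {
    "origin": "example.mil.",
    "ns_records": ["ns1.example.mil.", "ns2.example.mil."],
    "a_records": {
        "ns1.example.mil.": "192.0.2.10",
        "ns2.example.mil.": "203.0.113.20",
        "hidden.example.mil.": "198.51.100.5",
    },
}

HIDDEN_MASTER_IP = "198.51.100.5"  # assumed address of the hidden master


def segment_of(ip: str, v4_prefix: int = 24, v6_prefix: int = 64) -> ipaddress._BaseNetwork:
    """Map an address to the 'network segment' it sits on (assumed prefix sizes)."""
    addr = ipaddress.ip_address(ip)
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def audit_zone(zone: Dict, hidden_master_ip: str) -> List[str]:
    """Return one finding string per violated check, prefixed with the STIG ID."""
    findings: List[str] = []
    ns_records = zone["ns_records"]
    a_records = zone["a_records"]

    # V-214204: every NS name must point at a server that can actually answer;
    # a missing address record means it cannot (liveness still needs a query).
    for ns in ns_records:
        if ns not in a_records:
            findings.append(f"V-214204: NS {ns} has no address record")

    # V-214215: the hidden master's address must not be published via the NS set.
    for ns in ns_records:
        if a_records.get(ns) == hidden_master_ip:
            findings.append(f"V-214215: hidden master address {hidden_master_ip} "
                            f"is published through NS {ns}")

    # V-214205: no two authoritative servers may share a network segment.
    by_segment: Dict = {}
    for ns in ns_records:
        ip = a_records.get(ns)
        if ip is not None:
            by_segment.setdefault(segment_of(ip), []).append(ns)
    for net, names in by_segment.items():
        if len(names) > 1:
            findings.append(f"V-214205: {', '.join(names)} share segment {net}")

    return findings


if __name__ == "__main__":
    for label, zone in (("sample", SAMPLE_ZONE), ("compliant", COMPLIANT_ZONE)):
        result = audit_zone(zone, HIDDEN_MASTER_IP)
        print(f"{label}: {len(result)} finding(s)")
        for line in result:
            print("  " + line)
```

Run against the constructed sample zone this reports one finding per check; the compliant zone reports none. Feeding it a real zone means exporting the NS and A/AAAA records from the Grid and supplying the actual hidden master address.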