STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.


Infoblox 8.x DNS Security Technical Implementation Guide

Version: V1R2

Release Date: Mar 11, 2025

SCAP Benchmark ID: Infoblox_8_DNS_STIG

Total Checks: 71

Tags: other

Severity breakdown: CAT I: 7, CAT II: 64, CAT III: 0

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.


Checks (71)

  • V-233855 (MEDIUM): Infoblox systems that perform zone transfers to non-Grid DNS service members must limit the number of concurrent sessions for zone transfers.
  • V-233856 (MEDIUM): The Infoblox system must limit the number of concurrent client connections to the number of allowed dynamic update clients.
  • V-233857 (MEDIUM): The Infoblox DNS service member must not reveal sensitive information to an attacker. This includes Host Information (HINFO), Responsible Person (RP), Location (LOC) resource, and sensitive text string resource (TXT) record data.
  • V-233858 (MEDIUM): The Infoblox system audit records must be backed up at least every seven days onto a different system or system component than the system or component being audited.
  • V-233859 (MEDIUM): All authoritative DNS service members for a zone must be geographically dispersed.
  • V-233860 (MEDIUM): Recursion must be disabled on Infoblox DNS service members that are configured as External Authoritative DNS service members.
  • V-233861 (MEDIUM): The validity period for the Resource Record Signatures (RRSIGs) covering a zone's DNSKEY RRSet must be no less than two days and no more than one week.
  • V-233862 (MEDIUM): NSEC3 must be used for all DNSSEC signed zones.
  • V-233863 (MEDIUM): The Infoblox DNS service member must be configured so that each DNS service member record in a zone file points to an active DNS service member authoritative for the domain specified in that record.
  • V-233864 (MEDIUM): All authoritative DNS service members for a zone must be located on different network segments.
  • V-233865 (MEDIUM): All authoritative DNS service members for a zone must have the same version of zone information.
  • V-233866 (MEDIUM): An External authoritative DNS service member must be configured to enable DNSSEC resource records.
  • V-233867 (HIGH): The digital signature algorithm used for DNSSEC-enabled zones must be FIPS-compatible.
  • V-233868 (MEDIUM): For zones split between the external and internal sides of a network, the resource records (RRs) for the external hosts must be separate from the RRs for the internal hosts.
  • V-233869 (MEDIUM): In a split DNS configuration, where separate DNS service members are used between the external and internal networks, the external DNS service member must be configured to not be reachable from inside resolvers.
  • V-233870 (MEDIUM): In a split DNS configuration, where separate DNS service members are used between the external and internal networks, the internal DNS service member must be configured to not be reachable from outside resolvers.
  • V-233871 (MEDIUM): Primary authoritative DNS service members must be configured to only receive zone transfer requests from specified secondary DNS service members.
  • V-233872 (MEDIUM): The Infoblox system must use a security policy that limits the propagation of access rights.
  • V-233873 (MEDIUM): The DNS implementation must implement internal/external role separation.
  • V-233874 (MEDIUM): The Infoblox DNS service member must use current and valid root DNS service members.
  • V-233875 (MEDIUM): The Infoblox NIOS version must be at the appropriate version.
  • V-233876 (MEDIUM): The IP address for hidden master authoritative DNS service members must not appear in the DNS service members set in the zone database.
  • V-233877 (MEDIUM): The Infoblox system must be configured to respond to DNS traffic only.
  • V-233878 (MEDIUM): The Infoblox DNS service member must send outgoing DNS messages from a random port.
  • V-233879 (HIGH): The private keys corresponding to both the Zone Signing Key (ZSK) and the Key Signing Key (KSK) must not be kept on the DNSSEC-aware primary authoritative DNS service member when the DNS service member does not support dynamic updates.
  • V-233880 (MEDIUM): CNAME records must not point to a zone with lesser security for more than six months.
  • V-233881 (MEDIUM): The Infoblox system must use the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
  • V-233882 (HIGH): A secure out-of-band (OOB) network must be used for management of Infoblox Grid Members.
  • V-233883 (HIGH): Infoblox systems must enforce current DoD password restrictions.
  • V-233884 (MEDIUM): Infoblox Grid configuration must be backed up on a regular basis.
  • V-233885 (MEDIUM): The Infoblox system must display the approved DoD notice and consent banner.
  • V-233886 (MEDIUM): The Infoblox system must display the appropriate security classification information.
  • V-233887 (MEDIUM): The Infoblox system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
  • V-233888 (MEDIUM): The Infoblox system must present only approved TLS and SSL cipher suites.
  • V-233889 (MEDIUM): An Infoblox DNS service member must strongly bind the identity of the DNS service member with the DNS information using DNSSEC.
  • V-233890 (MEDIUM): The Infoblox system must provide the means for authorized individuals to determine the identity of the source of the DNS service member-provided information.
  • V-233891 (MEDIUM): The Infoblox system must validate the binding of the other DNS service members' identity to the DNS information for a server-to-server transaction (e.g., zone transfer).
  • V-233892 (MEDIUM): The Infoblox system must send a notification in the event of an error when validating the binding of another DNS service member's identity to the DNS information.
  • V-233893 (MEDIUM): The Infoblox DNS service member must provide data origin artifacts for internal name/address resolution queries.
  • V-233894 (MEDIUM): The Infoblox DNS service member must provide data integrity protection artifacts for internal name/address resolution queries.
  • V-233895 (MEDIUM): The Infoblox system must notify the system administrator when a component failure is detected.
  • V-233896 (MEDIUM): The Infoblox DNS service member implementation must follow procedures to promote a secondary DNS service member to the role of primary DNS service member in the event the current primary DNS service member permanently loses functionality.
  • V-233897 (MEDIUM): The Infoblox system must prohibit or restrict unapproved services, ports, and protocols.
  • V-233898 (MEDIUM): The Infoblox system must require devices to reauthenticate for each zone transfer and dynamic update request connection attempt.
  • V-233899 (MEDIUM): When using third-party DNS servers for zone transfers, each DNS server must use TSIG to uniquely identify the other server.
  • V-233900 (MEDIUM): The Infoblox DNS service member must authenticate to any external (non-Grid) DNS service members before responding to a server-to-server transaction.
  • V-233901 (MEDIUM): The Infoblox DNS service member must authenticate another DNS service member before establishing a remote and/or network connection using bidirectional authentication that is cryptographically based.
  • V-233902 (MEDIUM): Infoblox systems that communicate with non-Grid DNS service members must use a unique Transaction Signature (TSIG).
  • V-233903 (HIGH): The Infoblox Grid Master must be configured as a stealth (hidden) domain DNS service member to protect the Key Signing Key (KSK) residing on it.
  • V-233904 (HIGH): The Infoblox Grid Master must be configured as a stealth (hidden) domain DNS service member in order to protect the Zone Signing Key (ZSK) residing on it.
  • V-233905 (MEDIUM): The Infoblox system must employ strong authenticators in the establishment of non-local maintenance and diagnostic sessions.
  • V-233906 (HIGH): The Infoblox DNS service member must implement NIST FIPS-validated cryptography for provisioning digital signatures, generating cryptographic hashes, and protecting unclassified information requiring confidentiality.
  • V-233907 (MEDIUM): The Infoblox system must provide additional data origin artifacts along with the authoritative data the system returns in response to external name/address resolution queries.
  • V-233908 (MEDIUM): The Infoblox DNS service member must provide additional integrity artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries.
  • V-233909 (MEDIUM): The Infoblox DNS service member implementation must provide the means to indicate the security status of child zones.
  • V-233910 (MEDIUM): The validity period for the Resource Record Signatures (RRSIGs) covering the Delegation Signer (DS) RR for a zone's delegated children must be no less than two days and no more than one week.
  • V-233911 (MEDIUM): The Infoblox DNS service member implementation must enforce approved authorizations for controlling the flow of information between DNS service members and between DNS service members and DNS clients based on TSIG policies.
  • V-233912 (MEDIUM): The Infoblox DNS service member must enable verification of a chain of trust among parent and child domains (if the child supports secure resolution services).
  • V-233913 (MEDIUM): The Infoblox DNS service member must request data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources.
  • V-233917 (MEDIUM): Infoblox DNS service members must protect the authenticity of communications sessions for zone transfers when communicating with external DNS service members (i.e., DNS systems outside the Infoblox grid).
  • V-233918 (MEDIUM): Infoblox DNS service members must protect the authenticity of communications sessions for dynamic updates.
  • V-233919 (MEDIUM): Infoblox DNS service members must protect the authenticity of communications sessions for queries.
  • V-233920 (MEDIUM): In the event of a system failure, the Infoblox system must preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to mission processes.
  • V-233921 (MEDIUM): The Infoblox system must restrict the ability of individuals to use the DNS service member to launch denial-of-service (DoS) attacks against other information systems.
  • V-233922 (MEDIUM): The Infoblox system must manage excess capacity, bandwidth, or other redundancy to limit the effects of information-flooding types of denial-of-service (DoS) attacks.
  • V-233923 (MEDIUM): The Infoblox DNS service member must protect the integrity of transmitted information.
  • V-233924 (MEDIUM): The Infoblox DNS service member must implement cryptographic mechanisms to detect changes to information during transmission unless otherwise protected by alternative physical safeguards, such as, at a minimum, a Protected Distribution System (PDS).
  • V-233925 (MEDIUM): The Infoblox DNS service member implementation must maintain the integrity of information during preparation for transmission.
  • V-233926 (MEDIUM): The Infoblox DNS service member implementation must maintain the integrity of information during reception.
  • V-233927 (MEDIUM): The Infoblox system must notify the ISSO and ISSM in the event of failed security verification tests.
  • V-233928 (MEDIUM): The Infoblox DNS service member implementation must log the event and notify the system administrator when anomalies in the operation of the signed zone transfers are discovered.