F5 BIG-IP TMOS DNS Security Technical Implementation Guide

  • Version/Release: V1R1
  • Published: 2024-09-09
  • Released: 2024-09-26
  • Expand All:
  • Severity:
  • Sort:
Compare

Select any two versions of this STIG to compare the individual requirements

View

Select any old version/release of this STIG to view the previous requirements

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
b
The F5 BIG-IP DNS implementation must prohibit recursion on authoritative name servers.
CM-6 - Medium - CCI-000366 - V-265980 - SV-265980r1024486_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
F5BI-DN-300011
Vuln IDs
  • V-265980
Rule IDs
  • SV-265980r1024486_rule
A potential vulnerability of DNS is that an attacker can poison a name server's cache by sending queries that will cause the server to obtain host-to-IP address mappings from bogus name servers that respond with incorrect information. Once a name server has been poisoned, legitimate clients may be directed to nonexistent hosts (which constitutes a denial of service), or worse, hosts that masquerade as legitimate ones to obtain sensitive data or passwords. To guard against poisoning, name servers authoritative for .mil domains must be separated functionally from name servers that resolve queries on behalf of internal clients. Organizations may achieve this separation by dedicating machines to each function or, if possible, by running two instances of the name server software on the same machine: one for the authoritative function and the other for the resolving function. In this design, each name server process may be bound to a different IP address or network interface to implement the required segregation. DNSSEC ensures that the answer received when querying for name resolution actually comes from a trusted name server. Since DNSSEC is still far from being globally deployed external to DOD, and many resolvers either have not been updated or do not support DNSSEC, maintaining cached zone data separate from authoritative zone data mitigates the gap until all DNS data is validated with DNSSEC. Since DNS forwarding of queries can be accomplished in some DNS applications without caching locally, DNS forwarding is the method to be used when providing external DNS resolution to internal clients.
Checks: C-69903r1023195_chk

If the BIG-IP does not have the role of authoritative DNS server, this is not applicable. From the BIG-IP GUI: 1. DNS. 2. Delivery. 3. Profiles. 4. DNS. 5. Click the name of the profile used for the authoritative listener. 6. Verify the following settings: a. Use BIND Server on BIG-IP: Disabled b. DNS Cache: Disabled If the BIG-IP appliance is not configured to prohibit recursion on authoritative name servers, this is a finding.

Fix: F-69806r1023196_fix

If the BIG-IP has the role of authoritative DNS server, then configure as follows. From the BIG-IP GUI: 1. DNS. 2. Delivery. 3. Profiles. 4. DNS. 5. Click the name of the profile used for the authoritative listener. 6. Configure the following settings: a. Use BIND Server on BIG-IP: Disabled b. DNS Cache: Disabled 7. Click "Update".

b
The validity period for the RRSIGs covering a zone's DNSKEY RRSet must be no less than two days and no more than one week.
CM-6 - Medium - CCI-000366 - V-265981 - SV-265981r1024487_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
F5BI-DN-300012
Vuln IDs
  • V-265981
Rule IDs
  • SV-265981r1024487_rule
The best way for a zone administrator to minimize the impact of a key compromise is by limiting the validity period of RRSIGs in the zone and in the parent zone. This strategy limits the time during which an attacker can take advantage of a compromised key to forge responses. An attacker that has compromised a ZSK can use that key only during the KSK's signature validity interval. An attacker that has compromised a KSK can use that key for only as long as the signature interval of the RRSIG covering the DS RR in the delegating parent. These validity periods must be short, which will require frequent re-signing. To minimize the impact of a compromised ZSK, a zone administrator must set a signature validity period of one week for RRSIGs covering the DNSKEY RRSet in the zone (the RRSet that contains the ZSK and KSK for the zone). The DNSKEY RRSet can be re-signed without performing a ZSK rollover, but scheduled ZSK rollover must still be performed at regular intervals.
Checks: C-69904r1023198_chk

KSK validity period: From the BIG-IP GUI: 1. DNS. 2. Delivery. 3. Keys. 4. DNSSEC Key List. 5. Click the Name of the KSK. 6. Verify the "Signature Validity Period" is between two and seven days. ZSK validity period: From the BIG-IP GUI: 1. DNS. 2. Delivery. 3. Keys. 4. DNSSEC Key List. 5. Click the Name of the ZSK. 6. Verify the "Signature Validity Period" is between two and seven days. If the BIG-IP appliance is not configured with a validity period for the RRSIGs covering a zones DNSKEY RRSet of no less than two days and no more than one week, this is a finding.

Fix: F-69807r1023199_fix

KSK validity period: From the BIG-IP GUI: 1. DNS. 2. Delivery. 3. Keys. 4. DNSSEC Key List. 5. Click the Name of the KSK. 6. Configure the "Signature Validity Period" to between two and seven days. 7. Click "Update". ZSK validity period: From the BIG-IP GUI: 1. DNS. 2. Delivery. 3. Keys. 4. DNSSEC Key List. 5. Click the Name of the ZSK. 6. Configure the "Signature Validity Period" to between two and seven days. 7. Click "Update".

b
An authoritative name server must be configured to enable DNSSEC Resource Records.
CM-6 - Medium - CCI-000366 - V-265982 - SV-265982r1024488_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
F5BI-DN-300013
Vuln IDs
  • V-265982
Rule IDs
  • SV-265982r1024488_rule
The specification for a digital signature mechanism in the context of the DNS infrastructure is in IETF's DNSSEC standard. In DNSSEC, trust in the public key (for signature verification) of the source is established not by going to a third party or a chain of third parties (as in public key infrastructure [PKI] chaining), but by starting from a trusted zone (such as the root zone) and establishing the chain of trust down to the current source of response through successive verifications of signature of the public key of a child by its parent. The public key of the trusted zone is called the trust anchor. After authenticating the source, the next process DNSSEC calls for is to authenticate the response. DNSSEC mechanisms involve two main processes: sign and serve, and verify signature. Before a DNSSEC-signed zone can be deployed, a name server must be configured to enable DNSSEC processing. Satisfies: SRG-APP-000516-DNS-000089, SRG-APP-000347-DNS-000041, SRG-APP-000348-DNS-000042, SRG-APP-000420-DNS-000053, SRG-APP-000421-DNS-000054, SRG-APP-000158-DNS-000015, SRG-APP-000422-DNS-000055, SRG-APP-000215-DNS-000003, SRG-APP-000423-DNS-000056, SRG-APP-000424-DNS-000057, SRG-APP-000425-DNS-000058, SRG-APP-000426-DNS-000059, SRG-APP-000219-DNS-000030
Checks: C-69905r1023201_chk

DNSSEC Keys: From the BIG-IP GUI: 1. DNS. 2. Zones. 3. DNSSEC Zones. 4. DNSSEC Zone List. 5. Click the name of the zone. 6. Verify a key is selected for both "Zone Signing Key" and "Key Signing Key". TSIG Key: 1. DNS. 2. Delivery. 3. Nameservers. 4. Nameserver List. 5. Click the name of the Nameserver. 6. Verify a value is selected for "TSIG Key". If the BIG-IP DNS implementation is not configured to enable DNSSEC Resource Records, this is a finding.

Fix: F-69808r1023202_fix

DNSSEC Keys: From the BIG-IP GUI: 1. DNS. 2. Zones. 3. DNSSEC Zones. 4. DNSSEC Zone List. 5. Click the name of the zone. 6. Move a key for both "Zone Signing Key" and "Key Signing Key" into the "Active" column. 7. Click "Update". Note: To create a Zone Signing Key and/or Key Signing Key, go to DNS >> Delivery >> Keys >> DNSSEC Key List. TSIG Key: 1. DNS. 2. Delivery. 3. Nameservers. 4. Nameserver List. 5. Click on the name of the Nameserver. 6. Select a value from the drop-down for "TSIG Key". 7. Click "Update". Note: To create a TSIG Key, go to DNS >> Delivery >> Keys >> TSIG Key List.

b
Primary authoritative name servers must be configured to only receive zone transfer requests from specified secondary name servers.
CM-6 - Medium - CCI-000366 - V-265983 - SV-265983r1024490_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
F5BI-DN-300014
Vuln IDs
  • V-265983
Rule IDs
  • SV-265983r1024490_rule
Authoritative name servers (especially primary name servers) must be configured with an allow-transfer access control substatement designating the list of hosts from which zone transfer requests can be accepted. These restrictions address the denial-of-service (DoS) threat and potential exploits from unrestricted dissemination of information about internal resources. Based on the need-to-know, the only name servers that need to refresh their zone files periodically are the secondary name servers. Zone transfer from primary name servers must be restricted to secondary name servers. The zone transfer must be completely disabled in the secondary name servers. The address match list argument for the allow-transfer substatement must consist of IP addresses of secondary name servers and stealth secondary name servers.
Checks: C-69906r1024489_chk

If the BIG-IP is transferring zones from another non-BIG-IP DNS server perform the following. From the BIG-IP GUI: 1. DNS. 2. Zones. 3. Zone List. 4. Click on the name of the Zone. 5. Verify "Zone Transfer Clients" >> "Active" column shows only the nameservers that are allowed to request zone transfers. If the BIG-IP appliance is not configured to limit the secondary name servers from which an authoritative name server receives zone transfer requests, this is a finding.

Fix: F-69809r1023205_fix

From the BIG-IP GUI: 1. DNS. 2. Zones. 3. Zone List. 4. Click on the Name of the Zone. 5. Move only Nameservers to the "Active" column under "Zone Transfer Clients" that are allowed to request zone transfers. 6. Click "Update".

b
The F5 BIG-IP DNS must use valid root name servers in the local root zone file.
CM-6 - Medium - CCI-000366 - V-265984 - SV-265984r1024858_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
F5BI-DN-300015
Vuln IDs
  • V-265984
Rule IDs
  • SV-265984r1024858_rule
All caching name servers must be authoritative for the root zone because, without this starting point, they would have no knowledge of the DNS infrastructure and thus would be unable to respond to any queries. The security risk is that an adversary could change the root hints and direct the caching name server to a bogus root server. At that point, every query response from that name server is suspect, which would give the adversary substantial control over the network communication of the name servers' clients. When authoritative servers are sent queries for zones that they are not authoritative for, and they are configured as a noncaching server (as recommended), they can either be configured to return a referral to the root servers or they can be configured to refuse to answer the query. The recommendation is to configure authoritative servers to refuse to answer queries for any zones for which they are not authoritative. This is more efficient for the server and allows it to spend more of its resources doing what its intended purpose is, answering authoritatively for its zone.
Checks: C-69907r1023207_chk

This is only applicable if DNS recursion is being performed by the BIG-IP AND a custom root hint list must be defined. From the BIG-IP GUI: 1. DNS. 2. Zones. 3. ZoneRunner. 4. Zone List. 5. Verify there is no Zone Name called ".". 6. If a "." Zone Name exists, log in to the BIG-IP CLI and run the following commands: cat /var/named/config/namedb/db.external.named.root. 7. Verify valid root name servers are configured. If the BIG-IP appliance is not configured to use valid root name servers in the local root zone file, this is a finding.

Fix: F-69810r1024857_fix

This is only applicable if DNS recursion is being performed by the BIG-IP AND a custom root hint list must be defined. Enable recursion for named: From the BIG-IP GUI: 1. DNS. 2. Zones. 3. ZoneRunner. 4. Named Configuration. 5. Change the recursion option to "recursion yes;". 6. Click "Update". Create a hint zone using ZoneRunner: From the BIG-IP GUI: 1. DNS. 2. Zones. 3. ZoneRunner. 4. Zone List. 5. Create. 6. For the View Name option, select the view for which the hint zone will apply. 7. For the Zone Name, enter a period character "." (without quotes). 8. For the Zone Type, select "Hint". 9. Change the Zone File Name to "db.external.named.root." (without quotes). 10. Click "Finished". Edit the hint zone file: From the BIG-IP CLI: 1. Edit the root hint file: vi /var/named/config/namedb/db.external.named.root. 2. Paste the list of valid root name servers. Note: A copy of the latest root server list can be found at the following location: http://www.internic.net/zones/named.cache. 3. Save the file. 4. Update the time stamp on: /var/named/config/named.conf touch /var/named/config/named.conf 5. Restart named: tmsh restart /sys service named 6. Restart zrd: tmsh restart /sys service zrd Note: The hint zone does not display any information when viewed in the ZoneRunner Configuration utility. The information is used by named for the purpose of querying and receiving the most up-to-date list of root servers. It cannot be updated or modified using the ZoneRunner utility.

b
The platform on which the name server software is hosted must be configured to respond to DNS traffic only.
CM-6 - Medium - CCI-000366 - V-265985 - SV-265985r1024493_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
F5BI-DN-300016
Vuln IDs
  • V-265985
Rule IDs
  • SV-265985r1024493_rule
Hosts that run the name server software must not provide any other services and therefore must be configured to respond to DNS traffic only. In other words, the only allowed incoming ports/protocols to these hosts must be 53/udp and 53/tcp. Outgoing DNS messages must be sent from a random port to minimize the risk of an attacker's guessing the outgoing message port and sending forged replies. BIG-IP is often used to proxy DNS along with other services. The requirement speaks to the "name server software", but if we are proxying for the name server then we do not need to limit listeners to DNS only.
Checks: C-69908r1023210_chk

If the BIG-IP does not have the role of authoritative DNS server, this is not applicable. From the BIG-IP GUI: 1. Local Traffic. 2. Virtual Servers. 3. Verify the list of virtual servers are not configured to listen for non-DNS services. If the BIG-IP appliance is configured to respond traffic other than DNS, this is a finding.

Fix: F-69811r1023211_fix

From the BIG-IP GUI: 1. Local Traffic. 2. Virtual Servers. 3. For any virtual servers listening that are not associated with DNS, check the box next to the virtual server and click "Delete". 4. Click "Delete" again.

c
The digital signature algorithm used for DNSSEC-enabled zones must be set to use RSA/SHA256 or RSA/SHA512.
CM-6 - High - CCI-000366 - V-265986 - SV-265986r1024860_rule
RMF Control
CM-6
Severity
High
CCI
CCI-000366
Version
F5BI-DN-300017
Vuln IDs
  • V-265986
Rule IDs
  • SV-265986r1024860_rule
The choice of digital signature algorithm will be based on recommended algorithms in well-known standards. NIST's Digital Signature Standard (DSS) (FIPS186) provides three algorithm choices: - Digital Signature Algorithm (DSA); - RSA; - Elliptic Curve DSA (ECDSA). Of these three algorithms, RSA and DSA are more widely available, and hence are considered candidates of choice for DNSSEC. In terms of performance, both RSA and DSA have comparable signature generation speeds, but DSA is much slower for signature verification. Hence, RSA is the recommended algorithm as far as this guideline is concerned. RSA with SHA-1 is currently the only cryptographic algorithm mandated to be implemented with DNSSEC, although other algorithm suites (e.g., RSA/SHA-256, ECDSA) are also specified. It can be expected that name servers and clients will be able to use the RSA algorithm at the minimum. It is suggested that at least one ZSK for a zone use the RSA algorithm. SHA-256, SHA-384, and SHA-512 are approved hash algorithms to be used as part of the algorithm suite for generating digital signatures. It is expected that there will be support for Elliptic Curve Cryptography in the DNSSEC.
Checks: C-69909r1024859_chk

Verify automatically managed zone-signing keys for BIG-IP DNS to use in the DNSSEC authentication process have been configured. On the Main tab, click "DNS Delivery Keys DNSSEC Key List". The DNSSEC Key List screen opens. If the Digital signature algorithm used for DNSSEC-enabled zones is not set to use RSA/SHA256 or RSASHA512, this is a finding.

Fix: F-69812r1023214_fix

Create automatically managed zone-signing keys for BIG-IP DNS to use in the DNSSEC authentication process. 1. On the Main tab, click "DNS Delivery Keys DNSSEC Key List". The DNSSEC Key List screen opens. 2. Click "Create". The New DNSSEC Key screen opens. 3. In the "Name" field, type a name for the key. Zone names are limited to 63 characters. 4. From the "Type" list, select "Zone Signing Key". 5. From the "State" list, select "Enabled". 6. From the "Hardware Security Module" list, select "None". 7. From the "Algorithm" list, select the digest algorithm the system uses to generate the key signature. Select RSA/SHA256 or RSA/SHA512. 8. From the "Key Management" list, select "Automatic". The Key Settings area displays fields for key configuration. 9. In the "Bit Width" field, type "1024". 10. In the "TTL" field, accept the default value of 86400 (the number of seconds in one day.) This value specifies how long a client resolver can cache the key. This value must be less than the difference between the values of the rollover and expiration periods of the key; otherwise, a client can make a query and the system can send a valid key that the client cannot recognize. 11. For the "Rollover Period" setting, in the "Days" field, type "21". 12. For the "Expiration Period" setting, in the "Days" field, type "30". Zero seconds indicates not set, and thus the key does not expire. 13. For the "Signature Validity Period" setting, accept the default value of seven days. This value must be greater than the value of the signature publication period. Zero seconds indicates not set, and thus the server verifying the signature never succeeds, because the signature is always expired. 14. For the "Signature Publication Period" setting, accept the default value of four days and 16 hours. This value must be less than the value of the signature validity period. Zero seconds indicates not set, and thus the signature is not cached. 15. Click "Finished". To create a standby key for emergency rollover purposes, repeat these steps using a similar name, and select "Disabled" from the State list.

b
The F5 BIG-IP DNS server implementation must validate the binding of the other DNS server's identity to the DNS information for a server-to-server transaction (e.g., zone transfer).
CM-6 - Medium - CCI-000366 - V-265987 - SV-265987r1024862_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
F5BI-DN-300020
Vuln IDs
  • V-265987
Rule IDs
  • SV-265987r1024862_rule
Validation of the binding of the information prevents the modification of information between production and review. The validation of bindings can be achieved, for example, by the use of cryptographic checksums. Validations must be performed automatically. DNSSEC and TSIG/SIG(0) technologies are not effective unless the digital signatures they generate are validated to ensure that the information has not been tampered with and that the producer's identity is legitimate.
Checks: C-69910r1023216_chk

From the BIG-IP GUI: 1. DNS. 2. Delivery. 3. Nameservers. 4. Click the Name of the Nameserver. 5. Verify that a value is selected for "TSIG Key". If the BIG-IP appliance is not configured to validate the binding of the other DNS server's identity to the DNS information for a server-to-server transaction (e.g., zone transfer), this is a finding.

Fix: F-69813r1024861_fix

From the BIG-IP GUI: 1. DNS. 2. Delivery. 3. Nameservers. 4. Click the Name of the Nameserver. 5. Select a value from the "TSIG Key" drop-down menu. Note: To create a TSIG Key, go to DNS >> Delivery >> Keys >> TSIG Key List. 6. Click "Finished".

b
A BIG-IP DNS server implementation must provide additional data origin artifacts along with the authoritative data the system returns in response to external name/address resolution queries.
SC-20 - Medium - CCI-001178 - V-265988 - SV-265988r1024496_rule
RMF Control
SC-20
Severity
Medium
CCI
CCI-001178
Version
F5BI-DN-300028
Vuln IDs
  • V-265988
Rule IDs
  • SV-265988r1024496_rule
The underlying feature in the major threat associated with DNS query/response (e.g., forged response or response failure) is the integrity of DNS data returned in the response. The security objective is to verify the integrity of each response received. An integral part of integrity verification is to ensure that valid data has originated from the right source. Establishing trust in the source is called data origin authentication. The security objectives—and consequently the security services—that are required for securing the DNS query/response transaction are data origin authentication and data integrity verification. The specification for a digital signature mechanism in the context of the DNS infrastructure is in IETF’s DNSSEC standard. In DNSSEC, trust in the public key (for signature verification) of the source is established not by going to a third party or a chain of third parties (as in public key infrastructure [PKI] chaining), but by starting from a trusted zone (such as the root zone) and establishing the chain of trust down to the current source of response through successive verifications of signature of the public key of a child by its parent. The public key of the trusted zone is called the trust anchor.
Checks: C-69911r1023219_chk

From the BIG-IP Console, type the following commands: Note: Assuming you are checking a DNSSEC Zone, from the command line of a management computer, run: dig +dnssec @<DNS Server IP> <DNSSEC zonename> #verify the existence of an RRSET for each zone, which will include, at a minimum, an RRType RRSIG (Resource Record Signature) as well as an RRType DNSKEY and RRType NSEC (Next Secure). DNS Profile: From the BIG-IP GUI: 1. DNS. 2. Delivery. 3. Profiles. 4. DNS. 5. Click the name of the DNS profile being used by the listener. 6. Under DNS Features verify "DNSSEC" is set to "Enabled". If the BIG-IP DNS appliance is not configured to provide additional data origin artifacts along with the authoritative data the system returns in response to external name/address resolution queries, this is a finding.

Fix: F-69814r1023220_fix

DNSSEC Keys: From the BIG-IP GUI: 1. DNS. 2. Zones. 3. DNSSEC Zones. 4. DNSSEC Zone List. 5. Click the name of the zone. 6. Move a key for both "Zone Signing Key" and "Key Signing Key" into the "Active" column. 7. Click "Update". Note: To create a Zone Signing Key and/or Key Signing Key go to DNS >> Delivery >> Keys >> DNSSEC Key List. DNS Profile: 1. DNS. 2. Delivery. 3. Profiles. 4. DNS. 5. Click the name of the DNS profile being used by the listener. 6. Under DNS Features set "DNSSEC" to "Enabled". Note: If the setting is grayed out click the box to the right of the setting and then change it. 7. Click "Update".

b
The validity period for the RRSIGs covering the DS RR for a zones delegated children must be no less than two days and no more than one week.
SC-20 - Medium - CCI-001179 - V-265989 - SV-265989r1024498_rule
RMF Control
SC-20
Severity
Medium
CCI
CCI-001179
Version
F5BI-DN-300030
Vuln IDs
  • V-265989
Rule IDs
  • SV-265989r1024498_rule
The best way for a zone administrator to minimize the impact of a key compromise is by limiting the validity period of RRSIGs in the zone and in the parent zone. This strategy limits the time during which an attacker can take advantage of a compromised key to forge responses. An attacker that has compromised a ZSK can use that key only during the KSK's signature validity interval. An attacker that has compromised a KSK can use that key for only as long as the signature interval of the RRSIG covering the DS RR in the delegating parent. These validity periods must be short, which will require frequent resigning. To prevent the impact of a compromised KSK, a delegating parent must set the signature validity period for RRSIGs covering DS RRs in the range of a few days to one week. This resigning does not require frequent rollover of the parent's ZSK, but scheduled ZSK rollover must still be performed at regular intervals.
Checks: C-69912r1023222_chk

KSK validity period From the BIG-IP GUI: 1. DNS. 2. Delivery. 3. Keys. 4. DNSSEC Key List. 5. Click the Name of the KSK. 6. Verify the "Signature Validity Period" is between two and seven days. ZSK validity period From the BIG-IP GUI: 1. DNS. 2. Delivery. 3. Keys. 4. DNSSEC Key List. 5. Click the name of the ZSK. 6. Verify the "Signature Validity Period" is between two and seven days. If the BIG-IP appliance is not configured with a validity period for the RRSIGs covering a zones DNSKEY RRSet of no less than two days and no more than one week, this is a finding.

Fix: F-69815r1024497_fix

KSK validity period From the BIG-IP GUI: 1. DNS. 2. Delivery. 3. Keys. 4. DNSSEC Key List. 5. Click the Name of the KSK. 6. Configure the "Signature Validity Period" to two and seven days. 7. Click "Update". ZSK validity period From the BIG-IP GUI: 1. DNS. 2. Delivery. 3. Keys. 4. DNSSEC Key List. 5. Click the Name of the ZSK. 6. Configure the "Signature Validity Period" to two and seven days. 7. Click "Update".

c
The F5 BIG-IP DNS implementation must protect the authenticity of communications sessions for zone transfers.
SC-23 - High - CCI-001184 - V-265990 - SV-265990r1024864_rule
RMF Control
SC-23
Severity
High
CCI
CCI-001184
Version
F5BI-DN-300036
Vuln IDs
  • V-265990
Rule IDs
  • SV-265990r1024864_rule
DNS is a fundamental network service that is prone to various attacks, such as cache poisoning and man-in-the middle attacks. If communication sessions are not provided appropriate validity protections, such as the employment of DNSSEC, the authenticity of the data cannot be guaranteed.
Checks: C-69913r1024499_chk

If the BIG-IP is transferring zones from another non-BIG-IP DNS server perform the following. From the BIG-IP GUI: 1. DNS. 2. Zones. 3. Click on the Zone Name. 4. Under the TSIG section verify a "Server Key" is selected. From the BIG-IP Console, type the following commands: tmsh list ltm dns zone <name> server-tsig-key Note: Must return a value other than "none". If the BIG-IP appliance is not configured to protect the authenticity of communications sessions for zone transfers, this is a finding.

Fix: F-69816r1024863_fix

From the BIG-IP GUI: 1. DNS. 2. Zones. 3. Click on the Zone Name. 4. Under the TSIG section, select a "Server Key" from the drop-down menu. 5. Click "Update". From the BIG-IP Console, type the following commands: tmsh modify ltm dns zone <zone name> server-tsig-key <TSIG key name> tmsh save sys config

b
The F5 BIG-IP DNS server implementation must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial-of-service (DoS) attacks.
SC-5 - Medium - CCI-001095 - V-265991 - SV-265991r1024501_rule
RMF Control
SC-5
Severity
Medium
CCI
CCI-001095
Version
F5BI-DN-300039
Vuln IDs
  • V-265991
Rule IDs
  • SV-265991r1024501_rule
DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. In the case of application DoS attacks, care must be taken when designing the application to ensure the application makes the best use of system resources. SQL queries have the potential to consume large amounts of CPU cycles if they are not tuned for optimal performance. Web services containing complex calculations requiring large amounts of time to complete can bog down if too many requests for the service are encountered within a short period of time. A DoS attack against the DNS infrastructure has the potential to cause a DoS to all network users. As the DNS is a distributed backbone service of the internet, various forms of amplification attacks resulting in DoS, while using the DNS, are still prevalent on the internet today. Some potential DoS flooding attacks against the DNS include malformed packet flood, spoofed source addresses, and distributed DoS. Without the DNS, users and systems would not have the ability to perform simple name-to-IP resolution. Configuring the DNS implementation to defend against cache poisoning, employing increased capacity and bandwidth, building redundancy into the DNS architecture, using DNSSEC, limiting and securing recursive services, DNS black holes, etc., may reduce the susceptibility to some flooding types of DoS attacks. Satisfies: SRG-APP-000247-DNS-000036, SRG-APP-000246-DNS-000035
Checks: C-69914r1023228_chk

From the BIG-IP GUI: 1. Security. 2. DoS Protection. 3. Device Protection. 4. Expand DNS and verify the "State" is set to "Mitigate" for all signatures. If the BIG-IP appliance is not configured to restrict the ability of individuals to use the DNS server to launch DoS attacks against other information systems, this is a finding.

Fix: F-69817r1023229_fix

This requires the AFM license or can be implemented using another firewall's ACL. From the BIG-IP GUI: 1. Security. 2. DoS Protection. 3. Device Protection. 4. Expand DNS and do the following for each: a. Check the box at the top of the list of signatures to select all. b. Set "Set State" to "Mitigate". c. Click "Commit Changes to System". Note: Sites must operationally test, adjust thresholds, or initially use learning mode prior to turning on mitigation to prevent operational impacts, particularly in implementations with large traffic volumes.