If the BIG-IP does not have the role of authoritative DNS server, this is not applicable.
From the BIG-IP GUI:
1. DNS.
2. Delivery.
3. Profiles.
4. DNS.
5. Click the name of the profile used for the authoritative listener.
6. Verify the following settings:
a. Use BIND Server on BIG-IP: Disabled
b. DNS Cache: Disabled
If the BIG-IP appliance is not configured to prohibit recursion on authoritative name servers, this is a finding.
If the BIG-IP has the role of authoritative DNS server, configure it as follows.
From the BIG-IP GUI:
1. DNS.
2. Delivery.
3. Profiles.
4. DNS.
5. Click the name of the profile used for the authoritative listener.
6. Configure the following settings:
a. Use BIND Server on BIG-IP: Disabled
b. DNS Cache: Disabled
7. Click "Update".
KSK validity period. From the BIG-IP GUI:
1. DNS.
2. Delivery.
3. Keys.
4. DNSSEC Key List.
5. Click the Name of the KSK.
6. Verify the "Signature Validity Period" is between two and seven days.
ZSK validity period. From the BIG-IP GUI:
1. DNS.
2. Delivery.
3. Keys.
4. DNSSEC Key List.
5. Click the Name of the ZSK.
6. Verify the "Signature Validity Period" is between two and seven days.
If the BIG-IP appliance is not configured with a validity period for the RRSIGs covering a zone's DNSKEY RRset of no less than two days and no more than one week, this is a finding.
KSK validity period. From the BIG-IP GUI:
1. DNS.
2. Delivery.
3. Keys.
4. DNSSEC Key List.
5. Click the Name of the KSK.
6. Configure the "Signature Validity Period" to between two and seven days.
7. Click "Update".
ZSK validity period. From the BIG-IP GUI:
1. DNS.
2. Delivery.
3. Keys.
4. DNSSEC Key List.
5. Click the Name of the ZSK.
6. Configure the "Signature Validity Period" to between two and seven days.
7. Click "Update".
DNSSEC Keys. From the BIG-IP GUI:
1. DNS.
2. Zones.
3. DNSSEC Zones.
4. DNSSEC Zone List.
5. Click the name of the zone.
6. Verify a key is selected for both "Zone Signing Key" and "Key Signing Key".
TSIG Key. From the BIG-IP GUI:
1. DNS.
2. Delivery.
3. Nameservers.
4. Nameserver List.
5. Click the name of the Nameserver.
6. Verify a value is selected for "TSIG Key".
If the BIG-IP DNS implementation is not configured to enable DNSSEC Resource Records, this is a finding.
DNSSEC Keys. From the BIG-IP GUI:
1. DNS.
2. Zones.
3. DNSSEC Zones.
4. DNSSEC Zone List.
5. Click the name of the zone.
6. Move a key for both "Zone Signing Key" and "Key Signing Key" into the "Active" column.
7. Click "Update".
Note: To create a Zone Signing Key and/or Key Signing Key, go to DNS >> Delivery >> Keys >> DNSSEC Key List.
TSIG Key. From the BIG-IP GUI:
1. DNS.
2. Delivery.
3. Nameservers.
4. Nameserver List.
5. Click the name of the Nameserver.
6. Select a value from the drop-down for "TSIG Key".
7. Click "Update".
Note: To create a TSIG Key, go to DNS >> Delivery >> Keys >> TSIG Key List.
If the BIG-IP serves zone transfers to another non-BIG-IP DNS server (i.e., other name servers pull zones from the BIG-IP), perform the following.
From the BIG-IP GUI:
1. DNS.
2. Zones.
3. Zone List.
4. Click the name of the Zone.
5. Verify the "Active" column under "Zone Transfer Clients" lists only the nameservers that are allowed to request zone transfers.
If the BIG-IP appliance is not configured to limit the secondary name servers from which an authoritative name server accepts zone transfer requests, this is a finding.
From the BIG-IP GUI:
1. DNS.
2. Zones.
3. Zone List.
4. Click the Name of the Zone.
5. Under "Zone Transfer Clients", move only the Nameservers that are allowed to request zone transfers into the "Active" column.
6. Click "Update".
This is only applicable if DNS recursion is being performed by the BIG-IP AND a custom root hint list must be defined.
From the BIG-IP GUI:
1. DNS.
2. Zones.
3. ZoneRunner.
4. Zone List.
5. Check whether a Zone Name called "." (the hint zone) exists.
6. If a "." Zone Name exists, log in to the BIG-IP CLI and view the hint zone file: cat /var/named/config/namedb/db.external.named.root.
7. Verify valid root name servers are configured, comparing the entries against the current root server list published by InterNIC.
If the BIG-IP appliance is not configured to use valid root name servers in the local root zone file, this is a finding.
This is only applicable if DNS recursion is being performed by the BIG-IP AND a custom root hint list must be defined.
Enable recursion for named. From the BIG-IP GUI:
1. DNS.
2. Zones.
3. ZoneRunner.
4. Named Configuration.
5. Change the recursion option to "recursion yes;".
6. Click "Update".
Create a hint zone using ZoneRunner. From the BIG-IP GUI:
1. DNS.
2. Zones.
3. ZoneRunner.
4. Zone List.
5. Create.
6. For the View Name option, select the view for which the hint zone will apply.
7. For the Zone Name, enter a period character "." (without quotes).
8. For the Zone Type, select "Hint".
9. Change the Zone File Name to "db.external.named.root." (without quotes).
10. Click "Finished".
Edit the hint zone file. From the BIG-IP CLI:
1. Edit the root hint file: vi /var/named/config/namedb/db.external.named.root.
2. Paste the list of valid root name servers. Note: A copy of the latest root server list can be found at http://www.internic.net/zones/named.cache.
3. Save the file.
4. Update the time stamp on /var/named/config/named.conf: touch /var/named/config/named.conf
5. Restart named: tmsh restart /sys service named
6. Restart zrd: tmsh restart /sys service zrd
Note: The hint zone does not display any information when viewed in the ZoneRunner Configuration utility. The information is used by named for the purpose of querying and receiving the most up-to-date list of root servers. It cannot be updated or modified using the ZoneRunner utility.
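The check above asks the reviewer to confirm that the pasted hint file names valid root servers. The script below is an added example, not part of the STIG or of F5's tooling: it parses a file in the format of InterNIC's named.cache and reports NS entries that are not one of a.root-servers.net through m.root-servers.net, entries with no A/AAAA glue, and an incomplete set. The sample text inside it is constructed (three of the thirteen entries, placeholder addresses from the 192.0.2.0/24 and 2001:db8::/32 documentation ranges); run it against /var/named/config/namedb/db.external.named.root on the BIG-IP or against a freshly downloaded named.cache.

```python
"""Sanity-check a BIND root hint file such as the one pasted into db.external.named.root.

Added example; it is not the STIG's or F5's own tooling. CONSTRUCTED_HINTS is a
made-up fragment in the format of InterNIC's named.cache: the addresses come
from the 192.0.2.0/24 and 2001:db8::/32 documentation ranges, not the live list.
"""
import re
import sys

# The root zone is served by a.root-servers.net through m.root-servers.net.
ROOT_SERVER_NAME = re.compile(r"^[a-m]\.root-servers\.net\.$", re.IGNORECASE)
EXPECTED_ROOT_SERVERS = 13

CONSTRUCTED_HINTS = """\
; constructed sample: three of the thirteen entries, the last one without glue
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     192.0.2.1
A.ROOT-SERVERS.NET.      3600000      AAAA  2001:db8::1
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000  IN  A     192.0.2.2
.                        3600000      NS    C.ROOT-SERVERS.NET.
"""


def parse_hints(text):
    """Return (owner, rtype, rdata) tuples; comments and the optional IN class are dropped."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        # Master-file format: owner TTL [class] type rdata; drop a class token if present.
        if len(fields) > 2 and fields[2].upper() == "IN":
            del fields[2]
        if len(fields) < 4:
            continue
        owner, rtype, rdata = fields[0].lower(), fields[2].upper(), " ".join(fields[3:]).lower()
        records.append((owner, rtype, rdata))
    return records


def check_root_hints(text):
    """Report NS targets that are not root servers, lack glue, or leave the set incomplete."""
    records = parse_hints(text)
    ns_targets = [rdata for owner, rtype, rdata in records if owner == "." and rtype == "NS"]
    glue = {owner for owner, rtype, _ in records if rtype in ("A", "AAAA")}
    unique_targets = sorted(set(ns_targets))
    non_root = [t for t in unique_targets if not ROOT_SERVER_NAME.match(t)]
    missing_glue = [t for t in unique_targets if t not in glue]
    return {
        "ns_count": len(unique_targets),
        "non_root_targets": non_root,
        "missing_glue": missing_glue,
        "complete": len(unique_targets) == EXPECTED_ROOT_SERVERS and not non_root and not missing_glue,
    }


if __name__ == "__main__":
    # Usage: python3 check_root_hints.py /var/named/config/namedb/db.external.named.root
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else CONSTRUCTED_HINTS
    print(check_root_hints(text))
```

The structural check catches a stale or tampered file (a non-root NS target, or a server with no glue that a resolver cannot bootstrap from) but does not prove the addresses are current; for that, compare the output against the named.cache downloaded from InterNIC at the time of the review.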
If the BIG-IP does not have the role of authoritative DNS server, this is not applicable.
From the BIG-IP GUI:
1. Local Traffic.
2. Virtual Servers.
3. Verify that no virtual server in the list is configured to listen for non-DNS services.
If the BIG-IP appliance is configured to respond to traffic other than DNS, this is a finding.
From the BIG-IP GUI:
1. Local Traffic.
2. Virtual Servers.
3. For any listening virtual server that is not associated with DNS, check the box next to the virtual server and click "Delete".
4. Click "Delete" again to confirm.
Verify that the automatically managed zone-signing keys BIG-IP DNS uses in the DNSSEC authentication process have been configured with an approved algorithm.
From the BIG-IP GUI:
1. DNS.
2. Delivery.
3. Keys.
4. DNSSEC Key List. The DNSSEC Key List screen opens.
5. Review the Algorithm of each listed key.
If the digital signature algorithm used for DNSSEC-enabled zones is not set to RSA/SHA256 or RSA/SHA512, this is a finding.
Create automatically managed zone-signing keys for BIG-IP DNS to use in the DNSSEC authentication process.
1. On the Main tab, go to DNS >> Delivery >> Keys >> DNSSEC Key List. The DNSSEC Key List screen opens.
2. Click "Create". The New DNSSEC Key screen opens.
3. In the "Name" field, type a name for the key. Zone names are limited to 63 characters.
4. From the "Type" list, select "Zone Signing Key".
5. From the "State" list, select "Enabled".
6. From the "Hardware Security Module" list, select "None".
7. From the "Algorithm" list, select the signature algorithm the system uses to sign the zone's records. Select RSA/SHA256 or RSA/SHA512.
8. From the "Key Management" list, select "Automatic". The Key Settings area displays fields for key configuration.
9. In the "Bit Width" field, type "1024". (This is the value given for a ZSK; the requirement being satisfied is the signature algorithm, so a site whose key-length policy calls for a larger RSA modulus should enter that value instead.)
10. In the "TTL" field, accept the default value of 86400 (the number of seconds in one day). This value specifies how long a client resolver can cache the key. It must be less than the difference between the rollover and expiration periods of the key; otherwise a client can make a query and the system can send a valid key that the client cannot recognize.
11. For the "Rollover Period" setting, in the "Days" field, type "21".
12. For the "Expiration Period" setting, in the "Days" field, type "30". Zero seconds indicates not set, and thus the key does not expire.
13. For the "Signature Validity Period" setting, accept the default value of seven days. This value must be greater than the value of the signature publication period. Zero seconds indicates not set, and thus a server verifying the signature never succeeds, because the signature is always expired.
14. For the "Signature Publication Period" setting, accept the default value of four days and 16 hours. This value must be less than the value of the signature validity period. Zero seconds indicates not set, and thus the signature is not cached.
15. Click "Finished".
To create a standby key for emergency rollover purposes, repeat these steps using a similar name, and select "Disabled" from the State list.
From the BIG-IP GUI:
1. DNS.
2. Delivery.
3. Nameservers.
4. Click the Name of the Nameserver.
5. Verify that a value is selected for "TSIG Key".
If the BIG-IP appliance is not configured to validate the binding of the other DNS server's identity to the DNS information for a server-to-server transaction (e.g., zone transfer), this is a finding.
From the BIG-IP GUI:
1. DNS.
2. Delivery.
3. Nameservers.
4. Click the Name of the Nameserver.
5. Select a value from the "TSIG Key" drop-down menu. Note: To create a TSIG Key, go to DNS >> Delivery >> Keys >> TSIG Key List.
6. Click "Finished".
From the command line of a management computer, query a DNSSEC-signed zone hosted by the BIG-IP:
dig +dnssec @<DNS Server IP> <DNSSEC zonename>
Verify that the response includes an RRset for the zone accompanied by, at a minimum, an RRType RRSIG (Resource Record Signature). Adding DNSKEY as the query type shows the zone's RRType DNSKEY RRset and the RRSIG covering it; RRType NSEC (Next Secure) records are returned in signed negative responses, for example when querying a name that does not exist in the zone.
DNS Profile. From the BIG-IP GUI:
1. DNS.
2. Delivery.
3. Profiles.
4. DNS.
5. Click the name of the DNS profile being used by the listener.
6. Under DNS Features, verify "DNSSEC" is set to "Enabled".
If the BIG-IP DNS appliance is not configured to provide additional data origin artifacts along with the authoritative data the system returns in response to external name/address resolution queries, this is a finding.
DNSSEC Keys. From the BIG-IP GUI:
1. DNS.
2. Zones.
3. DNSSEC Zones.
4. DNSSEC Zone List.
5. Click the name of the zone.
6. Move a key for both "Zone Signing Key" and "Key Signing Key" into the "Active" column.
7. Click "Update".
Note: To create a Zone Signing Key and/or Key Signing Key, go to DNS >> Delivery >> Keys >> DNSSEC Key List.
DNS Profile. From the BIG-IP GUI:
1. DNS.
2. Delivery.
3. Profiles.
4. DNS.
5. Click the name of the DNS profile being used by the listener.
6. Under DNS Features, set "DNSSEC" to "Enabled". Note: If the setting is grayed out, click the box to the right of the setting and then change it.
7. Click "Update".
KSK validity period. From the BIG-IP GUI:
1. DNS.
2. Delivery.
3. Keys.
4. DNSSEC Key List.
5. Click the Name of the KSK.
6. Verify the "Signature Validity Period" is between two and seven days.
ZSK validity period. From the BIG-IP GUI:
1. DNS.
2. Delivery.
3. Keys.
4. DNSSEC Key List.
5. Click the Name of the ZSK.
6. Verify the "Signature Validity Period" is between two and seven days.
If the BIG-IP appliance is not configured with a validity period for the RRSIGs covering a zone's DNSKEY RRset of no less than two days and no more than one week, this is a finding.
KSK validity period. From the BIG-IP GUI:
1. DNS.
2. Delivery.
3. Keys.
4. DNSSEC Key List.
5. Click the Name of the KSK.
6. Configure the "Signature Validity Period" to between two and seven days.
7. Click "Update".
ZSK validity period. From the BIG-IP GUI:
1. DNS.
2. Delivery.
3. Keys.
4. DNSSEC Key List.
5. Click the Name of the ZSK.
6. Configure the "Signature Validity Period" to between two and seven days.
7. Click "Update".
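The GUI checks above (key algorithm, RRSIG presence via dig, and the two-to-seven-day validity period) can all be confirmed from the wire by reading the signed DNSKEY answer the listener actually returns. The script below is an added example, not the STIG's or F5's own code: it parses the answer section of dig +dnssec <zone> DNSKEY, confirms a KSK (flags 257) and a ZSK (flags 256) are present, that every key uses algorithm 8 (RSA/SHA256) or 10 (RSA/SHA512), that the RRset carries an RRSIG, and that each RRSIG's expiration minus inception falls within two to seven days. The embedded dig output is constructed for a fictitious zone; key tags, key material and signature bytes are placeholders. NSEC/NSEC3 records are not checked here because they only appear in negative answers.

```python
"""Audit a dig +dnssec DNSKEY answer for the properties the STIG checks.

Added example; it is not the STIG's or F5's own code. CONSTRUCTED_DIG_OUTPUT is a
made-up dig answer for a fictitious zone: the key tags, key material and
signature bytes are placeholders, not real DNSSEC material.
"""
import sys
from datetime import datetime, timedelta

# IANA DNSSEC algorithm numbers for the two algorithms the STIG accepts.
ACCEPTED_ALGORITHMS = {8: "RSA/SHA256", 10: "RSA/SHA512"}
# RRSIG validity window the STIG requires for the DNSKEY RRset.
MIN_VALIDITY = timedelta(days=2)
MAX_VALIDITY = timedelta(days=7)

CONSTRUCTED_DIG_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr aa rd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
example.mil.  3600 IN DNSKEY 257 3 8 AwEAAa==
example.mil.  3600 IN DNSKEY 256 3 8 AwEAAb==
example.mil.  3600 IN RRSIG DNSKEY 8 2 3600 20240308120000 20240303120000 20326 example.mil. c2ln
example.mil.  3600 IN RRSIG DNSKEY 8 2 3600 20240308120000 20240303120000 12345 example.mil. c2ln
"""


def parse_answer(text):
    """Return (owner, rtype, rdata_fields) per record line; dig's ';;' commentary is skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split()
        # Presentation format: owner TTL class type rdata...
        if len(fields) < 5 or fields[2].upper() != "IN":
            continue
        records.append((fields[0].lower(), fields[3].upper(), fields[4:]))
    return records


def audit_dnskey_answer(text):
    """Check KSK/ZSK presence, algorithm, and RRSIG validity window for a DNSKEY answer."""
    records = parse_answer(text)
    # DNSKEY rdata: flags protocol algorithm public-key
    dnskeys = [rd for _, rtype, rd in records if rtype == "DNSKEY"]
    # RRSIG rdata: type-covered alg labels orig-ttl expiration inception keytag signer signature
    rrsigs = [rd for _, rtype, rd in records if rtype == "RRSIG" and rd[0].upper() == "DNSKEY"]

    findings = []
    flags = {int(rd[0]) for rd in dnskeys}
    if 257 not in flags:
        findings.append("no KSK (DNSKEY flags 257) in the DNSKEY RRset")
    if 256 not in flags:
        findings.append("no ZSK (DNSKEY flags 256) in the DNSKEY RRset")
    for rd in dnskeys:
        algorithm = int(rd[2])
        if algorithm not in ACCEPTED_ALGORITHMS:
            findings.append(f"DNSKEY algorithm {algorithm} is not RSA/SHA256 (8) or RSA/SHA512 (10)")
    if not rrsigs:
        findings.append("DNSKEY RRset carries no RRSIG")

    validity_days = []
    for rd in rrsigs:
        expiration = datetime.strptime(rd[4], "%Y%m%d%H%M%S")
        inception = datetime.strptime(rd[5], "%Y%m%d%H%M%S")
        window = expiration - inception
        validity_days.append(window.days)
        if not MIN_VALIDITY <= window <= MAX_VALIDITY:
            findings.append(f"RRSIG (key tag {rd[6]}) validity of {window.days} days is outside 2..7 days")

    return {
        "ksk_present": 257 in flags,
        "zsk_present": 256 in flags,
        "validity_days": validity_days,
        "findings": findings,
    }


if __name__ == "__main__":
    # Usage: dig +dnssec @<DNS Server IP> <zone> DNSKEY | python3 audit_dnskey.py
    text = sys.stdin.read() if not sys.stdin.isatty() else CONSTRUCTED_DIG_OUTPUT
    for finding in audit_dnskey_answer(text)["findings"] or ["no findings"]:
        print(finding)
```

Because the validity window is measured from the RRSIGs the server is currently serving, this also catches the case where the GUI value was changed but the zone has not yet been re-signed.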
If the BIG-IP is transferring zones from another non-BIG-IP DNS server, perform the following.
From the BIG-IP GUI:
1. DNS.
2. Zones.
3. Click the Zone Name.
4. Under the TSIG section, verify a "Server Key" is selected.
From the BIG-IP Console, run:
tmsh list ltm dns zone <name> server-tsig-key
Note: This must return a value other than "none".
If the BIG-IP appliance is not configured to protect the authenticity of communications sessions for zone transfers, this is a finding.
From the BIG-IP GUI:
1. DNS.
2. Zones.
3. Click the Zone Name.
4. Under the TSIG section, select a "Server Key" from the drop-down menu.
5. Click "Update".
Or, from the BIG-IP Console, run:
tmsh modify ltm dns zone <zone name> server-tsig-key <TSIG key name>
tmsh save sys config
From the BIG-IP GUI:
1. Security.
2. DoS Protection.
3. Device Protection.
4. Expand DNS and verify the "State" is set to "Mitigate" for all signatures.
If the BIG-IP appliance is not configured to restrict the ability of individuals to use the DNS server to launch DoS attacks against other information systems, this is a finding.
This requires the AFM license, or it can be implemented using another firewall's ACL.
From the BIG-IP GUI:
1. Security.
2. DoS Protection.
3. Device Protection.
4. Expand DNS and do the following for each:
a. Check the box at the top of the list of signatures to select all.
b. Set "Set State" to "Mitigate".
c. Click "Commit Changes to System".
Note: Sites must operationally test, adjust thresholds, or initially use learning mode prior to turning on mitigation to prevent operational impacts, particularly in implementations with large traffic volumes.