DISA STIGS Viewer

The platform on which the name server software is hosted must be configured to respond to DNS traffic only.

Overview

Finding ID: V-265985
Version: F5BI-DN-300016
Rule ID: SV-265985r1024493_rule
IA Controls: (none listed)
Severity: Medium
Description
Hosts that run the name server software must not provide any other services and therefore must be configured to respond to DNS traffic only. In other words, the only incoming ports/protocols allowed to these hosts are 53/udp and 53/tcp. Outgoing DNS messages must be sent from a random source port to minimize the risk of an attacker guessing the outgoing port and sending forged replies. BIG-IP is often used to proxy DNS alongside other services. The requirement speaks to the "name server software": if the BIG-IP is only proxying for a name server rather than acting as the authoritative DNS server itself, its listeners do not need to be limited to DNS only.
STIG: F5 BIG-IP TMOS DNS Security Technical Implementation Guide
Date: 2024-09-09

Details

Check Text (C-69908r1023210_chk)
If the BIG-IP does not have the role of authoritative DNS server, this is not applicable.

From the BIG-IP GUI:

1. Local Traffic.
2. Virtual Servers.
3. Verify that no virtual server in the list is configured to listen for non-DNS services.

If the BIG-IP appliance is configured to respond to traffic other than DNS, this is a finding.
Fix Text (F-69811r1023211_fix)
From the BIG-IP GUI:
1. Local Traffic.
2. Virtual Servers.
3. For any virtual servers listening that are not associated with DNS, check the box next to the virtual server and click "Delete".
4. Click "Delete" again.
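The check and fix above are GUI-only. The script below is an added example (not part of the STIG or of F5's own tooling) that performs the same check from the BIG-IP shell against the text produced by `tmsh list ltm virtual`: it reports every virtual server whose destination port is not 53 or whose ip-protocol is not tcp/udp. The configuration text it parses is constructed for illustration, the virtual-server names and addresses are assumptions, and the parser assumes tmsh renders port 53 as the service name `domain` (a numeric 53 is accepted as well) and uses ":" as the port separator for IPv4 and "." for IPv6 destinations.

```shell
#!/bin/sh
# Added audit helper for STIG V-265985 (example code, not F5's or DISA's).
# Parses "tmsh list ltm virtual" output and lists virtual servers that are
# not DNS listeners (port 53 / "domain" on tcp or udp).

# Constructed sample of "tmsh list ltm virtual" output: two DNS listeners
# (one IPv4, one IPv6) and one HTTPS listener that would be a finding.
SAMPLE_CONFIG='ltm virtual /Common/vs_dns_udp {
    destination /Common/10.1.1.10:domain
    ip-protocol udp
    mask 255.255.255.255
    profiles {
        /Common/dns { }
        /Common/udp { }
    }
}
ltm virtual /Common/vs_dns_tcp {
    destination /Common/2001:db8::10.53
    ip-protocol tcp
    mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
    profiles {
        /Common/dns { }
        /Common/tcp { }
    }
}
ltm virtual /Common/vs_web {
    destination /Common/10.1.1.11:https
    ip-protocol tcp
    mask 255.255.255.255
    profiles {
        /Common/http { }
        /Common/tcp { }
    }
}'

# Read tmsh output on stdin; print "name port protocol" for each virtual server.
# Port = text after the last ":" (IPv4 / route-domain form); for IPv6
# destinations such as 2001:db8::10.53 the port follows the last "." of the
# final colon-separated field. ip-protocol defaults to tcp (assumption).
vs_listeners() {
    awk '
        /^ltm virtual / { name = $3; port = ""; proto = "tcp" }
        /^[ \t]*destination / {
            n = split($2, a, ":"); tail = a[n]
            if (index(tail, ".") > 0) { m = split(tail, b, "."); port = b[m] }
            else port = tail
        }
        /^[ \t]*ip-protocol / { proto = $2 }
        /^}/ { print name, port, proto }
    '
}

# Print the names of listeners that are not 53/tcp or 53/udp.
non_dns_vs() {
    vs_listeners | awk '
        !(($2 == "domain" || $2 == "53") && ($3 == "tcp" || $3 == "udp")) { print $1 }
    '
}

# Audit a config text: return 0 if only DNS listeners exist, 1 (finding) otherwise.
check_dns_only() {
    offenders=$(printf '%s\n' "$1" | non_dns_vs)
    if [ -n "$offenders" ]; then
        printf 'FINDING: non-DNS virtual servers:\n%s\n' "$offenders" >&2
        return 1
    fi
    printf 'OK: all virtual servers listen on 53/tcp or 53/udp only\n' >&2
    return 0
}

# Stand-alone run against the constructed sample. On a BIG-IP, pipe the real
# output instead:  tmsh list ltm virtual | non_dns_vs
check_dns_only "$SAMPLE_CONFIG" || echo "audit exit status: $?"
```

On a live device, `tmsh list ltm virtual | non_dns_vs` lists the candidates for removal, and the Fix's delete step corresponds to `tmsh delete ltm virtual <name>` followed by `tmsh save sys config`. The script only inspects destination port and protocol, so a listener on port 53 carrying a non-DNS profile would not be flagged; still review the profiles of each virtual server as the check text requires, and remember that the whole rule is not applicable when the BIG-IP is not the authoritative DNS server.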