The F5 BIG-IP DNS implementation must protect the authenticity of communications sessions for zone transfers.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-265990 | F5BI-DN-300036 | SV-265990r1024864_rule | High |
| Description |
| DNS is a fundamental network service that is prone to various attacks, such as cache poisoning and man-in-the middle attacks. If communication sessions are not provided appropriate validity protections, such as the employment of DNSSEC, the authenticity of the data cannot be guaranteed. |
| STIG | Date |
| F5 BIG-IP TMOS DNS Security Technical Implementation Guide | 2024-09-09 |
Details
| Check Text (C-69913r1024499_chk) |
| If the BIG-IP is transferring zones from another non-BIG-IP DNS server perform the following. From the BIG-IP GUI: 1. DNS. 2. Zones. 3. Click on the Zone Name. 4. Under the TSIG section verify a "Server Key" is selected. From the BIG-IP Console, type the following commands: tmsh list ltm dns zone <name> server-tsig-key Note: Must return a value other than "none". If the BIG-IP appliance is not configured to protect the authenticity of communications sessions for zone transfers, this is a finding. |
| Fix Text (F-69816r1024863_fix) |
| From the BIG-IP GUI: 1. DNS. 2. Zones. 3. Click on the Zone Name. 4. Under the TSIG section, select a "Server Key" from the drop-down menu. 5. Click "Update". From the BIG-IP Console, type the following commands: tmsh modify ltm dns zone <zone name> server-tsig-key <TSIG key name> tmsh save sys config |