Detections
Analytics
F5BI-DN-300036 - The F5 BIG-IP DNS implementation must protect the authenticity of communications sessions for zone transfers.
Information
DNS is a fundamental network service that is prone to various attacks, such as cache poisoning and man-in-the middle attacks.If communication sessions are not provided appropriate validity protections, such as the employment of DNSSEC, the authenticity of the data cannot be guaranteed.
Solution
From the BIG-IP GUI:1. DNS.
2. Zones.
3. Click on the Zone Name.
4. Under the TSIG section, select a "Server Key" from the drop-down menu.
5. Click "Update".
From the BIG-IP Console, type the following commands:
tmsh modify ltm dns zone <zone name> server-tsig-key <TSIG key name>
tmsh save sys config
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_F5_BIG-IP_TMOS_Y24M09_STIG.zip
Item Details
Audit Name: DISA F5 BIG-IP TMOS DNS STIG v1r1
Category: SYSTEM AND COMMUNICATIONS PROTECTION
References: 800-53|SC-23, CAT|I, CCI|CCI-001184, Rule-ID|SV-265990r1024864_rule, STIG-ID|F5BI-DN-300036, Vuln-ID|V-265990
Plugin: F5
Control ID: f6c475b2cc4e9427caae034326b695fe2ad994436be7f72f2255c3f8fc4af7aa