The F5 BIG-IP DNS must use valid root name servers in the local root zone file.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
---|---|---|---|---|---|---|
medium | V-265984 | SRG-APP-000516-DNS-000102 | F5BI-DN-300015 | SV-265984r1024858_rule | 2024-09-09 | 1 |
## Description

All caching name servers must be authoritative for the root zone because, without this starting point, they would have no knowledge of the DNS infrastructure and thus would be unable to respond to any queries. The security risk is that an adversary could change the root hints and direct the caching name server to a bogus root server. At that point, every query response from that name server is suspect, which would give the adversary substantial control over the network communication of the name servers' clients. When authoritative servers are sent queries for zones they are not authoritative for, and they are configured as a noncaching server (as recommended), they can either be configured to return a referral to the root servers or they can be configured to refuse to answer the query. The recommendation is to configure authoritative servers to refuse to answer queries for any zones for which they are not authoritative. This is more efficient for the server and allows it to spend more of its resources on its intended purpose: answering authoritatively for its zone.
## Check

This is only applicable if DNS recursion is being performed by the BIG-IP AND a custom root hint list must be defined.

From the BIG-IP GUI:

1. DNS.
2. Zones.
3. ZoneRunner.
4. Zone List.
5. Verify there is no Zone Name called ".".
6. If a "." Zone Name exists, log in to the BIG-IP CLI and run the following command: `cat /var/named/config/namedb/db.external.named.root`
7. Verify valid root name servers are configured.

If the BIG-IP appliance is not configured to use valid root name servers in the local root zone file, this is a finding.
## Fix

This is only applicable if DNS recursion is being performed by the BIG-IP AND a custom root hint list must be defined.

Enable recursion for named. From the BIG-IP GUI:

1. DNS.
2. Zones.
3. ZoneRunner.
4. Named Configuration.
5. Change the recursion option to "recursion yes;".
6. Click "Update".

Create a hint zone using ZoneRunner. From the BIG-IP GUI:

1. DNS.
2. Zones.
3. ZoneRunner.
4. Zone List.
5. Create.
6. For the View Name option, select the view for which the hint zone will apply.
7. For the Zone Name, enter a period character "." (without quotes).
8. For the Zone Type, select "Hint".
9. Change the Zone File Name to "db.external.named.root." (without quotes).
10. Click "Finished".

Edit the hint zone file. From the BIG-IP CLI:

1. Edit the root hint file: `vi /var/named/config/namedb/db.external.named.root`
2. Paste the list of valid root name servers. Note: A copy of the latest root server list can be found at the following location: http://www.internic.net/zones/named.cache
3. Save the file.
4. Update the time stamp on /var/named/config/named.conf: `touch /var/named/config/named.conf`
5. Restart named: `tmsh restart /sys service named`
6. Restart zrd: `tmsh restart /sys service zrd`

Note: The hint zone does not display any information when viewed in the ZoneRunner Configuration utility. The information is used by named for the purpose of querying and receiving the most up-to-date list of root servers. It cannot be updated or modified using the ZoneRunner utility.