The F5 BIG-IP DNS implementation must protect the authenticity of communications sessions for zone transfers.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
high	V-265990	SRG-APP-000219-DNS-000028	F5BI-DN-300036	SV-265990r1024864_rule	2024-09-09	1

Description
DNS is a fundamental network service that is prone to various attacks, such as cache poisoning and man-in-the middle attacks. If communication sessions are not provided appropriate validity protections, such as the employment of DNSSEC, the authenticity of the data cannot be guaranteed.

ℹ️ Check
If the BIG-IP is transferring zones from another non-BIG-IP DNS server perform the following. From the BIG-IP GUI: 1. DNS. 2. Zones. 3. Click on the Zone Name. 4. Under the TSIG section verify a "Server Key" is selected. From the BIG-IP Console, type the following commands: tmsh list ltm dns zone <name> server-tsig-key Note: Must return a value other than "none". If the BIG-IP appliance is not configured to protect the authenticity of communications sessions for zone transfers, this is a finding.

ℹ️ Check

If the BIG-IP is transferring zones from another non-BIG-IP DNS server perform the following. From the BIG-IP GUI: 1. DNS. 2. Zones. 3. Click on the Zone Name. 4. Under the TSIG section verify a "Server Key" is selected. From the BIG-IP Console, type the following commands: tmsh list ltm dns zone <name> server-tsig-key Note: Must return a value other than "none". If the BIG-IP appliance is not configured to protect the authenticity of communications sessions for zone transfers, this is a finding.

✔️ Fix
From the BIG-IP GUI: 1. DNS. 2. Zones. 3. Click on the Zone Name. 4. Under the TSIG section, select a "Server Key" from the drop-down menu. 5. Click "Update". From the BIG-IP Console, type the following commands: tmsh modify ltm dns zone <zone name> server-tsig-key <TSIG key name> tmsh save sys config