V-265985

CAT II (Medium)

The platform on which the name server software is hosted must be configured to respond to DNS traffic only.

Rule ID

SV-265985r1024493_rule

STIG

F5 BIG-IP TMOS DNS Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-000366

Discussion

Hosts that run the name server software must not provide any other services and therefore must be configured to respond to DNS traffic only. In other words, the only incoming ports/protocols allowed to these hosts are 53/udp and 53/tcp. Outgoing DNS messages must be sent from a random source port to minimize the risk of an attacker guessing the outgoing port and sending forged replies (cache poisoning). BIG-IP is often used to proxy DNS alongside other services. The requirement applies to the "name server software"; when BIG-IP is only proxying for a name server rather than acting as the authoritative server itself, its listeners need not be limited to DNS only.

Check Content

If the BIG-IP does not have the role of authoritative DNS server, this is not applicable.

From the BIG-IP GUI:

1. Local Traffic.
2. Virtual Servers.
3. Verify that no virtual server in the list is configured to listen for non-DNS services (anything other than port 53 over TCP or UDP).

If the BIG-IP appliance is configured to respond to traffic other than DNS, this is a finding.
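As an added example that is not part of the STIG or of F5's own tooling, the following shell script performs the same check from the BIG-IP command line rather than the GUI. It assumes (the STIG does not say this) that `tmsh list ltm virtual destination ip-protocol` prints one stanza per virtual server containing its destination and IP protocol, that well-known ports may appear as service names such as `:domain` for 53 unless the CLI is set to display service numbers, and that IPv6 destinations separate the port with a dot. The listing it parses below is constructed for the example, not captured from a device.

```shell
#!/bin/bash
# Added example (not from the STIG or from F5): audit BIG-IP LTM virtual
# servers for listeners other than 53/tcp and 53/udp, the check behind
# V-265985, from the CLI. Assumed (not stated in the STIG): on the appliance
#   tmsh list ltm virtual destination ip-protocol
# prints one stanza per virtual server, e.g.
#   ltm virtual vs_dns_udp {
#       destination /Common/192.0.2.10:domain
#       ip-protocol udp
#   }
# Well-known ports may print as service names (":domain" = 53, ":https" = 443),
# and IPv6 destinations separate the port with a dot ("2001:db8::10.53").

# audit_vs: read tmsh stanzas on stdin, print "<name> <destination> <ip-protocol>"
# for every virtual server that is not a 53/tcp or 53/udp listener, and
# return 1 if any were found (0 when the listener set is DNS-only).
audit_vs() {
    local f1 f2 f3 rest name="" dest="" proto="" port findings=0
    while read -r f1 f2 f3 rest; do
        case "$f1" in
            ltm)         name="$f3"; dest=""; proto="" ;;   # "ltm virtual <name> {"
            destination) dest="$f2" ;;
            ip-protocol) proto="$f2" ;;
            '}')
                # The port follows the last ":" (IPv4) or the last "." (IPv6).
                port="${dest##*[:.]}"
                if { [ "$port" = 53 ] || [ "$port" = domain ]; } &&
                   { [ "$proto" = tcp ] || [ "$proto" = udp ]; }; then
                    :   # 53/tcp or 53/udp: the only listeners the requirement allows
                else
                    printf '%s %s %s\n' "$name" "$dest" "${proto:-any}"
                    findings=1
                fi
                ;;
        esac
    done
    return "$findings"
}

# Constructed sample listing (not captured from a real device) covering the
# cases the parser must handle: a service name, a numeric port, IPv6, an
# HTTPS listener, a wildcard listener, and port 53 with ip-protocol "any".
SAMPLE='ltm virtual vs_dns_tcp {
    destination /Common/192.0.2.10:domain
    ip-protocol tcp
}
ltm virtual vs_dns_udp {
    destination /Common/192.0.2.10:53
    ip-protocol udp
}
ltm virtual vs_dns_v6 {
    destination /Common/2001:db8::10.53
    ip-protocol udp
}
ltm virtual vs_https {
    destination /Common/192.0.2.11:https
    ip-protocol tcp
}
ltm virtual vs_wildcard {
    destination /Common/0.0.0.0:any
    ip-protocol any
}
ltm virtual vs_dns_anyproto {
    destination /Common/192.0.2.10:53
    ip-protocol any
}'

# run_sample: audit the constructed listing; exit status is audit_vs's.
run_sample() {
    printf '%s\n' "$SAMPLE" | audit_vs
}

if run_sample; then
    echo "No non-DNS listeners found: not a finding."
else
    echo "Non-DNS listeners listed above: this is a finding for V-265985."
fi
```

On the appliance, pipe the live listing into the function instead of the sample (`tmsh list ltm virtual destination ip-protocol | audit_vs`); a non-zero exit status means at least one listener other than 53/tcp or 53/udp exists, which is the finding condition above. A port-53 listener with `ip-protocol any` is flagged deliberately, since the discussion allows only 53/udp and 53/tcp. The script checks listening ports only; it says nothing about source-port randomization of outbound queries.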

Fix Text

From the BIG-IP GUI:
1. Local Traffic.
2. Virtual Servers.
3. For any listening virtual server that is not associated with DNS, check the box next to it and click "Delete".
4. Click "Delete" again to confirm.