V-265980

CAT II (Medium)

The F5 BIG-IP DNS implementation must prohibit recursion on authoritative name servers.

Rule ID

SV-265980r1024486_rule

STIG

F5 BIG-IP TMOS DNS Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-000366

Discussion

A potential vulnerability of DNS is that an attacker can poison a name server's cache by sending queries that will cause the server to obtain host-to-IP address mappings from bogus name servers that respond with incorrect information. Once a name server has been poisoned, legitimate clients may be directed to nonexistent hosts (which constitutes a denial of service), or worse, hosts that masquerade as legitimate ones to obtain sensitive data or passwords.

To guard against poisoning, name servers authoritative for .mil domains must be separated functionally from name servers that resolve queries on behalf of internal clients. Organizations may achieve this separation by dedicating machines to each function or, if possible, by running two instances of the name server software on the same machine: one for the authoritative function and the other for the resolving function. In this design, each name server process may be bound to a different IP address or network interface to implement the required segregation.

DNSSEC ensures that the answer received when querying for name resolution actually comes from a trusted name server. Since DNSSEC is still far from being globally deployed external to DOD, and many resolvers either have not been updated or do not support DNSSEC, maintaining cached zone data separate from authoritative zone data mitigates the gap until all DNS data is validated with DNSSEC. Since DNS forwarding of queries can be accomplished in some DNS applications without caching locally, DNS forwarding is the method to be used when providing external DNS resolution to internal clients.

Check Content

If the BIG-IP does not have the role of authoritative DNS server, this is not applicable.

From the BIG-IP GUI:
1. DNS.
2. Delivery.
3. Profiles.
4. DNS.
5. Click the name of the profile used for the authoritative listener.
6. Verify the following settings:
a. Use BIND Server on BIG-IP: Disabled
b. DNS Cache: Disabled

If the BIG-IP appliance is not configured to prohibit recursion on authoritative name servers, this is a finding.

Fix Text

If the BIG-IP has the role of authoritative DNS server, then configure as follows.

From the BIG-IP GUI:
1. DNS.
2. Delivery.
3. Profiles.
4. DNS.
5. Click the name of the profile used for the authoritative listener.
6. Configure the following settings:
a. Use BIND Server on BIG-IP: Disabled
b. DNS Cache: Disabled
7. Click "Update".
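The Check Content and Fix Text above describe the two profile settings through the GUI. For auditing many devices it is more practical to read the same profile from the command line and test it. The script below is an added example, not part of the STIG text and not F5's own code. It parses the output of `tmsh list ltm profile dns <profile-name>` and reports whether the profile attached to the authoritative listener would be a finding. The two sample listings are constructed for the example, and the attribute names `use-local-bind` and `enable-cache` are assumed to correspond to the GUI settings "Use BIND Server on BIG-IP" and "DNS Cache"; confirm them against the profile listing on the device before relying on the script.

```shell
#!/bin/bash
# Compliance check for V-265980 (no recursion on authoritative listeners).
# Input is the text of:  tmsh list ltm profile dns <profile-name>
# Assumption: the attributes use-local-bind and enable-cache carry the
# GUI settings "Use BIND Server on BIG-IP" and "DNS Cache".

# Constructed sample: a profile that satisfies the check.
COMPLIANT_PROFILE='ltm profile dns dns_auth {
    app-service none
    cache none
    defaults-from dns
    enable-cache no
    enable-dns-express yes
    enable-gtm yes
    process-rd no
    unhandled-query-action drop
    use-local-bind no
}'

# Constructed sample: both settings left enabled, which is a finding.
NONCOMPLIANT_PROFILE='ltm profile dns dns_auth {
    app-service none
    cache none
    defaults-from dns
    enable-cache yes
    enable-dns-express yes
    enable-gtm yes
    process-rd yes
    unhandled-query-action allow
    use-local-bind yes
}'

# get_attr TEXT KEY : print the value of KEY from a tmsh profile listing
get_attr() {
    printf '%s\n' "$1" | awk -v key="$2" '$1 == key { print $2; exit }'
}

# check_profile TEXT : print "pass" or "finding: ..." ; return 0 or 1
check_profile() {
    local text="$1" bind cache status=0 msg=""
    bind=$(get_attr "$text" use-local-bind)
    cache=$(get_attr "$text" enable-cache)
    # An absent attribute is reported as "missing" and treated as a finding
    # instead of being silently assumed disabled.
    if [ "$bind" != "no" ]; then
        msg="$msg use-local-bind=${bind:-missing};"
        status=1
    fi
    if [ "$cache" != "no" ]; then
        msg="$msg enable-cache=${cache:-missing};"
        status=1
    fi
    if [ "$status" -eq 0 ]; then
        echo "pass"
    else
        echo "finding:$msg"
    fi
    return "$status"
}

# Run the check over both constructed samples; the non-zero status of the
# failing sample is not propagated so the demonstration runs to the end.
for sample in "$COMPLIANT_PROFILE" "$NONCOMPLIANT_PROFILE"; do
    check_profile "$sample" || true
done
```

On a real system the same function can be fed the live listing, for example `check_profile "$(tmsh list ltm profile dns dns_auth)"`, where `dns_auth` is a placeholder for the profile named in step 5 above. Only the profile attached to the authoritative listener needs to pass; a separate profile used for a resolving listener is expected to keep caching or BIND enabled, which is exactly the functional separation the Discussion calls for.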