F5 BIG-IP TMOS DNS Security Technical Implementation Guide

Version: V1R1
Release Date: Sep 9, 2024
SCAP Benchmark ID: F5_BIG-IP_TMOS_DNS_STIG
Total Checks: 12
Tags: other
Severity: CAT I: 2, CAT II: 10, CAT III: 0

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Checks (12)

  • V-265980 (MEDIUM): The F5 BIG-IP DNS implementation must prohibit recursion on authoritative name servers.
  • V-265981 (MEDIUM): The validity period for the RRSIGs covering a zone's DNSKEY RRSet must be no less than two days and no more than one week.
  • V-265982 (MEDIUM): An authoritative name server must be configured to enable DNSSEC Resource Records.
  • V-265983 (MEDIUM): Primary authoritative name servers must be configured to only receive zone transfer requests from specified secondary name servers.
  • V-265984 (MEDIUM): The F5 BIG-IP DNS must use valid root name servers in the local root zone file.
  • V-265985 (MEDIUM): The platform on which the name server software is hosted must be configured to respond to DNS traffic only.
  • V-265986 (HIGH): The digital signature algorithm used for DNSSEC-enabled zones must be set to use RSA/SHA256 or RSA/SHA512.
  • V-265987 (MEDIUM): The F5 BIG-IP DNS server implementation must validate the binding of the other DNS server's identity to the DNS information for a server-to-server transaction (e.g., zone transfer).
  • V-265988 (MEDIUM): A BIG-IP DNS server implementation must provide additional data origin artifacts along with the authoritative data the system returns in response to external name/address resolution queries.
  • V-265989 (MEDIUM): The validity period for the RRSIGs covering the DS RR for a zone's delegated children must be no less than two days and no more than one week.
  • V-265990 (HIGH): The F5 BIG-IP DNS implementation must protect the authenticity of communications sessions for zone transfers.
  • V-265991 (MEDIUM): The F5 BIG-IP DNS server implementation must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial-of-service (DoS) attacks.