The platform on which the name server software is hosted must be configured to respond to DNS traffic only.
An XCCDF Rule
Description
<VulnDiscussion>Hosts that run the name server software must not provide any other services and therefore must be configured to respond to DNS traffic only. In other words, the only allowed incoming ports/protocols to these hosts must be 53/udp and 53/tcp. Outgoing DNS messages must be sent from a random port to minimize the risk of an attacker's guessing the outgoing message port and sending forged replies. BIG-IP is often used to proxy DNS along with other services. The requirement speaks to the "name server software", but if we are proxying for the name server then we do not need to limit listeners to DNS only.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID: SV-265985r1024493_rule
- Severity: Medium
- References
- Updated
Remediation - Manual Procedure
From the BIG-IP GUI:
1. Local Traffic.
2. Virtual Servers.
3. For any virtual server that is listening but is not associated with DNS, check the box next to the virtual server and click "Delete".
4. Click "Delete" again.
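As an added check (example code, not from the STIG or from F5), the script below applies the same test as the manual procedure to text in the style of `tmsh list ltm virtual` output: any virtual server whose destination port is not 53 (tmsh may print it as the service name `domain`) over udp or tcp is reported. The sample output is constructed, IPv4-style destinations are assumed, and the optional `documented_proxies` allowlist is a hypothetical way to record the non-DNS services the VulnDiscussion says the BIG-IP may legitimately proxy.

```python
import re

# Constructed sample in the style of `tmsh list ltm virtual` output; it was not
# captured from a real BIG-IP. Ports appear both numerically and as service names.
SAMPLE_TMSH_OUTPUT = """\
ltm virtual vs_dns_udp {
    destination /Common/203.0.113.10:domain
    ip-protocol udp
}
ltm virtual vs_dns_tcp {
    destination /Common/203.0.113.10:53
    ip-protocol tcp
}
ltm virtual vs_web {
    destination /Common/203.0.113.11:https
    ip-protocol tcp
}
ltm virtual vs_mgmt_ssh {
    destination /Common/203.0.113.12:22
    ip-protocol tcp
}
"""

# 53/udp and 53/tcp are the only listeners the requirement allows.
DNS_PORTS = {"53", "domain"}


def parse_virtual_servers(text):
    """Return {name: (port, ip_protocol)} for each top-level 'ltm virtual' block.

    The closing brace of a top-level block sits in column 0, so nested
    sub-blocks (profiles, etc.) with indented braces do not end the match.
    Assumes IPv4-style '<addr>:<port>' destinations.
    """
    servers = {}
    for block in re.finditer(r"ltm virtual (\S+) \{(.*?)\n\}", text, re.S):
        name, body = block.group(1), block.group(2)
        dest = re.search(r"destination\s+\S+?:(\S+)", body)
        proto = re.search(r"ip-protocol\s+(\S+)", body)
        servers[name] = (dest.group(1) if dest else None,
                         proto.group(1) if proto else None)
    return servers


def non_dns_listeners(text, documented_proxies=()):
    """Names of virtual servers that are neither DNS (53/udp, 53/tcp) nor on the
    documented list of non-DNS services this BIG-IP is approved to proxy."""
    return sorted(
        name for name, (port, proto) in parse_virtual_servers(text).items()
        if not (port in DNS_PORTS and proto in {"udp", "tcp"})
        and name not in documented_proxies
    )
```

An empty result from `non_dns_listeners` corresponds to the state the manual procedure leaves behind; a non-empty one lists exactly the virtual servers step 3 would have you review.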