Skip to content
ATO Pathways
Log In
Overview
Search
Catalogs
SCAP
OSCAL
Catalogs
Profiles
Documents
References
Knowledge Base
Platform Documentation
Compliance Dictionary
Platform Changelog
About
Catalogs
XCCDF
F5 BIG-IP TMOS DNS Security Technical Implementation Guide
SRG-APP-000516-DNS-000109
The platform on which the name server software is hosted must be configured to respond to DNS traffic only.
The platform on which the name server software is hosted must be configured to respond to DNS traffic only.
An XCCDF Rule
Details
Profiles
Prose
The platform on which the name server software is hosted must be configured to respond to DNS traffic only.
Medium Severity
<VulnDiscussion>Hosts that run the name server software must not provide any other services and therefore must be configured to respond to DNS traffic only. In other words, the only allowed incoming ports/protocols to these hosts must be 53/udp and 53/tcp. Outgoing DNS messages must be sent from a random port to minimize the risk of an attacker's guessing the outgoing message port and sending forged replies. BIG-IP is often used to proxy DNS along with other services. The requirement speaks to the "name server software", but if we are proxying for the name server then we do not need to limit listeners to DNS only.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>