| Finding ID |
Severity |
Title |
Description |
|
V-265990
|
High |
The F5 BIG-IP DNS implementation must protect the authenticity of communications sessions for zone transfers. |
DNS is a fundamental network service that is prone to various attacks, such as cache poisoning and man-in-the middle attacks.
If communication sessions are not provided appropriate validity protections, such as the employment of DNSSEC, the authenticity of the data cannot be guaranteed. |
|
V-265986
|
High |
The digital signature algorithm used for DNSSEC-enabled zones must be set to use RSA/SHA256 or RSA/SHA512. |
The choice of digital signature algorithm will be based on recommended algorithms in well-known standards. NIST's Digital Signature Standard (DSS) (FIPS186) provides three algorithm choices:
- Digital Signature Algorithm (DSA);
- RSA;
- Elliptic Curve DSA (ECDSA).
Of these three algorithms, RSA and DSA are more widely available, and hence... |
|
V-265991
|
Medium |
The F5 BIG-IP DNS server implementation must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial-of-service (DoS) attacks. |
DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity.
In the case of application DoS attacks, care must be taken when designing the application to ensure the application makes the... |
|
V-265989
|
Medium |
The validity period for the RRSIGs covering the DS RR for a zones delegated children must be no less than two days and no more than one week. |
The best way for a zone administrator to minimize the impact of a key compromise is by limiting the validity period of RRSIGs in the zone and in the parent zone. This strategy limits the time during which an attacker can take advantage of a compromised key to forge responses.... |
|
V-265988
|
Medium |
A BIG-IP DNS server implementation must provide additional data origin artifacts along with the authoritative data the system returns in response to external name/address resolution queries. |
The underlying feature in the major threat associated with DNS query/response (e.g., forged response or response failure) is the integrity of DNS data returned in the response. The security objective is to verify the integrity of each response received. An integral part of integrity verification is to ensure that valid... |
|
V-265987
|
Medium |
The F5 BIG-IP DNS server implementation must validate the binding of the other DNS server's identity to the DNS information for a server-to-server transaction (e.g., zone transfer). |
Validation of the binding of the information prevents the modification of information between production and review. The validation of bindings can be achieved, for example, by the use of cryptographic checksums. Validations must be performed automatically.
DNSSEC and TSIG/SIG(0) technologies are not effective unless the digital signatures they generate are... |
|
V-265985
|
Medium |
The platform on which the name server software is hosted must be configured to respond to DNS traffic only. |
Hosts that run the name server software must not provide any other services and therefore must be configured to respond to DNS traffic only. In other words, the only allowed incoming ports/protocols to these hosts must be 53/udp and 53/tcp. Outgoing DNS messages must be sent from a random port... |
|
V-265984
|
Medium |
The F5 BIG-IP DNS must use valid root name servers in the local root zone file. |
All caching name servers must be authoritative for the root zone because, without this starting point, they would have no knowledge of the DNS infrastructure and thus would be unable to respond to any queries. The security risk is that an adversary could change the root hints and direct the... |
|
V-265983
|
Medium |
Primary authoritative name servers must be configured to only receive zone transfer requests from specified secondary name servers. |
Authoritative name servers (especially primary name servers) must be configured with an allow-transfer access control substatement designating the list of hosts from which zone transfer requests can be accepted. These restrictions address the denial-of-service (DoS) threat and potential exploits from unrestricted dissemination of information about internal resources. Based on the... |
|
V-265982
|
Medium |
An authoritative name server must be configured to enable DNSSEC Resource Records. |
The specification for a digital signature mechanism in the context of the DNS infrastructure is in IETF's DNSSEC standard. In DNSSEC, trust in the public key (for signature verification) of the source is established not by going to a third party or a chain of third parties (as in public... |
|
V-265981
|
Medium |
The validity period for the RRSIGs covering a zone's DNSKEY RRSet must be no less than two days and no more than one week. |
The best way for a zone administrator to minimize the impact of a key compromise is by limiting the validity period of RRSIGs in the zone and in the parent zone. This strategy limits the time during which an attacker can take advantage of a compromised key to forge responses.... |
|
V-265980
|
Medium |
The F5 BIG-IP DNS implementation must prohibit recursion on authoritative name servers. |
A potential vulnerability of DNS is that an attacker can poison a name server's cache by sending queries that will cause the server to obtain host-to-IP address mappings from bogus name servers that respond with incorrect information. Once a name server has been poisoned, legitimate clients may be directed to... |
