Securing the named configuration

Question

Hi,&nbsp;
&nbsp;We are using the GTM and it's behind the firewall and opened port tcp/udp 53.&nbsp;
&nbsp;Can any once suggest how to secure the named configuration and fine tuning methods.&nbsp;
&nbsp;Thanks in advance.&nbsp;

cspillane_18296 · Answer

Hi Silver, &nbsp;
&nbsp; if you're using the GTM for standard DNS resolution (not just wideip's) I'd recommend version 10.2.1 and HF2 which includes the following: &nbsp;
&nbsp; BIND had been updated to mitigate the vulnerabilities in CVE-2010-3613 and CVE-2010-3615 
&nbsp; BIND has been updated to 9.6.3 to address an issue where DNSSEC validation could fail when a new Delegation Signer record is inserted into a trusted DNSSEC validation tree &nbsp;
&nbsp; You may also find these useful: &nbsp;
&nbsp; http://support.f5.com/kb/en-us/solutions/public/6000/800/sol6827.html - Disabling the DNS version response on the BIG-IP GTM 
&nbsp; http://support.f5.com/kb/en-us/solutions/public/7000/000/sol7055.html - Enabling DNS recursion on the BIG-IP GTM system 
&nbsp; http://support.f5.com/kb/en-us/solutions/public/6000/900/sol6963.html - Managing the BIG-IP BIND configuration file 
&nbsp;http://support.f5.com/kb/en-us/solutions/public/7000/300/sol7317.html - Overview of port lockdown behaviour&nbsp;
&nbsp; Hope it helps!

Forum Discussion

Securing the named configuration

Recent Discussions

ports are showing open on online scanning tool

Upgrade F5 BIGIP

DNS HM Probe issue

Is XFF a must for ASM WAF DoS

Switch ssl profile based on weak cipher detection via IRULE

Related Content

Auditing Security Policy Updates

Minimizing Security Complexity: Managing Distributed WAF Policies

Get Started with WAAP Security Incidents

Multiple Ways to Configure Usage Reporting in NGINX

Avoiding Common iRules Security Pitfalls

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS