Forum Discussion
silver
Apr 01, 2011 Nimbostratus
Securing the named configuration
Hi,
We are using the GTM; it's behind the firewall, with port tcp/udp 53 opened.
Can anyone suggest how to secure the named configuration, and fine-tuning methods?
Than...
Cspillane_18296
Apr 15, 2011 Nimbostratus
Hi Silver,
If you're using the GTM for standard DNS resolution (not just wideip's), I'd recommend version 10.2.1 and HF2, which includes the following:
BIND has been updated to mitigate the vulnerabilities in CVE-2010-3613 and CVE-2010-3615
BIND has been updated to 9.6.3 to address an issue where DNSSEC validation could fail when a new Delegation Signer record is inserted into a trusted DNSSEC validation tree
You may also find these useful:
http://support.f5.com/kb/en-us/solutions/public/6000/800/sol6827.html - Disabling the DNS version response on the BIG-IP GTM
http://support.f5.com/kb/en-us/solutions/public/7000/000/sol7055.html - Enabling DNS recursion on the BIG-IP GTM system
http://support.f5.com/kb/en-us/solutions/public/6000/900/sol6963.html - Managing the BIG-IP BIND configuration file
http://support.f5.com/kb/en-us/solutions/public/7000/300/sol7317.html - Overview of port lockdown behaviour
Hope it helps!