F5BigIpsPolicy Compliance Checks

The F5BigIpsPolicy Custom Resource (CR) supports the following compliance checks. Each check is listed with its available configuration options:

Configurable

The compliance checks listed below accept custom configuration.

  • dns_disallowed_query_type - DNS query type is disallowed as per the configuration.
  • dns_disallowed_resource_records - Resource Record type is disallowed as per the configuration.
  • dns_experimental_resource_records - Resource Record type is experimental as per the configuration.
  • dns_obsolete_resource_records - Resource Record type has been dropped or replaced by a newer Resource Record type as per the configuration.
  • dns_domains_blacklist - Domain from the DNS request matches the configured blacklist of domains.
  • dns_maximum_reply_length - Reply length (in bytes) exceeds the configured value.
  • dns_maximum_request_length - Request length (in bytes) exceeds the configured value.
  • dns_rdata_overflow - RDATA length (in bytes) exceeds the configured value.
  • dns_unknown_resource_record_type - Resource Record type ID falls within the ranges 62-98, 110-248, 259-32767, or 32770-65535.

Non-configurable

The compliance checks listed below use static configuration.

  • dns_malformed_pdu - DNS over SCTP transport is expected to begin with a two-octet length field; otherwise a Malformed DNS PDU is raised. Disabling this compliance check or changing its action to accept might cause unstable behavior and put your system at risk.
  • dns_illegal_query_flags - For opcode 0 (Standard Query), only the RD and CD flags are valid; for opcode 4 (Notify), only the RD, CD, and AA flags are valid. All other flags are considered illegal.
  • dns_invalid_query_type - As per RFC 1035 and RFC 6895, opcodes 0, 1, 2, 4, and 5 are valid. All other opcodes are considered invalid.
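The following is an added example, not part of the F5 documentation or product code, showing how the static rules above (dns_invalid_query_type, dns_illegal_query_flags) and the dns_unknown_resource_record_type ranges can be evaluated against a raw DNS message. It assumes the flag rule applies to query messages (QR bit clear) with opcode 0 or 4, the two cases the page defines; `build_query`, `first_qtype` and `check_dns_query` are names chosen here, and the messages they build are constructed samples.

```python
import struct

# DNS header flag-word bit masks (RFC 1035 layout); rule sets come from the page's descriptions.
AA, TC, RD, RA, Z, AD, CD = 0x0400, 0x0200, 0x0100, 0x0080, 0x0040, 0x0020, 0x0010
ALL_FLAG_BITS = AA | TC | RD | RA | Z | AD | CD
VALID_OPCODES = {0, 1, 2, 4, 5}                                            # dns_invalid_query_type
ALLOWED_FLAGS = {0: RD | CD, 4: RD | CD | AA}                              # dns_illegal_query_flags
UNKNOWN_RR_RANGES = ((62, 98), (110, 248), (259, 32767), (32770, 65535))  # dns_unknown_resource_record_type


def build_query(flags, qname, qtype, msg_id=0x1234):
    """Constructed sample input: a one-question DNS message (12-byte header + question section)."""
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.strip(".").split("."))
    return struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def first_qtype(pkt):
    """Return the QTYPE of the first question, or None if the question section is absent or truncated."""
    pos = 12
    while pos < len(pkt) and pkt[pos] != 0:
        if pkt[pos] & 0xC0:           # compression pointer: not a plain label, stop rather than guess
            return None
        pos += 1 + pkt[pos]           # skip this label
    pos += 1                          # skip the terminating zero-length label
    return struct.unpack_from("!H", pkt, pos)[0] if pos + 4 <= len(pkt) else None


def check_dns_query(pkt):
    """Return the names of the checks above that a raw DNS message (no transport length prefix) trips."""
    if len(pkt) < 12:
        raise ValueError("DNS header is 12 bytes; message is truncated")
    flags, qdcount = struct.unpack_from("!HH", pkt, 2)
    opcode = (flags >> 11) & 0xF
    hits = []
    if opcode not in VALID_OPCODES:
        hits.append("dns_invalid_query_type")
    # Assumption: flag rule evaluated for queries (QR clear) with opcode 0 or 4 only.
    if not flags & 0x8000 and opcode in ALLOWED_FLAGS and flags & ALL_FLAG_BITS & ~ALLOWED_FLAGS[opcode]:
        hits.append("dns_illegal_query_flags")
    qtype = first_qtype(pkt) if qdcount else None
    if qtype is not None and any(lo <= qtype <= hi for lo, hi in UNKNOWN_RR_RANGES):
        hits.append("dns_unknown_resource_record_type")
    return hits
```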