Bug ID 1050661: Warning message with UDP on DOH server side.

Last Modified: Oct 04, 2024

Affected Product(s):
BIG-IP DNS (all modules)

Known Affected Versions:
16.1.0, 16.1.1, 16.1.2, 16.1.2.1, 16.1.2.2, 16.1.3, 16.1.3.1, 16.1.3.2, 16.1.3.3, 16.1.3.4, 16.1.3.5, 16.1.4, 16.1.4.1, 16.1.4.2, 16.1.4.3, 16.1.5, 16.1.5.1

Opened: Sep 29, 2021

Severity: 3-Major

Symptoms

A DoH virtual server whose server-side flow uses UDP cannot deliver DNS replies larger than 4096 bytes to the DoH client; a truncated (TC) response is sent instead.

Impact

DNS responses with the TC (truncated) bit set are returned to clients by the BIG-IP DoH virtual server. Note that this is correct behavior, per RFC 8484, for this configuration.

Conditions

1. A DNS profile that has all the internal DNS resolution features turned off (GSLB, cache, DNS Express, local BIND), so that DNS requests are load balanced to the pool:

   tmsh create ltm profile dns dns-pool-only enable-dns-express no enable-dnssec no enable-gtm no process-rd no use-local-bind no

2. A pool pointing to a DNS server:

   tmsh create ltm pool dns-pool-only members add { x.x.x.x:53 }

3. An LTM virtual server that has TCP on the client side (DoH server) and UDP on the server-side flow, with the pool above as its default pool:

   tmsh create ltm virtual vs-doh-server destination x.x.x.x:443 ip-protocol tcp pool dns-pool-only profiles add { doh-server tcp { context clientside } udp_gtm_dns { context serverside } http2 http clientssl-secure dns-pool-only }

Trigger: send a DoH request to the virtual server for a DNS resource record set larger than 4096 bytes. A truncated response is returned to the DoH client. Because the client is already using TCP (and HTTPS) to send the query, it cannot retry the query over TCP the way a traditional UDP client would.
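The following is an added example, not code from the bug page or from F5: a stand-alone probe that sends an RFC 8484 DoH POST for a record and inspects the DNS header of the reply for the TC bit, which is how a practitioner can confirm whether a DoH virtual server is hitting the server-side UDP limit described above. The DoH URL and the record name are placeholders (assumptions, not values from this page), and the sample truncated reply at the bottom is constructed, not captured.

```python
"""Added example: probe a DoH endpoint for truncated (TC=1) answers.

Not code from the F5 bug page or from F5; a stand-alone check that can be
pointed at a BIG-IP DoH virtual server.  DOH_URL and the record name are
placeholders (assumptions), not values taken from the bug page.
"""
import struct
import urllib.request

DOH_URL = "https://doh.example.test/dns-query"  # placeholder (assumption)


def encode_name(qname: str) -> bytes:
    """RFC 1035 label encoding: length-prefixed labels, terminated by a zero byte."""
    labels = [l.encode("ascii") for l in qname.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def build_query(qname: str, qtype: int = 16, udp_payload: int = 4096) -> bytes:
    """Wire-format query with an EDNS0 OPT record (RFC 6891).

    ID is 0 as RFC 8484 section 4.1 requires for DoH; RD=1; qtype 16 = TXT,
    a record type that commonly produces large answers.
    """
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 1)  # QDCOUNT=1, ARCOUNT=1 (OPT)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # QCLASS=IN
    # OPT RR: NAME=root, TYPE=41, CLASS=advertised UDP payload size,
    # TTL=extended RCODE/version/flags (all zero), RDLENGTH=0
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_payload, 0, 0)
    return header + question + opt


def parse_header(msg: bytes) -> dict:
    """Header fields needed to diagnose the truncation symptom."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": ident,
        "qr": bool(flags & 0x8000),
        "tc": bool(flags & 0x0200),
        "rcode": flags & 0x000F,
        "ancount": an,
        "length": len(msg),
    }


def truncated(msg: bytes) -> bool:
    """True when the reply carries TC=1.  A DoH client is already on TCP, so,
    unlike a plain UDP stub resolver, it has no other transport to retry over."""
    return parse_header(msg)["tc"]


def doh_post(url: str, query: bytes, timeout: float = 5.0) -> bytes:
    """RFC 8484 POST: request body and reply are application/dns-message."""
    req = urllib.request.Request(
        url,
        data=query,
        method="POST",
        headers={
            "Content-Type": "application/dns-message",
            "Accept": "application/dns-message",
        },
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        ctype = resp.headers.get("Content-Type", "").split(";")[0].strip()
        if ctype != "application/dns-message":
            raise ValueError("unexpected Content-Type %r" % ctype)
        return resp.read()


# Constructed sample reply (not a capture): QR=1, TC=1, RD=1, RA=1, RCODE=0,
# the question echoed back and no answer records, i.e. what the bug describes.
SAMPLE_TRUNCATED_REPLY = (
    struct.pack("!HHHHHH", 0, 0x8380, 1, 0, 0, 0)
    + encode_name("big.example.test")
    + struct.pack("!HH", 16, 1)
)


if __name__ == "__main__":
    import sys

    url = sys.argv[1] if len(sys.argv) > 1 else DOH_URL
    name = sys.argv[2] if len(sys.argv) > 2 else "big.example.test"
    reply = doh_post(url, build_query(name))
    info = parse_header(reply)
    print(info)
    print("TRUNCATED: server-side UDP limit hit" if info["tc"] else "OK: full answer")
```

Run it as `python3 doh_tc_probe.py https://<doh-virtual-server>/dns-query <name>` against a name whose answer exceeds 4096 bytes; a reply with tc=True and ancount=0 is the symptom from this bug, and the same query sent to the pool member over TCP port 53 should return the complete answer.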

Workaround

Use one of the following:

1. Use TCP on the server-side flow. This is the default if you do not explicitly assign a UDP profile to the server-side context; with the configuration above, remove udp_gtm_dns { context serverside } from the virtual server's profile list and apply the tcp profile to both contexts. Each DNS request then costs a TCP three-way handshake (3WHS) and four-way close on the server side.

2. Instead of configuring the DNS servers as pool members, configure them as forward-zone nameservers of a DNS cache, and enable the cache (enable-cache) in the DNS profile.

3. Use the UDP server-side configuration only when you can be certain that the DNS server (pool member) will never return a reply larger than 4096 bytes.

Fix Information

None

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips