Bug ID 1075001: Types 64-65 in IPS Compliance 'Unknown Resource Record Type'

Last Modified: Dec 18, 2024

Affected Product(s):
BIG-IP AFM (all modules)

Known Affected Versions:
15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 15.1.8.1, 15.1.8.2, 15.1.9, 15.1.9.1, 15.1.10, 15.1.10.2, 15.1.10.3, 15.1.10.4, 15.1.10.5, 15.1.10.6, 16.0.0, 16.0.0.1, 16.0.1, 16.0.1.1, 16.0.1.2, 16.1.0, 16.1.1, 16.1.2, 16.1.2.1, 16.1.2.2, 16.1.3, 16.1.3.1, 16.1.3.2, 16.1.3.3, 16.1.3.4, 16.1.3.5, 16.1.4, 16.1.4.1, 16.1.4.2, 16.1.4.3, 17.0.0, 17.0.0.1, 17.0.0.2

Fixed In:
17.1.2, 16.1.5

Opened: Jan 21, 2022

Severity: 3-Major

Symptoms

Protocol Inspection compliance check 'Unknown Resource Record Type' (ID 10002) treats the following ranges of DNS resource record type IDs as 'unknown': 62-98, 110-248, 259-32767 and 32770-65535. These ranges are hard-coded and include type 64 (SVCB) and type 65 (HTTPS), which is not accurate for some configurations. Because the ranges cannot be adjusted in 'Unknown Resource Record Type', the check may affect legitimate traffic: queries for types 64 (SVCB) and 65 (HTTPS), which were still Internet-Drafts when this bug was opened and have since been published as RFC 9460, have been observed in increasing numbers since the introduction of iOS 14 and macOS 11.

Impact

DNS queries for record types 64 (SVCB) and 65 (HTTPS) are rejected. The severity of this impact depends on how much of your DNS traffic uses these types.

Conditions

The DNS service in an AFM Protocol Inspection profile has the compliance check 'Unknown Resource Record Type' (ID 10002) configured with the action Reject.

Workaround

There is no configuration workaround. However, you can install an updated Protocol Inspection IM package (pi_updates_15.1.0-20220215.0652.im or later) from the F5 Downloads site; it is listed under the ProtocolInspection-LatestUpdate entry on the version-specific downloads page.

Fix Information

AFM administrators can now specify the type codes that IPS Compliance 'Unknown Resource Record Type' treats as known, either from the GUI or using tmsh commands.

GUI:

1. Go to Security :: Protocol Security :: Inspection Profiles.
2. Create a new profile and add the DNS service.
3. In the DNS compliance edit option, search for the compliance check with ID 10002 and open it.
4. Add the type codes to the known_resource_records list.
5. Commit the changes.

TMSH:

1. Add the known_resource_records:

root@(test-127)(cfg-sync Standalone)(Active)(/Common)(tmos)# create security protocol-inspection profile dns_rr { services add { dns { compliance add { dns_unknown_resource_record_type { value { known_resource_records { 64 65 }}}}}}}

2. Modify known_resource_records:

root@(test-127)(cfg-sync Standalone)(Active)(/Common)(tmos)# modify security protocol-inspection profile dns_rr { services modify { dns { compliance modify { dns_unknown_resource_record_type { value { known_resource_records { 64 65 66 }}}}}}}

3. View the result:

root@(test-127)(cfg-sync Standalone)(Active)(/Common)(tmos)# list security protocol-inspection profile dns_rr services
security protocol-inspection profile dns_rr {
    services {
        dns {
            compliance {
                dns_unknown_resource_record_type {
                    action accept
                    log yes
                    value "known_resource_records {64 65 66}"
                }
            }
            config none
            ports {
                domain { }
            }
            signature none
            status enabled
        }
    }
}
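The following Python model is an added example and not F5 code. It shows how the hard-coded 'unknown' ranges quoted in the Symptoms section classify the QTYPE of a DNS query, and how listing 64 and 65 in known_resource_records changes the verdict, so you can reason about which of your queries the check would reject before turning it on. The DNS wire-format builder and parser, the parser for the tmsh value string, the function names, and the sample query for example.com are all constructed here; the assumption that a type listed in known_resource_records is excluded from the 'unknown' classification follows from the fix description above.

```python
"""
Added example (not F5 code): a stand-alone model of how the AFM Protocol
Inspection DNS compliance check 'Unknown Resource Record Type' (ID 10002)
classifies a query's QTYPE, and how the known_resource_records allowlist
from the fix changes the outcome. Wire-format handling and the sample query
are constructed here; the 'unknown' ranges are those quoted in the bug.
"""
import struct

# 'Unknown' QTYPE ranges quoted in the bug description (inclusive).
UNKNOWN_QTYPE_RANGES = ((62, 98), (110, 248), (259, 32767), (32770, 65535))

# Readable names for the types used below (IANA DNS parameters registry).
QTYPE_NAMES = {1: "A", 28: "AAAA", 64: "SVCB", 65: "HTTPS"}


def build_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query (constructed sample input: standard query, RD=1)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS 1 = IN


def parse_question_qtype(msg: bytes) -> int:
    """Return the QTYPE of the first question in a DNS wire-format message."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    qdcount = struct.unpack("!H", msg[4:6])[0]
    if qdcount < 1:
        raise ValueError("message carries no question")
    pos = 12
    while True:  # walk the QNAME labels up to the root label
        if pos >= len(msg):
            raise ValueError("truncated QNAME")
        length = msg[pos]
        if length == 0:
            pos += 1
            break
        if length & 0xC0:  # compression pointer; not valid in a query's QNAME
            raise ValueError("compression pointer in question name")
        pos += 1 + length
    if pos + 4 > len(msg):
        raise ValueError("truncated question section")
    qtype, _qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return qtype


def parse_known_resource_records(value: str) -> frozenset:
    """Parse the tmsh value string, e.g. 'known_resource_records {64 65 66}'."""
    inner = value[value.index("{") + 1:value.index("}")]
    return frozenset(int(tok) for tok in inner.split())


def is_unknown_rr_type(qtype: int, known_resource_records=frozenset()) -> bool:
    """True if the check classifies qtype as 'unknown'.

    Assumption (from the fix description): a type listed in
    known_resource_records is never treated as unknown, whatever the ranges say.
    """
    if qtype in known_resource_records:
        return False
    return any(lo <= qtype <= hi for lo, hi in UNKNOWN_QTYPE_RANGES)


def compliance_verdict(msg: bytes, action: str = "reject",
                       known_resource_records=frozenset()) -> str:
    """Return 'accept', or the configured action, for one DNS query message."""
    qtype = parse_question_qtype(msg)
    return action if is_unknown_rr_type(qtype, known_resource_records) else "accept"


if __name__ == "__main__":
    https_query = build_query("example.com", 65)  # constructed sample query
    allowlist = parse_known_resource_records("known_resource_records {64 65}")
    for label, known in (("default", frozenset()), ("with fix", allowlist)):
        verdict = compliance_verdict(https_query, "reject", known)
        print(f"{label}: HTTPS (65) query -> {verdict}")
```

Run it as a script to see the HTTPS query rejected with the default ranges and accepted once 64 and 65 are listed. To check your own environment, feed captured queries to compliance_verdict instead of the constructed one; the range boundaries matter, for example type 99 (SPF) and type 32768 (TA) fall just outside the hard-coded ranges and are never flagged.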

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips