Last Modified: Dec 18, 2024
Affected Product(s):
BIG-IP AFM
Known Affected Versions:
15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 15.1.8.1, 15.1.8.2, 15.1.9, 15.1.9.1, 15.1.10, 15.1.10.2, 15.1.10.3, 15.1.10.4, 15.1.10.5, 15.1.10.6, 16.0.0, 16.0.0.1, 16.0.1, 16.0.1.1, 16.0.1.2, 16.1.0, 16.1.1, 16.1.2, 16.1.2.1, 16.1.2.2, 16.1.3, 16.1.3.1, 16.1.3.2, 16.1.3.3, 16.1.3.4, 16.1.3.5, 16.1.4, 16.1.4.1, 16.1.4.2, 16.1.4.3, 17.0.0, 17.0.0.1, 17.0.0.2
Fixed In:
17.1.2, 16.1.5
Opened: Jan 21, 2022
Severity: 3-Major
The Protocol Inspection compliance check 'Unknown Resource Record Type' (ID 10002) lists ranges of DNS type ID numbers (62-98, 110-248, 259-32767, 32770-65535) that are considered 'unknown'. These hard-coded ranges include 64 (SVCB) and 65 (HTTPS), which is not accurate for some configurations. Because the ranges cannot be adjusted in 'Unknown Record Type', some traffic may be affected: DNS queries with type ID 64 (SVCB) and 65 (HTTPS), record types that are still in draft, have been observed in increasing numbers since the introduction of iOS 14 and macOS 11.
DNS requests for record types 64 and 65 are blocked. The severity of this impact depends on your traffic.
This occurs when the 'Unknown Resource Record Type' compliance check in the IPS DNS profile is configured with the action Rejected.
Although there is no workaround, you can install an updated Protocol Inspection IM package (pi_updates_15.1.0-20220215.0652.im or later) from the F5 Downloads site under the ProtocolInspection-LatestUpdate entry on the version-specific downloads page.
AFM administrators can now specify a range of type codes for the IPS compliance check 'Unknown Resource Record Type' from the GUI or using tmsh commands.

GUI:
1. Go to Security :: Protocol Security : Inspection Profiles.
2. Create a new profile and add the DNS service.
3. In the DNS compliance edit option, search for compliance ID 10002 and open it.
4. Add the known_resource_records to the list.
5. Commit the changes.

TMSH:
1. Add the known_resource_records:
root@(test-127)(cfg-sync Standalone)(Active)(/Common)(tmos)# create security protocol-inspection profile dns_rr { services add { dns { compliance add { dns_unknown_resource_record_type { value { known_resource_records { 64 65 }}}}}}}
2. Modify the known_resource_records:
root@(test-127)(cfg-sync Standalone)(Active)(/Common)(tmos)# modify security protocol-inspection profile dns_rr { services modify { dns { compliance modify { dns_unknown_resource_record_type { value { known_resource_records { 64 65 66 }}}}}}}
3. View the result:
root@(test-127)(cfg-sync Standalone)(Active)(/Common)(tmos)# list security protocol-inspection profile dns_rr services
security protocol-inspection profile dns_rr {
    services {
        dns {
            compliance {
                dns_unknown_resource_record_type {
                    action accept
                    log yes
                    value "known_resource_records {64 65 66}"
                }
            }
            config none
            ports {
                domain { }
            }
            signature none
            status enabled
        }
    }
}
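The following Python script is an added example, not F5 code, that models the two things this article describes: the compliance check's hard-coded 'unknown' type ID ranges, and the effect of the known_resource_records exception list that the fix adds. It builds a few DNS queries in wire format as constructed test input, extracts the QTYPE from each, and reports which verdict the check would give with and without 64 and 65 on the known list. The type names, the build_query/parse_qtype helpers and the "accept"/"reject" verdict strings are assumptions for readability; the ranges and type IDs are the ones quoted above.

```python
import struct

# Hard-coded "unknown" type ID ranges quoted from the issue description (inclusive).
UNKNOWN_TYPE_RANGES = ((62, 98), (110, 248), (259, 32767), (32770, 65535))

# Type names used only for readability (assumed, not from the article).
TYPE_NAMES = {1: "A", 28: "AAAA", 64: "SVCB", 65: "HTTPS"}


def is_unknown_type(qtype, known_resource_records=()):
    """Return True if the compliance check would flag this QTYPE as unknown.

    known_resource_records mirrors the fix's exception list: a type ID on it
    is treated as known even when it falls inside a hard-coded range.
    """
    if qtype in known_resource_records:
        return False
    return any(lo <= qtype <= hi for lo, hi in UNKNOWN_TYPE_RANGES)


def build_query(name, qtype, txid=0x1234):
    """Build a minimal DNS query (header + one question) in wire format.

    Constructed test input; in practice the packets would come from a capture.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split("."))
    qname += b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS IN


def parse_qtype(packet):
    """Extract the QTYPE of the first question from a DNS message."""
    qdcount = struct.unpack("!H", packet[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    pos = 12
    # Walk the QNAME labels; a question name carries no compression pointers.
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        pos += length
    return struct.unpack("!H", packet[pos:pos + 2])[0]


def classify(packets, action="reject", known_resource_records=()):
    """Apply the check to a batch of queries.

    Returns (qtype, verdict) tuples: the configured action for unknown types,
    'accept' otherwise.
    """
    results = []
    for pkt in packets:
        qtype = parse_qtype(pkt)
        verdict = action if is_unknown_type(qtype, known_resource_records) else "accept"
        results.append((qtype, verdict))
    return results


if __name__ == "__main__":
    # 98 and 99 sit on either side of the first range boundary.
    sample = [build_query("example.com", t) for t in (1, 28, 64, 65, 98, 99)]
    for qtype, verdict in classify(sample):
        print("default  ", qtype, TYPE_NAMES.get(qtype, "?"), verdict)
    for qtype, verdict in classify(sample, known_resource_records=(64, 65)):
        print("with fix ", qtype, TYPE_NAMES.get(qtype, "?"), verdict)
```

Running the script shows that with the default ranges the SVCB (64) and HTTPS (65) queries receive the reject verdict while A and AAAA pass, and that adding 64 and 65 to known_resource_records changes only those two verdicts; type 98 stays unknown, which matches the ranges being untouched by the exception list.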