Last Modified: Oct 04, 2024
Affected Product(s):
BIG-IP DNS, GTM
Known Affected Versions:
15.1.9, 15.1.9.1, 15.1.10, 15.1.10.2, 15.1.10.3, 15.1.10.4, 15.1.10.5, 16.1.4, 16.1.4.1, 16.1.4.2, 16.1.4.3, 16.1.5, 16.1.5.1, 17.1.0, 17.1.0.1, 17.1.0.2, 17.1.0.3, 17.1.1, 17.1.1.1, 17.1.1.2, 17.1.1.3, 17.1.1.4
Opened: Sep 17, 2024
Severity: 3-Major
Symptoms:
When answering authoritative queries, the named process (also known as 'bind') does not return the target records (for example, 'A' records) of a cross-zone CNAME between two locally served zones. For example, if BIG-IP is configured with a wideip such as www.gslb.example.org, and a DNS query is sent to it for 'A' records for www.example.org, that query falls through to, and is handled by, bind, and bind responds with a CNAME to www.gslb.example.org. The previous behaviour was that bind would also include the related 'A' records that the CNAME pointed to. When those 'A' records in the reply pass back through BIG-IP DNS, they are rewritten to match the wideip's pool state, so the result passed to the client is the same as if the wideip itself had been queried. A code fix for security improvements in bind version 9.12 and later alters this behaviour so that the 'A' records are no longer populated into the reply, which means the rewrite logic in BIG-IP does not take place, and the CNAME alone is passed back to the DNS client.
Impact:
Incomplete DNS resolution.
Conditions:
DNS query resolution of CNAME records via BIND.
Workaround:
Instead of using bind to resolve the CNAME, configure BIG-IP to do it.

Option 1: Configure the wideip with an alias that it will also respond to. This will return a response (for example, an A record) to the client, as if the client had queried the gslb record.

    tmsh modify gtm wideip a www.gslb.example.org aliases add { www.example.org }

Option 2: Create a wideip for the 'www.example.org' record which points to a CNAME pool containing the www.gslb.example.org record, and disable minimal-responses. This method is more complicated, but also more flexible; for example, it could be used as a fallback if other 'A' record pools associated with the wideip are unavailable. This method will cause BIG-IP to return both the CNAME and the A record in the DNS reply.

    tmsh create gtm wideip a www.gslb.example.org pools add { gtmpool }
    tmsh create gtm pool cname CNAME_www.example.org members add { www.gslb.example.org }
    tmsh create gtm wideip a www.example.org pools-cname add { CNAME_www.example.org } minimal-response disabled
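To confirm whether a BIG-IP exhibits the symptom above (a CNAME answer with no 'A' records for its target) and whether either workaround restores the target records, the following added check (not F5's code) classifies a dig answer section. The hostnames, the 192.0.2.10 address and the two sample answers are constructed for illustration; the check_bigip wrapper assumes dig is installed.

```shell
#!/bin/sh
# Classify an answer section in 'dig +noall +answer' format
# (<owner> <ttl> IN <type> <rdata>), read from stdin. Prints one of:
#   COMPLETE   - a CNAME is present and an A/AAAA record for its target follows
#   CNAME_ONLY - a CNAME is present but no A/AAAA for the target (the symptom)
#   NO_CNAME   - no CNAME in the answer (direct A answer, or empty answer)
classify_answer() {
    awk '
        $3 == "IN" && $4 == "CNAME"              { target[$5] = 1; seen_cname = 1 }
        $3 == "IN" && ($4 == "A" || $4 == "AAAA") { a_owner[$1] = 1 }
        END {
            if (!seen_cname) { print "NO_CNAME"; exit }
            for (t in target) if (t in a_owner) { print "COMPLETE"; exit }
            print "CNAME_ONLY"
        }'
}

# Query a BIG-IP listener directly and classify its answer section.
# Usage: check_bigip <listener-ip> <name>   (requires dig; not exercised offline)
check_bigip() {
    dig @"$1" "$2" A +noall +answer | classify_answer
}

# Constructed sample answers, not captured from a real BIG-IP:
# behaviour before bind 9.12 (CNAME plus rewritten A record) ...
SAMPLE_BEFORE='www.example.org.      30  IN  CNAME  www.gslb.example.org.
www.gslb.example.org. 30  IN  A      192.0.2.10'
# ... and the affected behaviour (CNAME alone).
SAMPLE_AFTER='www.example.org.      30  IN  CNAME  www.gslb.example.org.'

# Classify a sample answer held in a variable.
classify_sample() {
    printf '%s\n' "$1" | classify_answer
}

classify_sample "$SAMPLE_BEFORE"   # COMPLETE
classify_sample "$SAMPLE_AFTER"    # CNAME_ONLY
```

After applying Option 1, the answer should classify as NO_CNAME (a direct A answer); after Option 2, as COMPLETE.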
Fix Information:
None