Last Modified: Jul 23, 2025
Affected Product(s):
BIG-IP DNS
Known Affected Versions:
16.1.0, 16.1.1, 16.1.2, 16.1.2.1, 16.1.2.2, 16.1.3, 16.1.3.1, 16.1.3.2, 16.1.3.3, 16.1.3.4, 16.1.3.5, 16.1.4, 16.1.4.1, 16.1.4.2, 16.1.4.3, 16.1.5, 16.1.5.1, 16.1.5.2, 16.1.6, 17.0.0, 17.0.0.1, 17.0.0.2, 17.1.0, 17.1.0.1, 17.1.0.2, 17.1.0.3, 17.1.1, 17.1.1.1, 17.1.1.2, 17.1.1.3, 17.1.1.4, 17.1.2, 17.1.2.1, 17.1.2.2, 17.5.0, 17.5.1
Opened: Feb 22, 2025 Severity: 3-Major
When a DNS profile is configured with both Secondary DNS64 (with a prefix) and a resolver cache, any response from an authoritative server to a AAAA query with RCODEs such as SERVFAIL or SERVFAIL(Timeout due to no response from external resolver), FORMERR, NOTIMP, REFUSED, YXRRSET, NXRRSET, YXDOMAIN , NOTAUTH, or NOTZONE will be cached as SERVFAIL and sent directly to the client.
SERVFAIL response is directly send back to the client
- DNS64 enabled in the DNS profile - DNS resolver cache configured
None
None