Last Modified: Sep 04, 2024
Affected Product(s):
BIG-IP DNS, GTM, LTM
Known Affected Versions:
11.4.0, 11.4.1, 11.5.0, 11.5.1, 11.5.1 HF1, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.1 HF10, 11.5.1 HF11, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.5.10, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 12.1.5.2, 12.1.5.3, 12.1.6, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 13.1.3.4, 13.1.3.5, 13.1.3.6, 13.1.4, 13.1.4.1
Fixed In:
16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.5, 11.6.5.3
Opened: Feb 09, 2017 Severity: 3-Major Related Article:
K23022557
Query of "MX" or "any" RR type to a CNAME wide IP results in a NXDOMAIN reply
Depending on the configuration of the BIG-IP DNS device and the back-end DNS server, an 'NXDOMAIN' response may be sent to the requesting client even though a wide IP partially matches the query (the name matches, but with a different RR type).

The DNS "NXDOMAIN" response code (rcode) indicates that the DNS server holds no records of any type for the queried name. For example, a query for type 'A' records for www.example.com will return NXDOMAIN if the back-end DNS server is authoritative for example.com and there are no RRs of any type for www.example.com. By contrast, the DNS "NODATA" response (indicated by an rcode of 'NOERROR' and zero ANSWER records) indicates that the DNS server holds some data for that name, but not of the type requested (for example, an 'A' record exists, but the query was for 'TXT').

Caching resolvers remember an NXDOMAIN for all record types of the queried name. For example, if a query for type 'A' returns NXDOMAIN from the back-end DNS server, DNS Express will return NXDOMAIN not only for further type 'A' queries, but also for any other resource record type, such as 'AAAA', 'MX', or 'TXT'.

When BIG-IP DNS is configured with a wide IP of a different type than was queried, but the back-end DNS server holds no records for the name, the back-end DNS server will correctly respond with NXDOMAIN, and the BIG-IP will pass that response to the client despite the wide IP of a different type existing in the configuration. This NXDOMAIN response may then be cached further upstream, causing queries for all record types for that name to return NXDOMAIN; for the negative-cache duration, future queries for the wide IP are answered by the cache and never reach the BIG-IP DNS listener.
A 'CNAME' wide IP and a DNS Express zone for the parent zone; for example, a CNAME wide IP for "www.siterequest.com" and a DNS Express zone for "siterequest.com".
In versions of BIG-IP software that do not have a fix for the issue, the BIG-IP device can be configured to prevent an NXDOMAIN response being sent to the client.

Option 1: Create a dummy "www.siterequest.com" TXT record in ZoneRunner with the same name. This causes the query to be answered by ZoneRunner (BIND).

Option 2: Create an LTM virtual server iRule that conditionally alters the rcode to 'NOERROR':

    when DNS_RESPONSE {
        if { [DNS::question name] eq "www.siterequest.com" } {
            if { [DNS::header rcode] eq "NXDOMAIN" } {
                # Turn the negative answer into NODATA: NOERROR with an empty authority section
                DNS::header rcode NOERROR
                DNS::authority clear
                return
            }
        }
    }
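To make the NXDOMAIN/NODATA distinction described above concrete, and to show what the Option 2 iRule actually does to the reply, the following added example (written for this article; it is not F5 code and does not run on a BIG-IP) builds a DNS reply in wire format, classifies it as NXDOMAIN, NODATA or a real answer, and applies the iRule's logic in Python: when the question name is a configured wide IP and the rcode is NXDOMAIN, the rcode is set to NOERROR and the authority section is dropped, which yields a NODATA reply that upstream resolvers will not negatively cache for every record type. The names, the SOA values and the reply bytes are constructed for the example; `www.siterequest.com` is the CNAME wide IP from the conditions above.

```python
import struct

# RR type codes used by the constructed messages (values from RFC 1035 / RFC 3596).
QTYPE = {"A": 1, "CNAME": 5, "SOA": 6, "MX": 15, "TXT": 16, "AAAA": 28, "ANY": 255}
RCODE_NOERROR = 0
RCODE_NXDOMAIN = 3


def encode_name(name):
    """Encode a dotted name in uncompressed DNS label format."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(msg, off):
    """Decode the name at offset off, following RFC 1035 compression pointers."""
    labels = []
    while True:
        length = msg[off]
        if length == 0:
            break
        if length & 0xC0 == 0xC0:                      # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            labels.append(decode_name(msg, ptr))
            break
        off += 1
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels)


def skip_name(msg, off):
    """Return the offset just past the name at off (label sequence or pointer)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def build_response(qname, qtype, rcode, answers=(), authority=()):
    """Construct a DNS reply (QR=1, RD=1, RA=1) with the given rcode.
    answers/authority are lists of (owner, type, ttl, rdata) tuples."""
    def rrs(records):
        return b"".join(encode_name(n) + struct.pack("!HHIH", t, 1, ttl, len(rd)) + rd
                        for n, t, ttl, rd in records)
    header = struct.pack("!HHHHHH", 0x1234, 0x8180 | rcode, 1, len(answers), len(authority), 0)
    question = encode_name(qname) + struct.pack("!HH", QTYPE[qtype], 1)
    return header + question + rrs(answers) + rrs(authority)


def soa_rdata(mname, rname):
    """Minimal SOA RDATA (constructed values) so the negative reply carries a zone SOA."""
    return encode_name(mname) + encode_name(rname) + struct.pack("!IIIII", 1, 3600, 900, 604800, 300)


def classify(msg):
    """Distinguish NXDOMAIN (rcode 3) from NODATA (rcode 0, zero answers) and a real answer."""
    flags, _qdcount, ancount = struct.unpack("!HHH", msg[2:8])
    rcode = flags & 0xF
    if rcode == RCODE_NXDOMAIN:
        return "NXDOMAIN"
    if rcode == RCODE_NOERROR:
        return "NODATA" if ancount == 0 else "ANSWER"
    return "RCODE%d" % rcode


def section_offsets(msg):
    """Return (end of question section, [answer spans, authority spans, additional spans])."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4                  # skip QTYPE + QCLASS
    q_end = off
    sections = []
    for count in (an, ns, ar):
        spans = []
        for _ in range(count):
            start = off
            off = skip_name(msg, off)
            rdlen = struct.unpack("!H", msg[off + 8:off + 10])[0]   # after TYPE, CLASS, TTL
            off += 10 + rdlen
            spans.append((start, off))
        sections.append(spans)
    return q_end, sections


def override_nxdomain(msg, wide_ips):
    """Same rule as the iRule: if the question name is a configured wide IP and the reply is
    NXDOMAIN, rewrite it to NODATA (rcode NOERROR, authority section removed).
    Caveat: additional-section records holding compression pointers into the dropped
    authority bytes would be corrupted; the constructed messages here carry none."""
    flags = struct.unpack("!H", msg[2:4])[0]
    if flags & 0xF != RCODE_NXDOMAIN:
        return msg
    if decode_name(msg, 12).lower() not in {w.lower().rstrip(".") for w in wide_ips}:
        return msg
    q_end, (answers, _authority, additional) = section_offsets(msg)
    qdcount = struct.unpack("!H", msg[4:6])[0]
    header = msg[:2] + struct.pack("!HHHHH", flags & ~0xF, qdcount, len(answers), 0, len(additional))
    kept = b"".join(msg[s:e] for s, e in answers + additional)
    return header + msg[12:q_end] + kept


# Constructed reply: the back-end server is authoritative for siterequest.com and holds no
# records for www.siterequest.com, so an MX query is answered NXDOMAIN with the zone SOA.
NX_REPLY = build_response("www.siterequest.com", "MX", RCODE_NXDOMAIN,
                          authority=[("siterequest.com", QTYPE["SOA"], 300,
                                      soa_rdata("ns1.siterequest.com", "hostmaster.siterequest.com"))])
CONFIGURED_WIDE_IPS = ["www.siterequest.com"]      # the CNAME wide IP from the conditions above

if __name__ == "__main__":
    print(classify(NX_REPLY))                                          # NXDOMAIN
    print(classify(override_nxdomain(NX_REPLY, CONFIGURED_WIDE_IPS)))  # NODATA
```

The rewritten reply keeps the question and any answer or additional records, sets NSCOUNT to zero, and clears the rcode bits, so a resolver sees "NOERROR, no answers" rather than "name does not exist", and a later query for the CNAME type is still forwarded to the BIG-IP DNS listener. Names that are not configured wide IPs, and replies that are not NXDOMAIN, pass through untouched, matching the two nested conditions in the iRule.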
In 16.1.0 and later, a 'gtm global-settings general allow-nxdomain-override' configuration setting has been added that allows the BIG-IP DNS system to be configured to respond with a NOERROR response. In versions below 16.1.0 where this issue is fixed, a new DB key, 'gtm.allownxdomainoverride', enables this behaviour. Note that this feature is not available for wildcard wide IPs. If DNS requests handled by wildcard wide IPs need to return a NOERROR response, an iRule must be used to change the result code.