Bug ID 672491: net resolver uses internal IP as source if matching wildcard forwarding virtual server

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP TMOS(all modules)

Known Affected Versions:
11.5.4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.5.10, 11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2, 12.1.0, 12.1.1, 12.1.2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1

Fixed In:
14.0.0, 13.1.3.2, 12.1.3.6, 11.6.5.3

Opened: Jul 05, 2017

Severity: 3-Major

Related Article: K10990182

Symptoms

If a net resolver is created and contains a forwarding zone that matches an existing wildcard forwarding virtual server, an incorrect internal IP address will be used as the source. Upon listener lookup for the net resolver, the wildcard virtual server will be matched to the forwarding zone resulting in a loopback IP address being used as the source IP address.

Impact

Failed DNS queries as a result of incorrect source IP address.

Conditions

When creating an AFM policy that restricts FQDNs, a net resolver is needed to resolve the FQDNs. If the forwarding zone of this net resolver matches a wildcard server, DNS queries from the net resolver will use a loopback IP address as the source IP address.

Workaround

None.

Fix Information

This issue was resolved by ensuring listener lookup only matches the exact IP addresses, no-wildcards.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips