Bug ID 931149: Some RESOLV::lookup queries, including PTR lookups for RFC1918 addresses, return empty strings

Last Modified: Dec 18, 2024

Affected Product(s):
BIG-IP DNS, GTM, LTM(all modules)

Known Affected Versions:
15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 15.1.8.1, 15.1.8.2, 15.1.9, 15.1.9.1, 15.1.10, 15.1.10.2, 15.1.10.3, 15.1.10.4, 15.1.10.5, 15.1.10.6, 16.0.0, 16.0.0.1, 16.0.1, 16.0.1.1, 16.0.1.2, 16.1.0, 16.1.1, 16.1.2, 16.1.2.1, 16.1.2.2, 16.1.3, 16.1.3.1, 16.1.3.2, 16.1.3.3, 16.1.3.4, 16.1.3.5, 16.1.4, 16.1.4.1, 16.1.4.2, 16.1.4.3, 16.1.5, 16.1.5.1, 17.0.0, 17.0.0.1, 17.0.0.2

Opened: Jul 27, 2020

Severity: 2-Critical

Symptoms

RESOLV::lookup returns an empty string.

Impact

RESOLV::lookup fails.

Conditions

The name being looked up falls into one of these categories: -- Forward DNS lookups in these zones: - localhost - onion - test - invalid -- Reverse DNS lookups for: - 127.0.0.0/8 - ::1 - 10.0.0.0/8 - 172.16.0.0/12 - 192.168.0.0/16 - 0.0.0.0/8 - 169.254.0.0/16 - 192.0.2.0/24 - 198.51.100.0/24 - 203.0.113.0/24 - 255.255.255.255/32 - 100.64.0.0/10 - fd00::/8 - fe80::/10 - 2001:db8::/32 - ::/64

Workaround

Use a DNS Resolver ('net dns') and RESOLVER::name_lookup / DNSMSG:: instead of RESOLV::lookup: 1. Configure a local 'net dns' resolver, replacing '192.88.99.1' with the IP address of your DNS resolver: tmsh create net dns-resolver resolver-for-irules answer-default-zones no forward-zones add { . { nameservers add { 192.0.2.1:53 } } } 2. Use an iRule procedure similar to this to perform PTR lookups for IPv4 addresses: proc resolv_ptr_v4 { addr_v4 } { # Convert $addr_v4 into its constituent bytes set ret [scan $addr_v4 {%d.%d.%d.%d} a b c d] if { $ret != 4 } { return } # Perform a PTR lookup on the IP address $addr_v4, and return the first answer set ret [RESOLVER::name_lookup "/Common/resolver-for-irules" "$d.$c.$b.$a.in-addr.arpa" PTR] set ret [lindex [DNSMSG::section $ret answer] 0] if { $ret eq "" } { # log local0.warn "DNS PTR lookup for $addr_v4 failed." return } # Last element in '1.1.1.10.in-addr.arpa. 600 IN PTR otters.example.com' return [lindex $ret end] } -- In an iRule, instead of: RESOLV::lookup @192.0.2.1 $ipv4_addr Use: call resolv_ptr_v4 $ipv4_addr

Fix Information

None

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips