Last Modified: May 29, 2024
Affected Product(s):
BIG-IP DNS, LTM, SSLO, SWG
Known Affected Versions:
16.0.0, 15.1.0.5, 14.1.2.7
Fixed In:
16.1.0, 16.0.1.1, 15.1.3, 14.1.4, 13.1.3.5, 12.1.6, 11.6.5.3
Opened: Oct 29, 2020 Severity: 2-Critical
Configurations that use a 'DNS Cache' or 'Network DNS Resolver' are affected by an issue whereby the system may initially fail to resolve some DNS queries. Subsequent queries for the same domain name, however, work as expected. Only some domain names are affected.
Initial DNS resolution of some domain names fails. Regardless of whether this happens via a DNS cache or Network DNS Resolver, the failure is returned to the client. In the case of a DNS Cache, the client may just be returned with no record. In the case of a Network DNS Resolver, the failure will depend on the feature using the resolver. For instance, SWG, SSL Orchestrator, or the HTTP Explicit Forward Proxy, in general, are examples of features that rely on a Network DNS Resolver. In this case, the client's browser will fail to connect to the requested destination, and the client will be shown a proxy error.
- The BIG-IP system is configured with either a DNS Cache or Network DNS Resolver. - The cache is still empty in regard to the domain name being resolved (for example, TMM has just started). - The cache configuration specifies 'Use IPv6' (the default) but the system has no IPv6 default route.
Disable 'Use IPv6' in the affected DNS Cache or Network DNS Resolver. 1a. Go to DNS :: Caches :: Cache list. OR 1b. Go to Network :: DNS Resolvers :: DNS Resolver list. 2. Select the item you want to update in the list. 3. Uncheck 'Use IPv6' 4, Select Update. You can keep the object in this state (with no consequences) until you define an IPv6 default route on the system, and you wish for the system to also use IPv6 to connect to Internet name-servers.
DNS resolution works as expected, with domains resolving the first time they are queried.