Bug ID 1025497: BIG-IP may accept and forward invalid DNS responses

Last Modified: May 29, 2024

Affected Product(s):
BIG-IP TMOS (all modules)

Known Affected Versions:
15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 15.1.8.1, 15.1.8.2

Fixed In:
17.1.0, 16.1.4, 15.1.9

Opened: Jun 15, 2021

Severity: 4-Minor

Symptoms

BIG-IP may forward invalid DNS responses to a client if the DNS server provides an invalid response.

Impact

Invalid DNS responses are forwarded to the client.

Conditions

BIG-IP is configured as a proxy for a misbehaving backend DNS server.

Workaround

None

Fix Information

The 'dns.responsematching' DB variable has been created to prevent forwarding invalid responses. When the DB variable 'dns.responsematching' is set to enable, DNS responses will be matched by transaction ID, query name, and the client's and server's IP addresses and port numbers.

Behavior Change

The 'dns.responsematching' DB variable has been created to prevent forwarding invalid responses. When the DB variable 'dns.responsematching' is set to enable, DNS responses will be matched by transaction ID, query name, and the client's and server's IP addresses and port numbers.
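As an added illustration (not F5's code) of the matching that the Fix Information and Behavior Change sections describe 'dns.responsematching' performing: a minimal proxy-side check that records each forwarded query's transaction ID, question name and client/server address tuple, and relays a response only when it matches an outstanding query. The class and function names, and the sample DNS messages, are constructed here for the example.

```python
import struct

def encode_name(name):
    """Encode 'example.com' as DNS wire-format labels."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"

def build_message(txid, name, response=False):
    """Constructed sample DNS message: header plus one A/IN question, no answer records."""
    flags = 0x8180 if response else 0x0100
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)

def decode_name(packet, offset):
    """Decode the question name; compression pointers are not valid in a question name."""
    labels = []
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            return ".".join(labels).lower(), offset
        if length & 0xC0:
            raise ValueError("compression pointer in question section")
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length

def message_key(packet, client, server):
    """(txid, qname, client, server): the fields the page says responses are matched on.
    client and server are (ip, port) tuples seen by the proxy."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    txid, _flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, _ = decode_name(packet, 12)
    return (txid, qname, client, server)

class ResponseMatcher:
    """Tracks forwarded queries so a response is relayed only if it matches one of them."""
    def __init__(self):
        self.pending = set()

    def forward_query(self, packet, client, server):
        self.pending.add(message_key(packet, client, server))

    def accept_response(self, packet, client, server):
        try:
            key = message_key(packet, client, server)
        except (ValueError, IndexError, UnicodeDecodeError):
            return False            # malformed response: drop rather than forward
        if key in self.pending:
            self.pending.discard(key)   # one response per outstanding query
            return True
        return False                # txid, name or address tuple did not match
```

Responses with a mismatched transaction ID, question name, or peer address tuple, as well as malformed or duplicate responses, are rejected by `accept_response`.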

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips