Bug ID 1070737: AFM does not detect NXDOMAIN attack at virtual context when DNS cache is activated.

Last Modified: Apr 24, 2024

Affected Product(s):
BIG-IP AFM (all modules)

Known Affected Versions:
15.1.4, 15.1.5, 15.1.6, 15.1.7, 15.1.8, 15.1.9, 15.1.10, 16.1.2, 16.1.3, 16.1.4

Fixed In:

Opened: Dec 29, 2021

Severity: 3-Major


Symptoms

When a DNS cache is enabled, the NXDOMAIN DoS vector counter does not increment in the virtual server context. As a result, an NXDOMAIN flood attack is never detected or mitigated at the virtual server context. Other DNS vectors, such as the DNS A query flood vector, are not affected; only the NXDOMAIN vector is.


Impact

An NXDOMAIN flood attack is never detected or mitigated at the virtual server context, so the attack reaches the DNS listener and its back end unthrottled unless another context (for example, the device context) catches it.


Conditions

This issue occurs only when a DNS cache is enabled on the listener, and only for the NXDOMAIN DoS vector.
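Added example, not part of the F5 bug record and not F5's code: a small Python model of what the NXDOMAIN vector is expected to do, namely count RCODE 3 (NXDOMAIN) responses per context against a per-second threshold, driven by constructed DNS wire-format queries and replies, plus a UDP probe for checking a live listener. The context names, the threshold, and the dns_cache_enabled switch (which simply reproduces the reported symptom, the virtual server counter not incrementing) are assumptions for illustration; the page does not describe AFM's actual detection rates or internals.

```python
"""Model of the NXDOMAIN DoS vector as a per-context counter.

Added example, not F5 code. Thresholds, context names, and the
dns_cache_enabled switch are hypothetical and only model the reported symptom.
"""
import random
import socket
import string
import struct
from collections import defaultdict

RCODE_NXDOMAIN = 3


def build_query(qname: str, qid: int, qtype: int = 1) -> bytes:
    """Build a minimal DNS/UDP query: RD set, one question, class IN."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + question + struct.pack("!HH", qtype, 1)


def response_rcode(msg: bytes) -> int:
    """Return the RCODE (low 4 bits of the flags word) of a DNS response."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    flags = struct.unpack("!H", msg[2:4])[0]
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    return flags & 0x000F


def nxdomain_response(query: bytes) -> bytes:
    """Constructed NXDOMAIN reply: same ID and question, QR|RD|RA set, RCODE 3."""
    qid, _flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", query[:12])
    return struct.pack("!HHHHHH", qid, 0x8183, qd, 0, 0, 0) + query[12:]


class NxdomainVector:
    """Per-context NXDOMAIN counter in one-second buckets with a detection threshold."""

    def __init__(self, threshold_per_sec: int):
        self.threshold = threshold_per_sec
        self.counts = defaultdict(lambda: defaultdict(int))  # context -> second -> count

    def observe(self, context: str, rcode: int, ts: float) -> None:
        if rcode == RCODE_NXDOMAIN:
            self.counts[context][int(ts)] += 1

    def rate(self, context: str, ts: float) -> int:
        return self.counts[context][int(ts)]

    def attack_detected(self, context: str, ts: float) -> bool:
        return self.rate(context, ts) >= self.threshold


def random_qname(zone: str, length: int = 10) -> str:
    """Random non-existent label under zone, the usual shape of NXDOMAIN flood traffic."""
    return "".join(random.choices(string.ascii_lowercase, k=length)) + "." + zone


def simulate_flood(n: int, threshold: int, dns_cache_enabled: bool) -> dict:
    """Feed n constructed NXDOMAIN responses through the counters and report detection."""
    vec = NxdomainVector(threshold)
    ts = 1000.0
    for i in range(n):
        q = build_query(random_qname("example.com"), qid=i & 0xFFFF)
        rcode = response_rcode(nxdomain_response(q))
        vec.observe("device", rcode, ts)
        # Reported symptom: with a DNS cache enabled the virtual server context's
        # counter never increments. This is a model of the symptom, not of TMM.
        if not dns_cache_enabled:
            vec.observe("vs_dns_listener", rcode, ts)
    return {ctx: vec.attack_detected(ctx, ts) for ctx in ("device", "vs_dns_listener")}


def send_probe(qname: str, dst: str, port: int = 53, timeout: float = 2.0) -> int:
    """Send one query over UDP to a live listener and return the RCODE it answers with."""
    qid = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname, qid), (dst, port))
        data, _ = s.recvfrom(512)
    if struct.unpack("!H", data[:2])[0] != qid:
        raise ValueError("transaction ID mismatch")
    return response_rcode(data)


if __name__ == "__main__":
    print("cache off:", simulate_flood(100, 50, dns_cache_enabled=False))
    print("cache on: ", simulate_flood(100, 50, dns_cache_enabled=True))
```

To check a real unit, send a burst of queries for random labels under a zone the listener resolves (send_probe, or any DNS load tool) and compare the NXDOMAIN vector statistics for the virtual server context with and without a DNS cache attached to the listener; with the cache enabled the virtual server counter stays flat while the replies are still RCODE 3.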



Fix Information

When a DNS cache is enabled, the resolver (Unbound) performs the DNS query, and the query is sourced from the BIG-IP self IP on the server side rather than from the listener. In the NXDOMAIN case, DoS processing on the connflow is also performed at client-side egress when a DNS cache is enabled, so the NXDOMAIN responses are not counted against the listener's virtual server context.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips