Last Modified: Dec 07, 2023
Known Affected Versions:
15.1.0, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 15.1.1, 15.1.2, 18.104.22.168, 15.1.3, 22.214.171.124, 15.1.4, 126.96.36.199, 15.1.5, 188.8.131.52, 15.1.6, 16.1.0, 16.1.1, 16.1.2, 184.108.40.206, 220.127.116.11
17.0.0, 16.1.3, 18.104.22.168
Opened: Mar 01, 2022 Severity: 3-Major
Each time the iRule command RESOLV::lookup is invoked with a different target IP address or internal virtual server, a unique resolver context is created. However, for performance and memory preservation reasons, all ephemeral resolvers are backed by the same set of DNS caches. This means that repeated identical queries to different ephemeral resolvers will always return the answer from the cache that was retrieved by the first ephemeral resolver (until the TTL of the record expires). While this is fine in the traditional use of DNS, this may be problematic in certain specific use-cases. For example, this does not allow for per-user DNS servers to return different results for the same query. This technique could be used by an iRule to retrieve user-specific information to then spin up user-unique virtual environments.
Inability to support specific use-cases in a BIG-IP iRule.
Sending repeated queries for the same FQDN to different ephemeral resolvers (before the TTL expires) and expecting different results back.
Versions with the fix include a new DB key called dnscache.ephemeralsnocache, which defaults to "disable". When set to "disable", the system behaves exactly as in previous releases. When set to "enable", ephemeral resolvers spawned in an iRule by the RESOLV::lookup command no longer cache anything, thus allowing for use-cases similar to the example mentioned under Symptoms.