Bug ID 438577: BD crashes due to non-responsive DNS

Last Modified: Oct 06, 2020

Affected Product:
BIG-IP ASM (all modules)

Known Affected Versions:
11.4.0, 11.4.1

Fixed In:
11.5.0, 11.4.0 HF6

Opened: Nov 21, 2013
Severity: 2-Critical
Related AskF5 Article:
K04044741

Symptoms

The site goes down when the customer's DNS server fails to respond or responds slowly.

Impact

The site goes down when the customer's DNS server fails to respond or responds slowly.

Conditions

DNS server fails to respond or responds slowly.

Workaround

This issue has no workaround at this time.

Fix Information

In order to better protect web applications, and to help prevent the Enforcer from crashing when the DNS server is not available, we made the following changes:

- We changed the default of the DNS resolver retries internal parameter (bots_gethost_retry) from 5 to 2.
- We added a new internal parameter: trust_search_engine_user_agent. The default is 0. If you turn this on (change it to 1), the user agent is trusted when the DNS server does not function or stops functioning. In this case, requests identifying themselves as search engine bots receive no client-side challenge and no web scraping mitigation. In addition, the Enforcer will not crash if the DNS server is not responsive.

Behavior Change