Last Modified: Jul 12, 2023
Affected Product(s):
BIG-IP ASM
Known Affected Versions:
11.4.0, 11.4.1
Fixed In:
11.5.0, 11.4.0 HF6
Opened: Nov 21, 2013
Severity: 2-Critical
Related Article:
K04044741
The site goes down in cases where the customer DNS server fails to respond or responds slowly.
DNS server fails to respond or responds slowly.
This issue has no workaround at this time.
To better protect web applications, and to help prevent the Enforcer from crashing when the DNS server is not available, we made the following changes:
- We changed the default of the DNS resolver retries internal parameter (bots_gethost_retry) from 5 to 2.
- We added a new internal parameter: trust_search_engine_user_agent. The default is 0. If you turn this on (change it to 1), the user agent is trusted when the DNS server does not function or stops functioning. In this case, requests identifying themselves as search engine bots receive no client-side challenge and no web scraping mitigation. In addition, the Enforcer will not crash if the DNS server is not responsive.
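The trade-off between the two parameters can be seen in a simplified model of the decision, added here as an illustration; it is not F5 code and not the Enforcer's implementation. Only the two parameter names and their defaults come from this article. The function names, the reverse-DNS suffix, the sample addresses, the reading of bots_gethost_retry as a total attempt count, and the behaviour with the flag left at 0 are assumptions.

```python
# Simplified model only; not F5 code. Parameter names and defaults are from the
# article, everything else (names, suffix, sample data) is assumed.
from dataclasses import dataclass


class DnsTimeout(Exception):
    """Raised by a resolver that got no answer in time."""


@dataclass
class Settings:
    bots_gethost_retry: int = 2              # default after the fix (was 5)
    trust_search_engine_user_agent: int = 0  # default after the fix


# Constructed sample: suffix a verified crawler's reverse-DNS name ends with.
CRAWLER_SUFFIXES = (".crawler.example",)


def classify(client_ip, user_agent, resolve_ptr, cfg):
    """Return (decision, lookups_made) for one request."""
    if "bot" not in user_agent.lower():
        return "enforce", 0                  # does not claim to be a search engine
    attempts = 0
    for _ in range(cfg.bots_gethost_retry):  # assumed: value = total attempts
        attempts += 1
        try:
            host = resolve_ptr(client_ip)
        except DnsTimeout:
            continue                         # bounded retry, then give up
        verified = host.endswith(CRAWLER_SUFFIXES)
        return ("allow_verified" if verified else "enforce"), attempts
    # Resolver never answered: the flag picks fail-open or fail-closed.
    if cfg.trust_search_engine_user_agent == 1:
        return "allow_unverified", attempts  # no challenge, no scraping mitigation
    return "enforce", attempts               # assumed behaviour with the flag at 0


def dead_resolver(ip):
    """Constructed stand-in for a DNS server that never responds."""
    raise DnsTimeout(ip)


def healthy_resolver(ip):
    """Constructed stand-in for a working resolver with one known crawler."""
    return {"192.0.2.10": "crawl-10.crawler.example"}.get(ip, "host.unknown.example")
```

With the flag set to 1 and the resolver down, the model returns allow_unverified for any request whose user agent claims to be a bot, which is the loss of client-side challenge and web scraping mitigation described above.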