Last Modified: May 29, 2024
Affected Product(s):
BIG-IP LTM
Known Affected Versions:
11.1.0, 11.2.0, 11.2.1, 11.3.0, 11.4.0, 11.4.1
Fixed In:
11.4.1 HF10
Opened: Nov 05, 2015 Severity: 3-Major
DNS messages over TCP passing through a DNS virtual may be marked as corrupt due to a message length miscalculation.
Conditions:
A virtual must have a DNS profile assigned, a DNS message must be exactly two bytes longer than a multiple of the TCP segment size, and the TCP stack on the DNS client or resolver must bundle the first two bytes (the TCP message length prefix) with the message in the first TCP segment.
Workaround:
Use UDP with EDNS instead of TCP if possible. Alternatively, adjust the TCP MSS setting by a few bytes for the DNS virtual.
Fix Information:
The DNS message length is now correctly calculated.
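To make the triggering condition concrete, the following added Python example (not F5 code) frames DNS messages for TCP as RFC 1035 section 4.2.2 requires, cuts the byte stream at a constructed MSS so that the two-byte length prefix travels in the first segment, and reassembles it correctly even when the message is exactly MSS + 2 bytes long and the final segment carries only four bytes. The message contents, IDs and MSS values are constructed for the demonstration.

```python
import struct

DNS_HEADER_LEN = 12  # id, flags, qdcount, ancount, nscount, arcount

def build_message(total_len: int, msg_id: int) -> bytes:
    """Constructed test message: a real 12-byte DNS header followed by
    opaque filler standing in for the question and answer sections."""
    if total_len < DNS_HEADER_LEN:
        raise ValueError("DNS message cannot be shorter than its header")
    header = struct.pack("!HHHHHH", msg_id, 0x8180, 1, 1, 0, 0)
    return header + b"\x00" * (total_len - DNS_HEADER_LEN)

def frame(message: bytes) -> bytes:
    """RFC 1035 section 4.2.2 TCP framing: two-byte big-endian length prefix."""
    if len(message) > 0xFFFF:
        raise ValueError("DNS message too long for the TCP length prefix")
    return struct.pack("!H", len(message)) + message

def split_segments(stream: bytes, mss: int) -> list:
    """Cut the byte stream at MSS boundaries. The sending stack bundles the
    length prefix with the message, so prefix and message share a segment."""
    return [stream[i:i + mss] for i in range(0, len(stream), mss)]

class DnsTcpReassembler:
    """Buffers segments and emits complete messages. The prefix (2 bytes) and
    the message (msg_len bytes) are counted separately, so a frame whose
    tail is only a few bytes is still completed, not flagged as corrupt."""

    def __init__(self):
        self._buf = bytearray()
        self.messages = []

    def feed(self, segment: bytes) -> None:
        self._buf.extend(segment)
        while len(self._buf) >= 2:  # need the full prefix before deciding
            (msg_len,) = struct.unpack("!H", self._buf[:2])
            if len(self._buf) < 2 + msg_len:
                return  # message still in flight; wait for the next segment
            self.messages.append(bytes(self._buf[2:2 + msg_len]))
            del self._buf[:2 + msg_len]

    def pending(self) -> int:
        return len(self._buf)  # bytes buffered, not yet a complete message

def reassemble(messages: list, mss: int) -> tuple:
    """Frame, segment at MSS and reassemble; returns (messages, pending)."""
    r = DnsTcpReassembler()
    for seg in split_segments(b"".join(frame(m) for m in messages), mss):
        r.feed(seg)
    return r.messages, r.pending()
```

Adjusting the MSS argument by a few bytes, as the workaround suggests, moves the segment boundary so that the last segment no longer contains just the four trailing bytes.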