Last Modified: Dec 15, 2020
See more info
Known Affected Versions:
11.5.0, 11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.10, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 12.0.0, 12.0.0 HF1, 12.0.0 HF2
12.1.0, 12.0.0 HF3, 11.6.1, 11.5.4 HF2
Opened: Nov 06, 2015
Related AskF5 Article: K80741043
A DNS message may become malformed when its Additional records section contains an OPT record followed by multiple other DNS records. As a result of this issue, you may encounter the following symptom: The BIG-IP system receives properly formed DNS packets but after processing them sends them as malformed DNS packets.
This issue impacts all DNS messages that contain an OPT record followed by more than one record. The DNS handling code expects a message containing an OPT record to have 0 or 1 TSIG record following the OPT record in the additional record section of a message. The RFCs permit the OPT record to be placed anywhere in the additional record section of a DNS message, with the exception of a TSIG record. If a TSIG record is present, it must always be last. If no TSIG record is present, then an OPT record can be last. The RFCs do not restrict a query from containing records in the additional record section of the message. When a DNS query or response is passed through the TMM DNS message handler, and that message contains an OPT record followed by more than one record, and those records that follow the OPT record contain compression pointers to other records that also follow the OPT record, then the message becomes mangled.
This issue occurs when all of the following conditions are met: -- Your BIG-IP configuration contains a virtual server with an associated DNS profile. -- The BIG-IP system receives a DNS message that contains an OPT record. -- The DNS message's Additional records section contains multiple other DNS records.
Disable DNS compression on the resolver, or configure the resolver to place OPT records at the end of the additional section (except TSIG records which must always be last).
DNS messages which contain a record other than TSIG following an OPT record in the additional record section will be transformed in the message handler and the message inspection will be restarted. The transformation involves safely moving the OPT record to be last or second-to-last (in the presence of a TSIG record) position of the additional record section. 'Safely' means updating the relevant compression pointers. The subsequent code paths which depend on the OPT record's position now work as expected.