Bug ID 621239: Certain DNS queries bypass DNS Cache RPZ filter.

Last Modified: Apr 10, 2019

Bug Tracker

Affected Product:  See more info
BIG-IP DNS, LTM(all modules)

Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2

Fixed In:
13.0.0, 12.1.2 HF1, 11.6.1 HF2

Opened: Oct 07, 2016
Severity: 3-Major

Symptoms

A DNS query with the DO-bit set to 1 will bypass the RPZ filter on a DNS Cache.

Impact

Queries with DO-bit set to 1 will bypass the RPZ filter and be answered normally.

Conditions

A DNS Cache configured with RPZ.

Workaround

None

Fix Information

The DO-bit is now ignored with respect to RPZ filtering.

Behavior Change