Bug ID 629443: DNS queries meant for local DNS servers are redirected to corporate DNS servers in case of split tunnel

Last Modified: Mar 21, 2019

Bug Tracker

Affected Product: BIG-IP APM (all modules)

Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4

Fixed In:
13.0.0

Opened: Nov 18, 2016
Severity: 3-Major
Related AskF5 Article:
K03751651

Symptoms

DNS queries meant for local DNS servers are redirected to corporate DNS servers when a split tunnel is in use. This is typically not a problem, because the DNS servers configured in the APM Network Access resource can usually resolve all of the queries. However, some queries might fail to resolve if the local DNS servers are configured with local entries that the corporate DNS servers do not know about.

Impact

Some DNS resolutions might fail.

Conditions

-- A DNS server and split tunneling are configured in the Network Access configuration on APM.
-- The tunnel is established.
-- 'Allow Local DNS servers' is enabled.

Workaround

None.

Fix Information

Local DNS queries now resolve using the local DNS servers when a split tunnel is established and 'Allow Local DNS servers' is enabled.

Behavior Change

When 'Allow Local DNS servers' is configured, the system now appends the local DNS servers to /etc/resolv.conf after the corporate DNS servers, so that local DNS resolution can succeed when resolution fails with the corporate DNS servers. In previous releases, the system ignored local DNS servers and passed all DNS resolution to corporate DNS servers. On Linux distributions (e.g., Ubuntu) where resolvconf manages /etc/resolv.conf and dnsmasq is enabled, the behavior has not changed: the system appends 127.0.1.1 after the DNS servers configured on the BIG-IP system regardless of the 'Allow Local DNS servers' setting.
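The nameserver ordering described above, as an added Python example that is not F5's code: a small model of the three /etc/resolv.conf behaviours this record describes (affected releases, the fix, and the resolvconf/dnsmasq case), plus a check that parses a client's resolv.conf and reports whether the local DNS servers follow the corporate ones. The server addresses, function names and sample resolv.conf content are constructed for illustration.

```python
"""Model of the resolv.conf ordering described in Bug ID 629443 (illustrative, not F5 code)."""

DNSMASQ_STUB = "127.0.1.1"  # stub resolver address used by resolvconf + dnsmasq setups


def build_nameservers(corporate, local, allow_local_dns, fixed=True, dnsmasq_managed=False):
    """Return the ordered nameserver list that would be written to /etc/resolv.conf.

    corporate:       DNS servers from the APM Network Access resource.
    local:           DNS servers the client had before the tunnel came up.
    allow_local_dns: the 'Allow Local DNS servers' setting.
    fixed:           True for 13.0.0+ behaviour, False for the affected releases.
    dnsmasq_managed: True when resolvconf manages resolv.conf and dnsmasq is enabled.
    """
    servers = list(corporate)
    if dnsmasq_managed:
        # Unchanged by the fix: the stub is appended whatever the setting says.
        servers.append(DNSMASQ_STUB)
    elif fixed and allow_local_dns:
        # The fix: local servers go after the corporate ones, without duplicates.
        servers.extend(s for s in local if s not in servers)
    # Affected releases (fixed=False) ignore the local servers entirely.
    return servers


def parse_resolv_conf(text):
    """Extract nameserver entries, in order, from resolv.conf content."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            entries.append(parts[1])
    return entries


def local_servers_follow_corporate(resolv_conf_text, corporate, local):
    """True when every local server is present and listed after all corporate ones."""
    ns = parse_resolv_conf(resolv_conf_text)
    if not all(s in ns for s in local):
        return False
    last_corp = max((ns.index(s) for s in corporate if s in ns), default=-1)
    return all(ns.index(s) > last_corp for s in local)


# Constructed sample of a post-fix resolv.conf on a split-tunnel client.
SAMPLE_RESOLV_CONF = "search corp.example\nnameserver 10.0.0.53\nnameserver 192.168.1.1\n"

if __name__ == "__main__":
    print(local_servers_follow_corporate(SAMPLE_RESOLV_CONF, ["10.0.0.53"], ["192.168.1.1"]))
```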