Bug ID 664344: DNS resolution fails for certain hostnames On Win10 when DNS relay proxy is present and IP filtering engine is enabled for split tunnel config with no DNS include scope.

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP APM(all modules)

Known Affected Versions:
11.5.3, 11.5.4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.5.10, 11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2, 12.1.0, 12.1.1, 12.1.2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 12.1.5.2, 12.1.5.3, 12.1.6, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1

Fixed In:
13.1.0

Opened: May 11, 2017

Severity: 3-Major

Symptoms

DNS resolution fails for hostnames that can be resolved only by internal Network Access DNS. DNS Relay Proxy does not properly forward DNS requests to internal DNS servers when the virtual server is accessed using a hostname. Note: This problem does not occur when the same APM virtual server is accessed by IP address.

Impact

-- DNS resolution does not work for hostnames that can be resolved only by internal Network Access DNS server. -- DNS resolution (using ping or via browser) works for other hostnames that can be resolved by local DNS. -- nslookup does not work for any hostname.

Conditions

-- DNS relay proxy is present. -- IP filtering engine is enabled. -- Split tunnel config with no DNS-include space. -- Access virtual server by hostname. -- Running Microsoft Windows v10.

Workaround

You can use either of the following workarounds: Note: nslookup can be enabled only with workaround #2. 1. While specifying split tunnel configuration, make sure DNS scope is also split by specifying the include DNS scope in the configuration. With this workaround, ping and browser work while accessing hostnames that can be resolved only by internal Network Access DNS. DNS requests received on the physical adapter will be forwarded to the internal Network Access DNS server when the scope pattern matches. 2. This workaround involves modifying the Windows Registry. Note this warning from Microsoft about modifying the registry: "Warning: Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk." Add the following key: -- HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DnsClient -- Set DWORD "EnableMultiHomedRouteConflicts" to 0 (zero). This workaround restores Windows DNS client behavior to pre-Windows 10, so DNS relay proxy will create listeners on loopback for incoming requests, and the driver will redirect DNS requests to the listener on the loopback. The IP filtering engine allows all traffic on loopback, so DNS resolution via ping, browser, and nslookup all work as expected.

Fix Information

Now the Windows Edge Client DNS Relay Proxy service correctly forwards requests to client-local DNS servers if the name resolution is not avilable on the APM-local DNS servers.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips