Last Modified: Sep 13, 2023
Affected Product(s):
BIG-IP GTM
Known Affected Versions:
11.5.4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.5.10, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 12.1.5.2, 12.1.5.3, 12.1.6, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 13.1.3.4, 13.1.3.5, 13.1.3.6, 13.1.4, 13.1.4.1, 13.1.5, 13.1.5.1, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.0.1.1
Fixed In:
14.1.0, 14.1.0
Opened: Mar 29, 2018 Severity: 2-Critical Related Article:
K32518458
Fall back to BIND is enabled by default and if the use of the GTM hostname is misunderstood, the device could be exposed to potential DNS hijacking.
If the device uses an unregistered hostname, a third party could register it and and hijack the domain.
GTM automatically creates a zone file using the GTM hostname. If Fall back to BIND is tuned on and the Wide IP goes down, BIND will respond with an answer that has NS records in the authority section.
Workaround A: - Change the hostnames on the GTMs to be a label within a domain you own. - Change the NS records in all the autogenerated zones that are not already pointing at a real domain to point at this hostname. Workaround B: - Turn off Fallback to BIND
A GTM global variable has been added to "force invalid NS names" for all auto-generated zones for WideIPs. This variable is enabled by default for security purposes. This must be a gtm global so that it is synced. If this value is "true/enabled" then ".invalid." is appended to the BIG-IP's hostname. (See RFCs 6761 and 2606). This is the recommended way to build DNS names that should not escape into the public domain.