Bug ID 712653: A GTM global variable has been added to "force invalid NS names" for all auto-generated zones for WideIPs.

Last Modified: Mar 21, 2019

Bug Tracker

Affected Product: BIG-IP GTM (all modules)

Known Affected Versions:
11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4

Fixed In:
14.1.0

Opened: Mar 29, 2018
Severity: 2-Critical
Related AskF5 Article:
K32518458

Symptoms

Fallback to BIND is enabled by default. If the role of the GTM hostname in the auto-generated zones is misunderstood, the device can be exposed to DNS hijacking.

Impact

If the device uses an unregistered hostname, a third party could register it and hijack the domain.

Conditions

GTM automatically creates a zone file for each Wide IP, using the GTM hostname for the zone's NS records. If Fallback to BIND is turned on and the Wide IP goes down, BIND responds with an answer that carries those NS records in the authority section.

Workaround

Workaround A:
- Change the hostnames on the GTMs to be a label within a domain you own.
- Change the NS records in all the auto-generated zones that are not already pointing at a real domain to point at this hostname.

Workaround B:
- Turn off Fallback to BIND.

Fix Information

A GTM global variable has been added to "force invalid NS names" for all auto-generated zones for Wide IPs. This variable is enabled by default for security purposes. It must be a GTM global variable so that its value is synced. If the value is "true/enabled", then ".invalid." is appended to the BIG-IP's hostname (see RFCs 6761 and 2606). This is the recommended way to build DNS names that must not escape into the public DNS.
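The following is an added example, not F5's code or anything from this bug entry. It models the two behaviours the entry describes: how the NS target name for an auto-generated zone is built from the BIG-IP hostname with and without the "force invalid NS names" setting, and the audit Workaround A asks for (finding NS records in the auto-generated zones that point at a name you do not own and that is not under the reserved .invalid TLD). The exact zone-file layout GTM writes is not shown on the page, so the sample zone text, the function names and the owned-domain list are constructed assumptions.

```python
"""Added example (not F5's code): NS-name construction and NS-record audit
for the auto-generated Wide IP zones described in Bug ID 712653.

Assumptions (not from the page): the zone-file layout below is constructed,
and the function names and owned-domain list are hypothetical.
"""
from typing import Dict, List

# Reserved TLD that must never resolve on the public Internet (RFC 2606 / RFC 6761).
INVALID_TLD = "invalid"


def _fqdn(name: str) -> str:
    """Normalise a DNS name to lower case with exactly one trailing dot."""
    return name.strip().lower().rstrip(".") + "."


def ns_target_for_zone(hostname: str, force_invalid_ns_names: bool = True) -> str:
    """Return the NS target name that would be written into an auto-generated zone.

    With the global setting enabled (the default after the fix) ".invalid." is
    appended to the BIG-IP hostname, so the name can never be registered by a
    third party. With it disabled the bare hostname is used as-is.
    """
    host = _fqdn(hostname)
    if force_invalid_ns_names:
        return host + INVALID_TLD + "."
    return host


def is_under(name: str, parent: str) -> bool:
    """True if `name` equals `parent` or is a subdomain of it."""
    n, p = _fqdn(name), _fqdn(parent)
    return n == p or n.endswith("." + p)


def classify_ns_target(target: str, owned_domains: List[str]) -> str:
    """Classify one NS target.

    'invalid' -> under the reserved .invalid TLD, cannot be registered (safe)
    'owned'   -> under a domain you control (safe)
    'review'  -> anything else: may be unregistered and therefore hijackable
    """
    if is_under(target, INVALID_TLD):
        return "invalid"
    if any(is_under(target, d) for d in owned_domains):
        return "owned"
    return "review"


def audit_ns_records(zone_text: str, owned_domains: List[str]) -> Dict[str, str]:
    """Pull NS records out of zone-file-style text and classify each target.

    Comments after ';' are ignored; TTL and class fields are optional.
    Returns {ns_target: classification}.
    """
    result: Dict[str, str] = {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop trailing comment
        if not line:
            continue
        fields = line.split()
        if "NS" not in fields:
            continue
        idx = fields.index("NS")
        if idx + 1 >= len(fields):
            continue  # malformed record, nothing to classify
        target = _fqdn(fields[idx + 1])
        result[target] = classify_ns_target(target, owned_domains)
    return result


# Constructed sample zone: three NS targets covering each classification.
SAMPLE_ZONE = """\
$ORIGIN www.example.com.
@   IN SOA gtm1.example.com. hostmaster.example.com. 1 3600 900 604800 300
@   IN NS  gtm1.example.com.            ; inside a domain we own
@   IN NS  gtm2.mylab.invalid.          ; reserved TLD, cannot be registered
@   IN NS  gtm3.some-other-name.net.    ; bare hostname, registrable by anyone
"""

if __name__ == "__main__":
    print(ns_target_for_zone("bigip-gtm.mylab"))                                # bigip-gtm.mylab.invalid.
    print(ns_target_for_zone("bigip-gtm.mylab", force_invalid_ns_names=False))  # bigip-gtm.mylab.
    for target, verdict in audit_ns_records(SAMPLE_ZONE, ["example.com"]).items():
        print(f"{verdict:8} {target}")
```

Any target reported as "review" is one that Workaround A says to repoint at a hostname inside a domain you own; after upgrading to a fixed version with the global variable enabled, newly generated zones get targets that classify as "invalid" by construction.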

Behavior Change