Bug ID 720045: IP fragmented UDP DNS request and response packets dropped as DNS Malformed

Last Modified: Nov 07, 2022

Affected Product:
BIG-IP AFM (all modules)

Known Affected Versions:
13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1

Fixed In:
14.1.0, 14.0.0, 13.1.1.2

Opened: May 14, 2018
Severity: 2-Critical

Symptoms

AFM/DHD treats an IP-fragmented UDP DNS packet (request or response) as a DNS Malformed packet and drops it.

Impact

AFM/DHD incorrectly treats such packets as DNS malformed and drops them. If AFM/DHD receives any UDP DNS request or response packet that is fragmented at the IP layer, the system drops the packet, interrupting DNS service between clients and servers that communicate through BIG-IP systems.

Conditions

-- AFM/DHD is enabled (provisioned and licensed).
-- The DNS Malformed vector is enabled at the Device context (it is always enabled by default).
-- AFM/DHD receives a fragmented IP packet for a UDP DNS request or response.

Workaround

None.

Fix Information

This issue is now fixed, as follows:

a) For an IP-fragmented UDP DNS request packet, AFM parses the first IP fragment to retrieve the L4 (UDP) header, the DNS header and the Question section.
- If this information is available in the first IP fragment, AFM processes the packet for further DoS checks.
- If this information is not available in the first IP fragment, AFM drops the fragment as DNS Malformed.

b) For an IP-fragmented UDP DNS response packet, AFM parses the first IP fragment to retrieve the L4 (UDP) header, the DNS header and the Question section.
- If this information is available in the first IP fragment, AFM processes the packet for further DoS checks.
- If, however, this information is not available in the first IP fragment, the default behavior is that AFM allows such a fragmented DNS response packet through. This behavior can be changed to drop incomplete IP-fragmented DNS response packets by setting the db variable 'Dos.dns.respfrag.allow' to 'false'.
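The following is an added illustration of the decision logic described above, not F5's own code: it checks whether the first fragment's L4 payload (UDP header onward) carries a complete DNS header and Question section, then applies the request/response rule, with the `respfrag_allow` parameter standing in for the 'Dos.dns.respfrag.allow' db variable. The packet builder, port numbers and transaction ID are constructed sample data.

```python
import struct

UDP_HDR_LEN = 8   # src port, dst port, length, checksum
DNS_HDR_LEN = 12  # id, flags, qdcount, ancount, nscount, arcount

def question_section_complete(payload, offset, qdcount):
    """True if all qdcount questions (QNAME + QTYPE + QCLASS) lie inside payload."""
    for _ in range(qdcount):
        while True:                      # walk the QNAME labels
            if offset >= len(payload):
                return False             # name runs past the end of this fragment
            length = payload[offset]
            if length == 0:              # root label terminates the name
                offset += 1
                break
            if length & 0xC0 == 0xC0:    # compression pointer: two bytes, ends the name
                offset += 2
                if offset > len(payload):
                    return False
                break
            offset += 1 + length
        offset += 4                      # QTYPE + QCLASS
        if offset > len(payload):
            return False
    return True

def classify_first_fragment(l4_payload, is_response, respfrag_allow=True):
    """Decision for the first IP fragment of a UDP DNS packet, following the fix
    described above. l4_payload is the fragment's data after the IP header (UDP
    header onward). respfrag_allow models the db variable Dos.dns.respfrag.allow.
    Returns 'process' (hand on to DoS checks), 'drop' (DNS Malformed) or 'allow'."""
    complete = False
    if len(l4_payload) >= UDP_HDR_LEN + DNS_HDR_LEN:
        qdcount = struct.unpack("!H", l4_payload[UDP_HDR_LEN + 4:UDP_HDR_LEN + 6])[0]
        complete = question_section_complete(l4_payload, UDP_HDR_LEN + DNS_HDR_LEN, qdcount)
    if complete:
        return "process"
    if not is_response:
        return "drop"                    # (a) incomplete request fragment is malformed
    return "allow" if respfrag_allow else "drop"   # (b) response: configurable

def build_udp_dns_query(name, txid=0x1234):
    """Constructed sample: UDP header + DNS A query for name (not captured traffic)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    dns = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)
    udp = struct.pack("!HHHH", 40000, 53, UDP_HDR_LEN + len(dns), 0)
    return udp + dns
```

Truncating the output of `build_udp_dns_query` at different lengths models a first fragment that cuts off inside the DNS header or inside the Question section.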

Behavior Change