Bug ID 761231: Bot Defense Search Engines getting blocked after configuring DNS correctly

Last Modified: Dec 13, 2019

Bug Tracker

Affected Product:  See more info
BIG-IP ASM(all modules)

Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.4, 14.1.0.5, 15.0.0, 15.0.1

Fixed In:
15.1.0, 14.1.0.6, 14.0.0.5, 13.1.3, 12.1.5

Opened: Mar 14, 2019
Severity: 3-Major
Related AskF5 Article:
K79240502

Symptoms

Bot Defense performs a reverse DNS for requests with User-Agents of known Search Engines. A cache is stored for legal / illegal requests to prevent querying the DNS again. This cache never expires, so in case of an initial misconfiguration, after fixing the DNS configuration, or routing or networking issue, the Search Engines may still be blocked until TMM is restarted.

Impact

Cache does not expire and is never updated, so it retains the misconfigured requests. As a result, valid Search Engines are getting blocked by Bot Defense.

Conditions

-- Initial misconfiguration of DNS or routing or networking issue. -- Cache stores requests to prevent future queries to DNS. -- Correct the misconfiguration.

Workaround

Restart TMM by running the following command: bigstart restart tmm

Fix Information

The internal DNS cache within Bot Defense and DoSL7 now expires after five minutes.

Behavior Change