Last Modified: Sep 14, 2023
BIG-IP DNS, GTM, LTM
Known Affected Versions:
13.1.4, 13.1.5, 14.1.3, 14.1.4, 14.1.5, 15.1.1, 15.1.2, 15.1.3, 15.1.4, 15.1.5, 15.1.6, 15.1.7, 15.1.8, 15.1.9, 15.1.10, 16.1.0, 16.1.1, 16.1.2, 16.1.3, 16.1.4, plus a number of four-part point releases within these branches whose version strings did not survive extraction (they appear as IP addresses in the original list and cannot be recovered here).
Opened: Dec 04, 2020 Severity: 3-Major
Symptoms:
- A DNS Cache (or Network DNS Resolver) returns SERVFAIL responses to clients even though the BIG-IP system does receive a good, if delayed, response from the upstream servers.
- When this happens, the BIG-IP system rejects the late responses from the upstream servers with ICMP errors (Destination unreachable - Port unreachable).
- If the db key dnscacheresolver.loglevel is set to debug5, the following message appears in /var/log/ltm when the issue occurs:
  debug tmm: DNScache: request example.com. has exceeded the maximum number of glue fetches 17 to a single delegation point
- If a Network DNS Resolver is used with an HTTP Explicit Proxy profile, the symptom can instead be "503 Service Unavailable" responses to clients, caused by the failed DNS lookup.
Impact:
Clients of the BIG-IP DNS Cache (or Network DNS Resolver) are not returned an answer. As a result, application failures may occur.
Conditions:
This issue occurs when all of the following are true:
- A DNS Cache (or Network DNS Resolver) is in use on the BIG-IP system.
- That object is configured with a forward zone that lists multiple servers for resolution.
- The RTT of those servers fluctuates; for example, they normally answer quickly but take noticeably longer for a particular domain.
- 'Randomize Query Character Case' is enabled in the DNS Cache (or Network DNS Resolver).
When a request for such a domain takes a long time to resolve, the BIG-IP system may reply with SERVFAIL.
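The configuration conditions above (query-case randomization on, a forward zone with more than one server) can be checked across a saved configuration, and the debug5 log message from the Symptoms section can be counted, with a small script. The following is an added example for this page, not F5 code: it parses a constructed, approximate imitation of `tmsh list` brace output (the exact layout is assumed) for `ltm dns cache resolver` and `net dns-resolver` objects, flags the ones that match the bug's configuration conditions, and extracts the query name from constructed /var/log/ltm lines carrying the "exceeded the maximum number of glue fetches" message. RTT fluctuation is a runtime condition and cannot be read from configuration, so a flagged object is exposed, not necessarily affected.

```python
"""Find BIG-IP resolvers whose configuration matches this bug's conditions and
extract the accompanying debug5 log message. Added example; the tmsh output
layout and the log lines below are constructed approximations, not captures."""
import re

# Constructed sample of `tmsh list` output (layout is an assumption).
SAMPLE_CONFIG = """\
ltm dns cache resolver /Common/cache_multi {
    forward-zones {
        . {
            nameservers {
                10.1.1.10:53 { }
                10.1.1.11:53 { }
            }
        }
    }
    randomize-query-name-case yes
}
ltm dns cache resolver /Common/cache_single {
    forward-zones {
        . {
            nameservers {
                10.1.1.10:53 { }
            }
        }
    }
    randomize-query-name-case yes
}
net dns-resolver /Common/proxy_resolver {
    forward-zones {
        example.com {
            nameservers {
                10.2.2.20:53 { }
                10.2.2.21:53 { }
            }
        }
    }
    randomize-query-name-case no
}
"""

# Constructed /var/log/ltm lines; the message text is the one quoted on this page.
SAMPLE_LOG = """\
Sep 14 10:00:01 bigip1 debug tmm[12345]: DNScache: request example.com. has exceeded the maximum number of glue fetches 17 to a single delegation point
Sep 14 10:00:01 bigip1 info tmm[12345]: unrelated message
Sep 14 10:00:05 bigip1 debug tmm[12345]: DNScache: request api.example.net. has exceeded the maximum number of glue fetches 17 to a single delegation point
"""

OBJECT_RE = re.compile(r"^(ltm dns cache resolver|net dns-resolver) (\S+) \{$")
GLUE_RE = re.compile(
    r"DNScache: request (\S+) has exceeded the maximum number of glue fetches (\d+)"
)


def parse_resolvers(text):
    """Return {name: {"type", "randomize", "zones": {zone: [nameserver, ...]}}}
    by walking the braces of the tmsh-style output."""
    objs, cur, stack = {}, None, []
    for raw in text.splitlines():
        stripped = raw.strip()
        m = OBJECT_RE.match(stripped)
        if m and not stack:                      # new top-level object
            cur = {"type": m.group(1), "randomize": None, "zones": {}}
            objs[m.group(2)] = cur
            stack.append("object")
            continue
        if cur is None:
            continue
        if stripped.endswith("{ }"):              # self-closing entry, e.g. 10.1.1.10:53 { }
            if stack[-1] == "nameservers":
                cur["zones"].setdefault(stack[-2], []).append(stripped[:-3].strip())
            continue
        if stripped.endswith("{"):                # open a nested block
            key = stripped[:-1].strip()
            if stack[-1] == "forward-zones":      # key is a zone name
                cur["zones"].setdefault(key, [])
            stack.append(key)
            continue
        if stripped == "}":                       # close a block
            stack.pop()
            if not stack:
                cur = None
            continue
        kv = stripped.split(None, 1)
        if len(kv) == 2 and kv[0] == "randomize-query-name-case":
            cur["randomize"] = kv[1]
    return objs


def exposed(objs):
    """Names of resolvers with case randomization enabled and at least one
    forward zone that lists more than one server."""
    return [name for name, o in objs.items()
            if o["randomize"] == "yes"
            and any(len(ns) > 1 for ns in o["zones"].values())]


def glue_fetch_failures(log_text):
    """[(query name, glue-fetch limit), ...] for each matching log line."""
    hits = (GLUE_RE.search(line) for line in log_text.splitlines())
    return [(m.group(1), int(m.group(2))) for m in hits if m]


if __name__ == "__main__":
    print("exposed resolvers:", exposed(parse_resolvers(SAMPLE_CONFIG)))
    print("glue-fetch failures:", glue_fetch_failures(SAMPLE_LOG))
```

On a real system, feed the script the output of `tmsh list ltm dns cache resolver` and `tmsh list net dns-resolver` and the contents of /var/log/ltm; the exact tmsh attribute names and line layout should be checked against your own output before relying on the parser, since they are assumed here.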
Workaround:
Set 'Randomize Query Character Case' to 'No' in the DNS Cache (or Network DNS Resolver) settings. Note that query-name case randomization adds entropy to outbound queries as a defense against response spoofing, so treat this as a temporary measure and re-enable it once a fixed version is installed.
Fix Information:
The nameserver-min-rtt setting is now available for both the DNS Cache resolver and the Network DNS Resolver. It sets the minimum RTT the resolver assumes for upstream servers; the default value is 50ms. Increase it when forwarders need more time to complete recursive name resolution.