Last Modified: Jul 27, 2021
BIG-IP DNS, GTM, LTM
Known Affected Versions:
13.1.0, 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 13.1.1, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 13.1.3, 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 13.1.4, 220.127.116.11, 14.1.0, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 14.1.2, 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 14.1.3, 22.214.171.124, 14.1.4, 126.96.36.199, 188.8.131.52, 184.108.40.206, 15.1.0, 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 15.1.1, 15.1.2, 184.108.40.206, 15.1.3, 220.127.116.11, 16.1.0
Opened: Dec 04, 2020
- A DNS cache (or net dns-resolver) returns SERVFAIL responses to clients, despite the BIG-IP system receiving a good (albeit delayed) response from upstream servers.
- When this happens, the BIG-IP system can be seen rejecting the responses from the upstream servers with ICMP errors (Destination unreachable - Port unreachable).
- If the db key dnscacheresolver.loglevel is set to debug5, the following error message is visible in the /var/log/ltm file when this issue occurs:
  debug tmm: DNScache: request example.com. has exceeded the maximum number of glue fetches 17 to a single delegation point

If a net dns-resolver is used with an HTTP explicit proxy, the symptoms can appear as "503 Service Unavailable" due to DNS lookup failure.
Clients of the BIG-IP DNS cache are not returned an answer. As a result, application failures may occur.
This issue occurs when the following conditions are met:
- A DNS cache is in use on the BIG-IP system.
- The DNS cache is configured with a forward-zone that uses multiple servers to perform resolutions.
- The RTT of the servers fluctuates. For example, the servers are generally fast to reply for most domains, but take extra time to reply for a given domain.
- 'Randomize Query Character Case' is enabled in the DNS cache.

If the requests for the domain take a long time to resolve, BIG-IP may reply with SERVFAIL.
You can work around this issue by changing 'Randomize Query Character Case' to 'No' in the DNS cache or net dns-resolver settings.
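
To confirm that client-facing SERVFAILs match this issue, the debug5 message quoted in the symptoms can be counted per queried name in a copy of /var/log/ltm. The following is an added example, not F5 code: the syslog prefixes and the sample lines are constructed, and the assumption that names may be logged in mixed case is ours.

```python
import re
from collections import Counter

# Message tail as quoted in the symptom description. The syslog prefix
# (timestamp, host, tmm instance/pid) varies, so only the tail is matched.
GLUE_RE = re.compile(
    r"DNScache: request (?P<name>\S+) has exceeded the maximum number "
    r"of glue fetches (?P<limit>\d+) to a single delegation point"
)

def glue_fetch_failures(lines):
    """Return a Counter of glue-fetch-limit errors keyed by queried name."""
    counts = Counter()
    for line in lines:
        m = GLUE_RE.search(line)
        if m:
            # Assumption: with case randomization enabled the name may be
            # logged in mixed case, so fold case and drop the trailing dot
            # to group all hits for one domain together.
            counts[m.group("name").lower().rstrip(".")] += 1
    return counts

# Constructed sample lines (not taken from a real system).
SAMPLE_LTM_LOG = [
    "Jul 27 10:15:01 bigip1 debug tmm[11432]: DNScache: request example.com. "
    "has exceeded the maximum number of glue fetches 17 to a single delegation point",
    "Jul 27 10:15:03 bigip1 debug tmm1[11432]: DNScache: request ExAmPlE.cOm. "
    "has exceeded the maximum number of glue fetches 17 to a single delegation point",
    "Jul 27 10:15:04 bigip1 notice mcpd[5012]: constructed unrelated line",
    "Jul 27 10:15:09 bigip1 debug tmm[11432]: DNScache: request slow.example.net. "
    "has exceeded the maximum number of glue fetches 17 to a single delegation point",
]

if __name__ == "__main__":
    # Print the most affected names first.
    for name, n in glue_fetch_failures(SAMPLE_LTM_LOG).most_common():
        print(f"{n:4d}  {name}")
```

Names that dominate the output are the slow-to-resolve domains described in the conditions.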