Last Modified: Apr 28, 2025
Affected Product(s):
APM-Clients TMOS
Fixed In:
7.2.2, 7.2.1.4
Opened: Dec 16, 2020
Severity: 4-Minor
- F5 Stonewall service for Windows does not consider the state of the client DNS cache while resolving names in the exclusion list.
- The Stonewall service always makes a DNS query on the wire to resolve exclusion hostnames.

- Other applications running on the machine perform DNS resolution via the Windows DNS Client service, which may provide answers from the cache it maintains. Since F5 Stonewall service does not consider the state of the cache, it may maintain a different set of IP addresses as part of the DNS resolution.
- In this case, traffic to the IP addresses from the DNS Client cache may be blocked.

- Locked mode client has hostname exclusions.
- The DNS server at times responds with a different IP address or addresses for a given hostname from the exclusions.
N/A
The default behavior of Stonewall has changed: the Stonewall service for Windows now combines the DNS resolution answers from the system cache with the ones from a query to the system-configured DNS servers.
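The mismatch and the changed behavior can be reproduced with a small model. This is an added example, not F5 code: the class and function names, the hostname `excluded.example`, the TTL and the 192.0.2.x addresses are all constructed for illustration, and the DNS server is assumed to alternate between two answers.

```python
class RotatingDns:
    """Constructed DNS server that returns a different answer set per query."""
    def __init__(self, answer_sets):
        self.answer_sets, self.queries = answer_sets, 0

    def query(self, name):
        answers = self.answer_sets[self.queries % len(self.answer_sets)]
        self.queries += 1
        return set(answers)


class ClientCache:
    """Stand-in for the OS DNS cache: answers are reused until the TTL expires."""
    def __init__(self, dns, ttl):
        self.dns, self.ttl, self.entries = dns, ttl, {}

    def peek(self, name, now):
        # Cached answers that are still valid, without touching the wire.
        hit = self.entries.get(name)
        return set(hit[1]) if hit and now < hit[0] else set()

    def resolve(self, name, now):
        # What an ordinary application sees: cache first, wire on a miss.
        cached = self.peek(name, now)
        if cached:
            return cached
        answers = self.dns.query(name)
        self.entries[name] = (now + self.ttl, answers)
        return set(answers)


def allowed_ips(name, dns, cache, now, merge_cache):
    """Exclusion IP set: wire query only (old), or wire plus cache (changed)."""
    ips = dns.query(name)
    if merge_cache:
        ips |= cache.peek(name, now)
    return ips


def simulate(merge_cache):
    dns = RotatingDns([{"192.0.2.10"}, {"192.0.2.20"}])  # constructed answers
    cache = ClientCache(dns, ttl=300)
    # An application resolves the excluded hostname first and caches the answer.
    app_ip = next(iter(cache.resolve("excluded.example", now=0)))
    # The firewall service then builds its exclusion set ten seconds later.
    allow = allowed_ips("excluded.example", dns, cache, 10, merge_cache)
    return app_ip, allow, app_ip in allow
```

With `merge_cache=False` the application's cached address is missing from the exclusion set, which is the blocked-traffic case; with `merge_cache=True` both addresses are present.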