Forum Discussion
DNS Traffic from floating IP to public IP of a VIP
Hello,
I've seen in our firewall log UDP/53 traffic from the floating IP of an F5 cluster to the public IP of a web portal behind a VIP, more precisely the internal VIP; the public IP is NATed on the firewall to the VIP (with an ASM policy attached).
We've configured our internal DNS server under System -> Configuration -> DNS.
I've got no idea how this traffic is originated.
Any hints?
Thank you
Hello,
Adding some likely causes:
Health/service monitor (DNS monitor) - An LTM monitor configured against the VIP or pool members may be performing DNS queries (UDP/53) from the BIG-IP to validate DNS-based services or check a hostname. Monitors use a self-IP as the source (often the floating self-IP on the VLAN).
ASM / WAF policy or external lookups - Advanced WAF/ASM features (URL classification, reputation lookups, policy validations) can perform DNS queries to check hostnames or third-party reputation services using the BIG-IP's configured DNS servers.
An iRule or custom script using name resolution - An iRule can call resolve or run commands that cause the BIG-IP to query DNS. Scripts running on the device (cron, custom automation) can do the same.
Hairpin / NAT behavior - If the firewall NATs the public IP to the internal VIP and the BIG-IP is probing that public IP, the packets may be seen by the firewall as coming from the floating IP (source) to the public IP (destination), which is then NATed back to the VIP, making it look like "BIG-IP -> public IP -> VIP".
GTM/DNS - If GTM/DNS is enabled, it will generate DNS traffic. But you said the target is the public IP that NATs to the VIP, so GTM is less likely unless configured oddly.
Please verify whether anything listed above affects your traffic.
BR
Aswin
3 Replies
- kgaigl
Cirrocumulus
Hello Aswin,
Thank you for your explanations. We do indeed have some health monitors with HTTP/1.1, and also some ASM features.
So it doesn't need any action.
- PeteWhite
Employee
Monitor traffic will not source from a floating self-IP. Traffic from a floating self-IP will likely be automap-originated from a virtual server. Check the pools for that destination address, or check for forwarding virtual servers.
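Aswin's candidate list and PeteWhite's pointer both come down to the same triage question: which LTM object can emit a packet to that public IP with the floating self-IP as its source. The script below is an added example written for this thread, not code from F5 or from any of the posters. It assumes the one-line output format of `tmsh list ltm pool one-line` / `tmsh list ltm virtual one-line`, takes PeteWhite's statement that such traffic is SNAT automap from a virtual server as its working rule, and uses constructed, hypothetical objects (pool and virtual names, the documentation address 203.0.113.10 standing in for the firewall's public IP, RFC 1918 addresses for the rest) so it runs offline. On a real unit, replace the two sample variables with the live tmsh output as shown in the comments.

```shell
#!/bin/sh
# Added example (not from the thread): narrow down which BIG-IP object can
# originate UDP/53 traffic sourced from a floating self-IP. Working rule, as
# stated in the thread: SNAT automap picks the floating self-IP, so candidates
# are virtual servers with automap that either
#   (a) use a pool that contains the destination as a member,
#   (b) have the destination itself or a 0.0.0.0 wildcard as destination, or
#   (c) are ip-forward (forwarding) virtual servers.
# On a real BIG-IP, replace the two constructed variables with:
#   POOLS=$(tmsh -q list ltm pool one-line)
#   VIRTUALS=$(tmsh -q list ltm virtual one-line)

# Constructed sample output (hypothetical objects; 203.0.113.10 stands in for
# the public IP that the firewall NATs to the internal VIP).
POOLS='ltm pool portal_pool { members { 10.10.20.5:443 { address 10.10.20.5 } } monitor https }
ltm pool portal_via_public { members { 203.0.113.10:53 { address 203.0.113.10 } } monitor dns_check }
ltm pool app_pool { members { 10.10.30.7:8080 { address 10.10.30.7 } } monitor http }'

VIRTUALS='ltm virtual portal_vs { destination 10.10.10.10:443 ip-protocol tcp mask 255.255.255.255 pool portal_pool profiles { http { } tcp { } } source 0.0.0.0/0 source-address-translation { type automap } }
ltm virtual dns_wildcard { destination 0.0.0.0:53 ip-protocol udp mask any pool portal_via_public profiles { udp { } } source 0.0.0.0/0 source-address-translation { type automap } translate-address disabled }
ltm virtual fwd_all { destination 0.0.0.0:0 ip-forward ip-protocol any mask any profiles { fastL4 { } } source 0.0.0.0/0 source-address-translation { type automap } translate-address disabled translate-port disabled }
ltm virtual app_vs { destination 10.10.10.11:80 ip-protocol tcp mask 255.255.255.255 pool app_pool profiles { http { } tcp { } } source 0.0.0.0/0 source-address-translation { type none } }'

# Pools that have $1 as a member address (one pool name per line).
pools_with_member() {
    printf '%s\n' "$POOLS" | grep -F -- " address $1 " | awk '{print $3}'
}

# Virtual servers with SNAT automap that can send traffic to $1 (one name per line).
snat_virtuals_for() {
    dest="$1"
    dest_re=$(printf '%s' "$dest" | sed 's/\./\\./g')
    pools=$(pools_with_member "$dest")
    printf '%s\n' "$VIRTUALS" | grep -F -- 'type automap' | while read -r line; do
        name=$(printf '%s' "$line" | awk '{print $3}')
        # (b) destination is the target itself or a 0.0.0.0 wildcard
        if printf '%s' "$line" | grep -qE -- " destination (0\.0\.0\.0|$dest_re):"; then
            echo "$name"; continue
        fi
        # (c) forwarding virtual: routes anything, SNAT'd to the floating self-IP
        if printf '%s' "$line" | grep -q -- ' ip-forward '; then
            echo "$name"; continue
        fi
        # (a) pool containing the destination as a member
        for p in $pools; do
            if printf '%s' "$line" | grep -q -- " pool $p "; then
                echo "$name"; break
            fi
        done
    done
}

# Then confirm on the unit itself while the firewall logs the hits, e.g.:
#   tmsh show sys connection cs-server-addr 203.0.113.10
#   tcpdump -nni 0.0:nnn host 203.0.113.10 and udp port 53
pools_with_member 203.0.113.10
snat_virtuals_for 203.0.113.10
```

A hit in `pools_with_member` points at a pool whose monitor or traffic reaches the public IP through the firewall hairpin; a hit from the wildcard or ip-forward branch means any client behind that virtual server (a backend resolving a hostname, for instance) can show up at the firewall as the floating IP, which is where checking the connection table with `tmsh show sys connection` and the `:nnn` tcpdump suffix (which annotates each packet with the flow and virtual server on BIG-IP) settles it.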