
Forum Discussion

kgaigl
Dec 09, 2025
Solved

DNS Traffic from floating IP to public IP of a VIP

Hello, I've seen in our Firewall Log udp/53 traffic from the floating IP of an F5 Cluster to the public IP of a Web-Portal behind a VIP, exactly the internal VIP, the public IP is natted on the Fire...
  • Aswin_mk
    Dec 10, 2025

    Hello,

    Adding some likely causes:

    Health/Service Monitor (DNS monitor) - An LTM monitor configured against the VIP or pool members may be performing DNS queries (UDP/53) from the BIG-IP to validate DNS-based services or check a hostname. Monitors use a self-IP as the source (often the floating self-IP on the VLAN).

    ASM / WAF policy or external lookups - Advanced WAF/ASM features (URL classification, reputation lookups, policy validations) can perform DNS queries to check hostnames or third-party reputation services using the BIG-IP’s configured DNS servers.

    An iRule or custom script using name resolution - An iRule can call resolve or run commands that cause the BIG-IP to query DNS. Scripts running on the device (cron, custom automation) can do the same.

    Hairpin / NAT behavior - If the firewall NATs the public IP to the internal VIP and the BIG-IP is probing that public IP, the packets might be seen as coming to the firewall from the floating IP (source) to the public IP (destination) which is then NATed back to the VIP — making it look like “from BIG-IP → public IP → VIP”.


    GTM/DNS - If GTM/DNS is enabled, it will perform DNS traffic. But you said the target is the public IP that NATs to the VIP, so GTM is less likely unless configured oddly.


    Please verify whether anything listed above affected your traffic.

    BR
    Aswin
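One way to narrow the causes Aswin lists is to look at the cadence of the UDP/53 flows in the firewall log: a health monitor fires at a fixed interval, whereas iRule or WAF-triggered lookups follow client traffic and arrive irregularly. The script below is an added example, not code from the original thread or from F5; the log format, the floating self-IP 10.10.20.5 and the public IP 203.0.113.10 are constructed assumptions, so adapt the regex to your firewall's syslog layout.

```python
import re
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample firewall log lines (assumed format, not from the post).
# 10.10.20.5 stands in for the BIG-IP floating self-IP, 203.0.113.10 for the
# public IP that the firewall NATs to the internal VIP.
SAMPLE_LOG = """\
2025-12-09T10:00:00Z fw1 allow udp 10.10.20.5:40001 -> 203.0.113.10:53
2025-12-09T10:00:03Z fw1 allow tcp 10.10.20.7:51234 -> 203.0.113.10:443
2025-12-09T10:00:10Z fw1 allow udp 10.10.20.5:40002 -> 203.0.113.10:53
2025-12-09T10:00:20Z fw1 allow udp 10.10.20.5:40003 -> 203.0.113.10:53
2025-12-09T10:00:30Z fw1 allow udp 10.10.20.5:40004 -> 203.0.113.10:53
2025-12-09T10:00:31Z fw1 allow udp 10.10.20.5:40005 -> 198.51.100.53:53
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+(?P<action>\w+)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        ev["sport"] = int(ev["sport"])
        ev["dport"] = int(ev["dport"])
        events.append(ev)
    return events


def dns_flows(events, floating_ip, public_ip):
    """Keep only UDP/53 flows from the floating self-IP to the NATed public IP."""
    return [
        ev for ev in events
        if ev["proto"] == "udp" and ev["dport"] == 53
        and ev["src"] == floating_ip and ev["dst"] == public_ip
    ]


def classify_cadence(flows, jitter_s=1.0):
    """Periodic inter-arrival gaps point to a monitor; irregular gaps to
    event-driven resolution (iRule, WAF lookup, script)."""
    if len(flows) < 3:
        return "insufficient"
    stamps = sorted(f["ts"] for f in flows)
    gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
    if pstdev(gaps) <= jitter_s:
        return f"periodic (~{round(mean(gaps))}s)"
    return "irregular"


HINTS = {
    "periodic": "fixed interval: check LTM monitors (DNS or external) that reference the public IP",
    "irregular": "follows traffic: check iRules using RESOLV::lookup, WAF lookups, or scripts on the box",
    "insufficient": "too few samples to judge; widen the log window",
}


def triage(text, floating_ip, public_ip):
    """Summarise the matching flows and the most likely origin on the BIG-IP."""
    flows = dns_flows(parse_log(text), floating_ip, public_ip)
    cadence = classify_cadence(flows)
    key = cadence.split(" ")[0]
    return {"count": len(flows), "cadence": cadence, "hint": HINTS[key]}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG, "10.10.20.5", "203.0.113.10"))
```

With the constructed sample the four matching flows arrive exactly 10 seconds apart, so the result reads as periodic and points at a monitor interval. To confirm on the device itself, a tcpdump on the BIG-IP filtered on udp port 53 and the public IP, together with a review of the configured monitors, any iRules that call RESOLV::lookup, and the system DNS settings, will identify which process is actually sending the queries.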