HTTP error 503, DNS lookup failed

I have this exact error and have been grappling with it all week. DNS is in place and resolves all hostnames. Our Oauth traffic uses route domain 0 to reach Azure with no issues. We've tried both a non-default partition and Common partition. Tested nslookup from CLI and everything seems fine.

Does the DNS resolver need have Forwad zones in place? My DNS resolver IPs are the same DNS servers as the main BigIP. When we do try to create a Forwad Zone and use (.) as a forwad zone we get an error  "nullGeneral database error." Does this need to be configured only on cli?

"OAuthClientToAzureAD_act_oauth_client_ag: OAuth Client: failed for server '/AzureAD_Server' using 'authorization_code' grant type (client_id=XXXXXXXXXXXXXXXXXXXXXX), error: HTTP error 503, DNS lookup failed.

I have tried everything recommended in this link - Error Message: 01490290:3: OAuth Client: failed for server error: HTTP error 503 <error message> (f5.com) regarding the DNS resolver

Why would we still get this error despite DNS working fine on the BigIP? Does i matter that I see 100% Misses in the DNS Resolver client cache?

Control plane traffic, like bash or tmsh, will use the management interface, yes.  Is the management DNS not set to recurse? If it CAN recurse, then it can get an IP for the name and, as long as the front-side APM interface has a route to that IP, you should be good.

Some DNS admins shut off or restrict recursion because recursive DNS is VERY easy to overwhelm, externally via NXDOMAIN attacks, and can really easily shut down internal DNS resources. I've known lots of internal DNS admins who have an allowlist of domains to trust for recursion - like OKTA makes total sense - but they need to populate that allowlist, usually by some IT request or such.

Also, I'm assuming you did this already: https://my.f5.com/manage/s/article/K13205

For what it's worth, I was able to resolve this by adding a forwarding zone to my defined DNS Resolver.