Forum Discussion
LTM DNS root reachout on mgmt, disable?
Our security group noted that our LTMs (2000s; v12.0HF1) are sending DNS queries out their mgmt interface that are being blocked by our access controls for that network. It should be noted the environment these devices are in is a closed environment with no allowed access out to the Internet. Upon further review of the DNS reachouts, the LTMs are sending NS requests to the DNS root servers. It seems to be walking down a root hints list and repeating -- seeing about 25 attempts per minute.
To stop the flooding of deny logs to our security tools, we are trying to determine if there is any way to stop these root server reach outs. We have added our local network DNS resolvers to DNS configuration (System->Configuration->Device->DNS->DNS Server Lookup List) with no change in behavior. We have also reviewed the GTM solutions articles on root hints -- even though we are not running GTM -- and confirmed that recursion is disabled in the named configuration.
Thanks in advance!
Chris
5 Replies
Hi,
can you try the following procedure :
in named.conf, under line "
" add the following:
    recursion no;
    allow-recursion { "none"; };
    additional-from-cache no;
Save and restart bind
- Aaron_Brailsfor (Historic F5 Account)
This sounds like you are running into bug ID567293, the recursive query to the root hints is a dead giveaway; if your firewalling responds with a Port Unreachable it triggers a tight loop that will eventually lead to resource exhaustion - see https://support.f5.com/kb/en-us/solutions/public/k/61/sol61521270.html
Fixed in 12.0 HF3 and onward.
- Chris_18457
Cirrus
Thanks for the link to the bug. I have reviewed what they observed in the bug, and I don't see the "...out of memory..." logs in /var/log/kern.log. However, I will note that we upgraded our lab 2000s and 10250V clusters to 12.1 (as part of our recurring upgrade cycle) and noticed that we no longer see the reachouts on the mgmt interface. So the end result looks to be the same...upgrade (maybe patch with hot fix). Thanks!
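Added example, not code from this thread or from F5: a small detector that flags the pattern described above (one source repeatedly sending denied UDP/53 queries to a spread of root server addresses within a minute) in firewall deny logs, so the walk can be alerted on once instead of flooding the deny log. The log line format, the source addresses and the thresholds are assumptions; the root server list is an illustrative subset and should be loaded from the current root hints file in practice.

```python
import re
from collections import defaultdict
from datetime import datetime

# Illustrative subset of the IANA root server IPv4 addresses (assumption:
# in a real deployment load the current list from the named.root / root hints file).
ROOT_SERVERS = {
    "198.41.0.4", "192.33.4.12", "199.7.91.13", "192.203.230.10",
    "192.5.5.241", "192.112.36.4", "198.97.190.53", "192.36.148.17",
    "192.58.128.30", "193.0.14.129", "199.7.83.42", "202.12.27.33",
}

# Hypothetical netfilter-style deny line format; adapt the regex to your firewall's logs.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ DENY .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=UDP .*?DPT=53\b"
)

def find_root_hint_walks(lines, min_per_minute=10, min_distinct_roots=3):
    """Return {src_ip: {"count", "roots", "peak_per_minute"}} for sources whose
    denied UDP/53 traffic to root servers looks like a repeating hints walk."""
    per_src = defaultdict(lambda: {"count": 0, "roots": set(), "minutes": defaultdict(int)})
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["dst"] not in ROOT_SERVERS:
            continue  # not a denied query to a root server
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        minute = ts.replace(second=0)  # bucket by minute to measure the query rate
        rec = per_src[m["src"]]
        rec["count"] += 1
        rec["roots"].add(m["dst"])
        rec["minutes"][minute] += 1
    hits = {}
    for src, rec in per_src.items():
        peak = max(rec["minutes"].values())
        if peak >= min_per_minute and len(rec["roots"]) >= min_distinct_roots:
            hits[src] = {"count": rec["count"], "roots": sorted(rec["roots"]), "peak_per_minute": peak}
    return hits

# Constructed sample: mgmt IP 10.20.30.5 cycles through the hints list twice in one
# minute (about 25/min), plus one-off denies from another host that must not trigger.
SAMPLE_LOG = [
    f"2016-03-03T10:01:{i * 2:02d}Z fw1 DENY IN=eth2 SRC=10.20.30.5 DST={dst} PROTO=UDP SPT=40000 DPT=53"
    for i, dst in enumerate(sorted(ROOT_SERVERS) * 2)
] + [
    "2016-03-03T10:01:05Z fw1 DENY IN=eth2 SRC=10.20.30.9 DST=198.41.0.4 PROTO=UDP SPT=41000 DPT=53",
    "2016-03-03T10:01:07Z fw1 DENY IN=eth2 SRC=10.20.30.9 DST=8.8.8.8 PROTO=UDP SPT=41001 DPT=53",
]
```

Running `find_root_hint_walks(SAMPLE_LOG)` reports only 10.20.30.5, with 24 denied root queries across all 12 listed root servers in a single minute.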