Forum Discussion

swo0sh_gt_13163
Aug 06, 2015

Why we need to allow DNS on Self IP?

Hello Folks,

Can anyone help me by sharing a use case for having DNS enabled on a Self-IP? Since iQuery relies on TCP port 4353 if LTM is in communication with GTM.

In which case can it help to have UDP:Domain enabled on a Self-IP?

Cheers! Darshan

  • The self-IP usually shares the same IP address with a GTM listener, so if you do not have UDP/TCP port 53 open, no resolutions will occur to your GTM listener as the self-IP restrictions are processed first. If you use a different IP than the self for the GTM listener, it should not be a problem to disable port 53 on the self.


  • Hey Jason,

    Thank you for your answer. As mentioned as a workaround against the BIND vulnerability in F5's Knowledge Base, we are required to turn off UDP:Domain (i.e. UDP port 53) on the self IP address in order to temporarily fix the vulnerability.

    So this means that if my LTM is in communication with GTM and I disallow the UDP:Domain port, my queries will start failing, right? How can we implement the fix against this in that case? https://support.f5.com/kb/en-us/solutions/public/16000/900/sol16909.html

    Any suggestion?

    Thank you, Darshan

  • I'd also add that GTM isn't Bind. If you're specifically talking about the DNS listener on your GTM, refer back to the footnotes in that article. GTM is vulnerable if you choose the "Return to DNS" load balancing method.


  • Fantastic! This is why DevCentral is always an exclusive knowledge source.

    Thank you @Jason / @Kevin!!

  • My GTM setup has a self IP as a listener, so I was going to apply the iRule to drop TKEY requests; however, F5 have come back with the following:

    Disabling of port 53 on the self-IP: F5 has advised that although the IP address of the self-IP and the listener are the same, they both operate at different levels of the F5 OS. The self-IP operates at the Linux level while the listener operates at the TMOS software level. Therefore, with the recommendations, the config of the self-IP will not create a listener on port 53 (directed to the BIND daemon), but the config of the listener will be created on port 53 and incoming traffic will be processed by F5 software.

    Does this sound correct? I think I would still be happier applying the iRule.

    Thanks,

    Martin
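As an added illustration of what the TKEY-dropping filter discussed in this thread has to decide per packet (example code written for this page, not the thread's iRule or any F5 code): a small parser over constructed DNS query bytes that reads the header and first question and flags queries whose QTYPE is TKEY (249). The `build_query` helper only exists to construct sample input.

```python
import struct

# QTYPE values from the IANA DNS parameters registry (TKEY is defined in RFC 2930).
QTYPE_A = 1
QTYPE_TKEY = 249


def build_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Construct a minimal DNS query (header + one question) as sample input."""
    # id, flags (RD set), qdcount=1, ancount=0, nscount=0, arcount=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS IN


def parse_question(packet: bytes):
    """Return (qname, qtype) of the first question, or None if the packet is not a usable query."""
    if len(packet) < 12:
        return None
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if flags & 0x8000 or qdcount < 1:  # QR bit set (a response) or no question section
        return None
    pos, labels = 12, []
    while True:
        if pos >= len(packet):
            return None  # truncated name
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            return None  # compression pointers are not expected in a question name
        labels.append(packet[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(packet):
        return None  # truncated QTYPE/QCLASS
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return ".".join(labels), qtype


def is_tkey_query(packet: bytes) -> bool:
    """True when the packet is a well-formed query whose first question asks for TKEY."""
    question = parse_question(packet)
    return question is not None and question[1] == QTYPE_TKEY
```

Malformed or truncated packets are reported as "not a query" rather than raising, so a filter built on this never fails open on garbage input.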