AltostratusHello Folks,
Can anyone help me by sharing use case of having DNS enabled on Self-IP? Since iQuery relies TCP Port 4353, if LTM is in communication with GTM.
In which case it can help to have UDP:Domain enabled on Self-IP?
Cheers! Darshan
AdminThe self-IP usually shares the same IP address with a GTM listener, so if you do not have UDP/TCP port 53 open, no resolutions will occur to your GTM listener as the self-IP restrictions are processed first. If you use a different IP than the self for the GTM listener, it should not be a problem to disable port 53 on the self.
AltostratusHey Jason,
Thank you for your answer. As mentioned as a workaround against BIND vulnerability in F5's Knowledge base, we require to turn off UDP:Domain (i.e. UDP port 53) on self IP address, in order to temporarily fix the vulnerability.
So this means if my LTM is in communication with GTM, and if I disallow UDP:Domain port, my queries will start failing, right? How can we implement the fix against this in that case? https://support.f5.com/kb/en-us/solutions/public/16000/900/sol16909.html
Any suggestion?
Thank you, Darshan
AdminYou can disable on any selfIP that isn't the gtm listener. For a selfIP that is also the gtm listener, you can follow the recommended steps in that solution or you can attach an irule to the listener to drop tkey requests: (the irule is at the bottom) https://devcentral.f5.com/wiki/iRules.DNS__question.ashx
EmployeeI'd also add that GTM isn't Bind. If you're specifically talking about the DNS listener on your GTM, refer back to the footnotes in that article. GTM is vulnerable if you choose the "Return to DNS" load balancing method.
AltostratusFantastic! This is why DevCentral is always an exclusive knowledge source.
Thank you @Jason / @Kevin!!
NimbostratusMy GTM set up has a self IP as a listener, so I was going to apply the irule to drop tkey requests, however F5 have come back with the following:-
Disabling of port 53 on the self-IP: F5 has advised that although the ip address of self-ip and listener are the same, they both operate at different levels of the F5 OS. The self-ip operates at the linux level while the listener operates at the TMOS software level. Therefore with the recommendations, the config of the selfip will not create a listener on port 53 (directed to daemon bind), but the config of the listener will be created on port 53 and incoming traffic will be processed by F5 software.
Does this sound correct, think I would still be happier applying the irule?
Thanks,
Martin