cancel
Showing results for 
Search instead for 
Did you mean: 

Can the F5 APM API Protection profile use for a DNS resolver a local F5 DNS/GTM listener VS?

Hello,

 

Can the F5 APM API Protection profile use for a DNS resolver a local F5 DNS/GTM listener VS?

 

My question comes from that that I have APM and the DNS modules on the same F5 APM device and the F5 API Protection seems to not work but the logs show that that the API Protection profile per request policy is allowing my traffic so I am starting to think that the provided DNS resolver that is using an IP address that is a DNS lisener on the same box is the issue as the connection times out.

 

I did a tcpdump so the F5 never tries to contact the virtual servers or real servers that are used as API Protection servers attached to the paths and real servers are layer 2 connected and VS servers are on the F5 itself so it is not network or other connection issue as F5 just does not try to reach them at all so if it is not Per Request Policy or Network/firewall/connection issue then I am suspecting DNS issue as in the API Protection profile you need to specify URL/URI and can't use an IP address for the servers so this is why the DNS resolver should resolve the DNS FQDN names.

 

I think that the issue could be the same as like when I do a dig command from the F5 device and select the lisener as a DNS server I get the error "reply from an unexpected source 127.0.0.1" as the F5 device is basically asking itself for a DNS resolution and maybe the F5 DNS Resolver is having a similar issue. With a dig command from the F5 device I can specify 127.0.0.1 and I get the Wide-IP or zone runner DNS records but the DNS resolver does not accept 127.0.0.1 as a name server.

 

https://support.f5.com/csp/article/K12140128

 

https://techdocs.f5.com/en-us/bigip-14-1-0/big-ip-access-policy-manager-api-protection-14-1-0/protec...

 

 

 

6 REPLIES 6

Zdravo Niki,

I am pretty sure this won't work. API Protection is using a combination of HTTP methods and URIs to build a so called "path". Once a client is accessing this path, the APM will respond (for example with HTTP status 429 Too many requests). However, it's all HTTP.
api_protection.png

DNS Requests are... not HTTP. Hence API Protection won't do anything to them.

DoH might be a different story....

Pozdrav
Daniel

Hello @Daniel_Wolf  I agree that this is not for DNS but HTTP traffic as I am not trying to do API Protection for a DNS traffic but web traffic but I think that the DNS resolver in the API protection still needs to do the DNS resolution on the server objects that are configured and related to each URI/Path before sending the HTTP/HTTPS traffic to the servers and as I am using the same F5 box for DNS resolution where the F5 APM API protection is located I think I am hitting a wall with this rare case where the DNS server in the DNS resolver is not an external DNS server but a local DNS lisener.

 

 

I could be wrong as I just started playing with API Protection but as the DNS resolver is a requered object in the API Protection profile and for the server objects you can't add directly just the server IP address  but it should something like http://x.x.x.x/ this is why I think the DNS resolution just does not work when trying to make the DNS call as F5 will reply to itself using the loopback and this be the issue.

 

I think I saw similar issue  in a Advanced WAF Bot defense profile long ago for a DNS resolver having an IP address of a DNS virtual server/lisener as the configured DNS server on the same F5 box where the WAF was located.

I created a WIDE IP and now when I do a dig from the F5 device for resolution I get a DNS resolution as it seems that in this case the loopback does not reply to the DNS requests  and it works for a dig command from the f5 device itself but for the DNS resolver using Wide-IP and not Bind/Zoneruner it still did not work. In the APM debug logs I match an Allow action for the per request policy and everything seems to be configured correctly but I see no HTTP/REST-API traffic send to the backend server from the F5 device and the connection is reset when I connect to the F5 VS where the API Prorection profile is attached.

 

I did a tcpdump on the lisener ip and port 53 to see the DNS Network resolver DNS traffic and I see that the DNS Network resolver seems to get the reply from the loopback address even for a Wide-IP FQDN, so it seems there is no workaround for DNS Network resolver to use a local DNS Lisener VS as a DNS server.

 

The issue could be something else but I may try in the future to use an external DNS server for the F5 DNS Network resolver that the F5 API Protection uses as to exclude it as the issue


192.168.1.55.domain > tmm0.48074: [bad udp cksum 0x4238 -> 0xbfdf!] 39544*- q: A? WIdEIP1.xxxxx. 1/0/1 WIdEIP1.xxxxxx. [30s] A 10.1.1.33 ar: . OPT UDPsize=4096 DO (61) out slot1/tmm0 lis=/Common/DNS1 port=loopback trunk=

 

port=loopback trunk=

 

 

 

By the way @Daniel_Wolf in your example picture you are using a default server object and this is why you do not have an attached servers under the API Protection Paths right?

Hi @Nikoolayy1,

in my case I am indeed not using a Default Server, I use the pool assigned to the virtual. However, the DNS Resolver would be used to resolve the names of the API server(s), if I had any.

So you are saying in your setup the API Protection profile cannot use the Virtual IP configured on the same box for DNS resolution? 

KR
Daniel

Hi, I think this is the issue but I have to test.

With a local pool like you Daniel it works like a charm but after using an external DNS for resolution and attaching Automap under the VS as for some servers it is needed it got better but still many issues. My connection no longer resets and I get a proper error 403 code but I feel that that there are still too many issues 🙂

 

Enough for today.