Forum Discussion

Chris_18457
Jun 10, 2016

LTM DNS root reachout on mgmt, disable?

Our security group noted that our LTMs (2000s; v12.0HF1) are sending DNS queries out their mgmt interface that are being blocked by our access controls for that network. It should be noted that the environment these devices are in is a closed environment with no allowed access out to the Internet. Upon further review of the DNS reachouts, the LTMs are sending NS requests to the DNS root servers. It seems to be walking down a root hints list and repeating -- seeing about 25 attempts per minute.

To stop the flooding of deny logs to our security tools, we are trying to determine if there is any way to stop these root server reachouts. We have added our local network DNS resolvers to the DNS configuration (System->Configuration->Device->DNS->DNS Server Lookup List) with no change in behavior. We have also reviewed the GTM solutions articles on root hints -- even though we are not running GTM -- and confirmed that recursion is disabled in the named configuration.

Thanks in advance!


Chris


5 Replies

  • Hi,

    can you try the following procedure:

    in named.conf, under the line

    recursion no;

    add the following:

    allow-recursion { "none"; };
    additional-from-cache no;

    Save and restart bind
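To confirm that a named.conf actually carries the settings from the reply above (and to catch the curly quotes that a browser paste tends to introduce into `allow-recursion`), here is an added Python check; it is not from the thread or from F5, and the sample config it audits is constructed.

```python
import re

RECURSION_KEYS = ("recursion", "allow-recursion", "additional-from-cache")

def strip_comments(text):
    """Drop BIND comment forms: /* ... */, // ... and # ..."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)

def options_block(text):
    """Return the body of the top-level options { ... } block, or None."""
    m = re.search(r"\boptions\s*\{", text)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(text) and depth:
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        i += 1
    return text[m.end():i - 1] if depth == 0 else None

def audit_named_conf(text):
    """Report the recursion-related settings found in the options block."""
    findings = {}
    # Curly quotes (U+201C/U+201D) are not valid named.conf syntax; flag them.
    findings["curly_quotes"] = bool(re.search("[\u201c\u201d]", text))
    body = options_block(strip_comments(text))
    findings["options_block"] = body is not None
    for key in RECURSION_KEYS:
        # A value is either a { ... } list or a bare token, terminated by ';'
        pat = r"(?m)^\s*%s\s+(\{[^}]*\}|[^;{]*?)\s*;" % re.escape(key)
        m = re.search(pat, body or "")
        findings[key] = m.group(1) if m else None
    allow = findings["allow-recursion"] or ""
    findings["recursion_locked_down"] = (
        findings["recursion"] == "no" and "none" in allow
        and findings["additional-from-cache"] == "no" and not findings["curly_quotes"])
    return findings

# Constructed sample config (not taken from the thread's appliance).
SAMPLE_CONF = """\
options {
    directory "/var/named";   // constructed sample
    recursion no;
    allow-recursion { "none"; };
    additional-from-cache no;
};
"""
```

Run `audit_named_conf(open("/path/to/named.conf").read())` against the real file; `recursion_locked_down` is True only when all three directives are present in `options` and no curly quotes slipped in.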

    • Chris_18457
      Thanks for the link to the bug. I have reviewed what they observed in the bug, and I don't see the "...out of memory..." logs in /var/log/kern.log. However, I will note that we upgraded our lab 2000s and 10250V clusters to 12.1 (as part of our recurring upgrade cycle) and noticed that we no longer see the reachouts on the mgmt interface. So the end result looks to be the same...upgrade (maybe patch with hot fix). Thanks!