K23022557 : The BIG-IP system may respond with the NXDOMAIN status when it receives a DNS query of a certain type on a CNAME wide IP

Security Advisory Description

The BIG-IP system may respond with the NXDOMAIN status when it receives a DNS query on a CNAME wide IP. This issue occurs when all of the following conditions are met:

• The BIG-IP system is configured with a CNAME wide IP.

For example:

test.example.com

• The BIG-IP system is also configured with a DNS Express (DNSX) zone, but it does not have a record for the CNAME wide IP.
• The BIG-IP system receives a DNS query of type MX orANY for the CNAME wide IP.

Impact

DNS cache resolvers that receive the response with the NXDOMAIN status use that response for the entire domain name. As a result, DNS clients that use these DNS cache resolvers for DNS queries of type A/AAAA may receive responses with the NXDOMAIN status until the cache expires.

Symptoms

As a result of this issue, you may encounter one or more of the following symptoms:

• BIG-IP iHealth lists Heuristic H645784 on the Diagnostics >Identified>Medium screen.
• A DNS cache resolver receives a DNS response with the NXDOMAIN status when querying the BIG-IP system for an MX record orANY records of a CNAME wide IP.
• A DNS client receives DNS responses with NXDOMAIN when querying an affected DNS cache resolver for A/AAAA records.