AUSCERT External Security Bulletin Redistribution
The BIG-IP DNS/GTM system may be exposed to DNS hijacking
25 November 2020
AusCERT Security Bulletin Summary
Product: BIG-IP DNS
Publisher: F5 Networks
Operating System: Network Appliance
Impact/Access: Provide Misleading Information -- Remote/Unauthenticated
Revision History: November 25 2020: Vendor added fixed release version
April 9 2018: Initial Release
- --------------------------BEGIN INCLUDED TEXT--------------------
K32518458: The BIG-IP DNS/GTM system may be exposed to DNS hijacking when the
BIG-IP system host name belongs to a public domain name that the BIG-IP owner
does not control
Original Publication Date: 07 Apr, 2018
Latest Publication Date: 25 Nov, 2020
Security Advisory Description
The BIG-IP DNS (formerly known as BIG-IP GTM) system may be exposed to DNS
hijacking when the BIG-IP system host name belongs to a public domain name that
the BIG-IP owner does not control. This issue occurs when all of the following
conditions are met:
o The BIG-IP DNS system is configured with a host name that belongs to a
domain that is either not registered with a domain name registrar or is
registered but not under the control of the BIG-IP DNS administrator.
o A DNS zone on the affected system contains an NS resource record configured
using the BIG-IP host name. This usually happens if a wide IP is created
for a zone that does not yet exist in the local BIND server. For example,
if you create wide IP www.mynewzone.com, and the mynewzone.com zone does
not already exist in the local BIND server, the BIG-IP DNS system will
automatically create this new zone with an NS resource record using the
BIG-IP host name.
o The BIG-IP DNS system is configured to use the local instance of BIND
  server. For example:
  - A virtual server is associated with a DNS profile enabled with the Use
    BIND Server on BIG-IP option (this option is enabled by default for the
  - A BIG-IP DNS pool uses the Return to DNS load balancing method.
  - A BIG-IP DNS pool's Alternate and Fallback load balancing methods are
    set to None, and all pools associated with the wide IP are unavailable.
An attacker may be able to use the DNS hijacking technique to redirect queries
to a rogue DNS server under the control of the attacker.
As a result of this issue, you may encounter the following symptom:
o The queries for the affected domain are redirected to a rogue DNS server.
Security Advisory Status
F5 Product Development has assigned ID 712653 to this issue. F5 has confirmed
that this issue exists in the products listed in the Applies to (see versions)
box, located in the upper-right corner of this article. For information about
releases, point releases, or hotfixes that resolve this issue, refer to the
|Type of fix          |Fixes introduced in |Related articles                           |
|Release              |14.1.0*             |K2200: Most recent versions of F5 software |
|Point release/hotfix |None                |None                                       |
* The fix in BIG-IP DNS 14.1.0 introduces a new setting,
wideip-zone-nameserver, which defaults the WideIP zone nameserver to
this.name.is.invalid. For information about this change or how to change this
new setting, refer to K35603050: Configuring the BIG-IP DNS WideIP zone
nameserver.
Security Advisory Recommended Actions
If you are deploying a new wide IP, you should configure a DNS zone for the
wide IP using ZoneRunner on the BIG-IP DNS system and ensure the Nameserver
setting of the NS resource record for this zone is using a server name from a
publicly registered domain that you control before proceeding to create the
wide IP. For information about configuring a DNS zone, refer to the Using
ZoneRunner to Configure DNS Zones chapter of the BIG-IP DNS Services:
Note: For information about how to locate F5 product manuals, refer to
K12453464: Finding product documentation on AskF5.
To mitigate this issue on an affected BIG-IP DNS system, you can modify the
host name of the affected system, as well as the NS resource records of the
affected DNS zones, to use a publicly registered domain that you control.
Alternatively, you can disable the Use BIND Server on BIG-IP option in the
affected DNS profile. To do so, perform either of the following procedures:
o Modifying the BIG-IP DNS host name and NS resource records
o Disabling the Use BIND Server on BIG-IP option
Modifying the BIG-IP DNS host name and NS resource records
You can modify the host name of the BIG-IP DNS system and the NS resource
records of the affected DNS zones to use a publicly registered domain that you
control. To do so, perform the following procedure:
Impact of workaround: Depending on the previously configured TTL settings of
the affected zone and/or the TTL settings imposed by upstream providers, the
change may not take effect immediately on the Internet.
1. Log in to the Configuration utility.
2. Go to System > Platform.
3. Modify the Host Name setting with a new host name that uses a publicly
registered domain that you control.
4. Select Update.
5. Go to DNS > Zones > ZoneRunner > Resource Record List.
6. In the View Name setting, select external.
7. In the Zone Name setting, select the affected domain.
8. In the Type setting, select All and select Search. The Configuration
utility displays all resource records relevant to the selected zone.
Note: Steps 9 through 13 assume that you do not have an existing A resource
record for the host name chosen in step 3. If you already have this host
name hosted in another DNS nameserver as an existing A resource record, you
can skip to step 14.
9. Select Create to create a new A resource record for the new host name you
have chosen in step 3.
10. In the Name setting, enter the new host name you have chosen in step 3.
11. In the TTL setting, enter an appropriate value applicable to your
12. Select A for the Type setting, and then enter the public-facing listener IP
address of the BIG-IP DNS system in the IP Address setting.
13. Select Finished to save the new record. The Configuration utility will
display only the A resource records when returning to the Resource Record
List page of the affected zone; to view all resource records, you must
select All for the Type setting and select Search.
14. Select the NS resource record for the affected zone.
15. In the Nameserver setting, enter the new host name.
Note: Ensure that the host name entry includes a trailing period character.
16. Select Update to save the changes.
17. Repeat steps 14 through 16 for any remaining NS resource record for the
Disabling the Use BIND Server on BIG-IP option
You can disable the Use BIND Server on BIG-IP option of the affected DNS
profile. To do so, perform the following procedure:
Impact of workaround: Disabling the BIND server will impact DNS configurations
that either use BIND as a fallback method (Return to DNS) or any non-wide IP
1. Log in to the Configuration utility.
2. Go to either of the following:
   - DNS > Delivery > Profiles > DNS
   - Local Traffic > Profiles > Services > DNS
3. Select the affected DNS profile.
4. For the Use BIND Server on BIG-IP option, select Disabled.
5. Select Update to save the changes.
6. Repeat steps 3 through 5 for any remaining affected DNS profiles.
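As an added example (not part of the F5 article or the AusCERT bulletin), the following Python script applies the checks this advisory asks for to a BIND-style zone export such as one taken from ZoneRunner: it flags NS records whose nameserver host does not fall under a domain you control (the hijackable condition) and NS values that lack the trailing period (which BIND reads as relative to the zone origin). The zone text and the controlled-domain list are constructed placeholders; the .invalid exemption reflects the reserved placeholder that 14.1.0 uses by default.

```python
import re

# Constructed list of public domains the BIG-IP owner actually controls.
CONTROLLED_DOMAINS = {"example.net"}

# Constructed zone export: one NS record carries an auto-generated BIG-IP host
# name under a domain the owner does not control, one lacks the trailing period.
SAMPLE_ZONE = """\
$ORIGIN mynewzone.com.
$TTL 300
@   IN SOA ns.example.net. hostmaster.example.net. (1 3600 600 86400 300)
@   IN NS  bigip1.mycorp-lab.net.
@   IN NS  ns.example.net.
@   IN NS  ns2.example.net
www IN A   192.0.2.10
"""

# owner [ttl] [IN] NS target  (comments already stripped, line already trimmed)
NS_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?NS\s+(\S+)$", re.IGNORECASE)


def fqdn(name, origin):
    """Absolute name as BIND interprets it: a trailing period means absolute,
    otherwise the $ORIGIN is appended (why the advisory insists on the period)."""
    name = name.lower()
    if name.endswith("."):
        return name
    return f"{name}.{origin}" if origin else name + "."


def controlled(host, domains):
    """True if host is the apex of, or a subdomain of, a domain you control."""
    return any(host == d + "." or host.endswith("." + d + ".") for d in domains)


def audit_zone(zone_text, domains=CONTROLLED_DOMAINS):
    """Return (owner, ns_value, finding) tuples for NS records needing attention."""
    origin, findings = None, []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if line.upper().startswith("$ORIGIN"):
            origin = line.split()[1].lower()
            continue
        m = NS_RE.match(line)
        if not m:
            continue
        owner, target = m.group(1), m.group(2)
        ns = fqdn(target, origin)
        if not target.endswith("."):
            findings.append((owner, target, f"missing trailing period; BIND reads it as {ns}"))
        elif ns.endswith(".invalid."):
            continue  # .invalid is reserved (RFC 2606) and cannot be registered
        elif not controlled(ns, domains):
            findings.append((owner, target, "nameserver is not under a domain you control"))
    return findings
```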
o K51812227: Understanding Security Advisory versioning
o K41942608: Overview of AskF5 Security Advisory articles
o K4602: Overview of the F5 security vulnerability response policy
o K4918: Overview of the F5 critical issue hotfix policy
o K9970: Subscribing to email notifications regarding F5 products
o K9957: Creating a custom RSS feed to view new and updated documents
o K12453464: Finding product documentation on AskF5
o K17329: BIG-IP GTM name has changed to BIG-IP DNS
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to firstname.lastname@example.org
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
Australian Computer Emergency Response Team
The University of Queensland
Internet Email: email@example.com
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.