Something not right with DNS? Destination unreachable

Options
PeterUK
PeterUK Posts: 2,757  Guru Member
First Anniversary 10 Comments Friend Collector First Answer
edited April 2022 in Security

Before I start its really bugging me that I can't remove default DNS forwarders just saying!

Zywall 110 and VPN300 firmware upto date

This is what I'm see when a PC by DNS to 192.168.53.1 VLAN53 to zywall 110 go to look up a request with DNS forwarder * 192.168.53.2 to my BIND server.

Its like the USG is rate limiting stopping replies getting to it

https://us.v-cdn.net/6029482/uploads/editor/dy/m5j4kiv76dsz.png


«1

All Replies

  • mMontana
    mMontana Posts: 1,302  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options
    PeterUK said:

    Its like the USG is rate limiting stopping replies getting to it

    AFAIK Zyxel firewalls have a "max session par host" setting. Which could be overruled or specified...
  • PeterUK
    PeterUK Posts: 2,757  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    The setting “Default session per host” is set to 0 “unlimited” in config >security policy > session control.

    Unless there is one for DNS?


  • mMontana
    mMontana Posts: 1,302  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options
    AFAIK there's anyway a maximum session limit. Did your device reach it?
  • PeterUK
    PeterUK Posts: 2,757  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    No? the USG is idle not under that much load when it happens maybe 50 connections if that of DNS the traffic.

    You can see the USG makes a request lookup then a reply then USG say port unreachable by ICMP


  • mMontana
    mMontana Posts: 1,302  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options
    Worth asking, no intention to annoy you.
    In the first post was not stated any working condition/load for the device.
  • PeterUK
    PeterUK Posts: 2,757  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options
    mMontana said:
    Worth asking, no intention to annoy you.
    Who say you are :p

    Just set forwarded to 1.1.1.1 on a USG60 for testing and still the USG randomly sends port unreachable by ICMP to 1.1.1.1
  • jasailafan
    jasailafan Posts: 191  Master Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options
    Just curious about the packets. Why 192.168.53.2 reply to port 53795, 42569 and 57317 while no previous packets asking from 192.168.53.1? I guess that's why 192.168.53.1 deny unknown packets. Is your USG behind a nat router?

  • PeterUK
    PeterUK Posts: 2,757  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    edited April 2022
    Options
    Their are requests made by 192.168.53.1 you just don't see them all in that snippet. 

    Its easy for anyone to show this problem just do a capture in USG for port 53 on the WAN or gateway run lots of web site lookups.

    Here is my another by USG60 with forwarder 1.1.1.1
    https://us.v-cdn.net/6029482/uploads/editor/8t/z1b1j2h0r6fu.png

  • PeterUK
    PeterUK Posts: 2,757  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options
    PeterUK said:
    Its easy for anyone to show this problem just do a capture in USG for port 53 on the WAN or gateway run lots of web site lookups.

    Well...Dam :/ so I tried one thing it could be and ...yes that how it being caused to happen I think the issue has to do with the DNS spoofing for WILDCARD FQDN with a bridge.


    I will be back with a drawing of how its happening but not sure if it can be solved or if its a problem.


  • PeterUK
    PeterUK Posts: 2,757  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    So the problem is at the USG60 end and zywall 110 dose NAT for the USG60 DNS to 1.1.1.1

    What I think is happening is the USG60 with a bridge is DNS spoofing from WILDCARD FQDN lookups so that doing DNS through the bridge can see your DNS you are making which is a good thing. But the bit that causing problems is USG60 does a lookup for “a1830.dscg2.akamai.net” from source port 37134 to gateway 192.168.44.1 for 1.1.1.1 this then NAT and same source port is used (which is not a problem) then the reply coming back “a1830.dscg2.akamai.net A 2.22.22.138 A 2.22.22.153 A 2.22.22.104 A 2.22.22.96” but at the same time it NAT back to 192.168.44.3 the bridge on the USG60 sees the same answer and this it where I think the problem happens.

    https://us.v-cdn.net/6029482/uploads/editor/2p/lr15ecxsglw1.png



Security Highlight