Something not right with DNS? Destination unreachable
Before I start, it's really bugging me that I can't remove default DNS forwarders, just saying!
Zywall 110 and VPN300 firmware up to date.
This is what I'm seeing when a PC does DNS to 192.168.53.1 (VLAN53) on the Zywall 110, which goes to look up a request with DNS forwarder * 192.168.53.2 to my BIND server.
It's like the USG is rate limiting, stopping replies getting to it.
https://us.v-cdn.net/6029482/uploads/editor/dy/m5j4kiv76dsz.png
The setting “Default session per host” is set to 0 “unlimited” in config > security policy > session control.
Unless there is one for DNS?
AFAIK there's anyway a maximum session limit. Did your device reach it?
No? The USG is idle, not under that much load when it happens, maybe 50 connections if that of DNS traffic.
You can see the USG makes a request lookup, then a reply, then the USG says port unreachable by ICMP.
Worth asking, no intention to annoy you. In the first post no working condition/load for the device was stated.
Just curious about the packets. Why does 192.168.53.2 reply to ports 53795, 42569 and 57317 while there are no previous packets asking from 192.168.53.1? I guess that's why 192.168.53.1 denies unknown packets. Is your USG behind a NAT router?
There are requests made by 192.168.53.1, you just don't see them all in that snippet. It's easy for anyone to show this problem: just do a capture in USG for port 53 on the WAN or gateway and run lots of web site lookups. Here is another of mine, by USG60 with forwarder 1.1.1.1
https://us.v-cdn.net/6029482/uploads/editor/8t/z1b1j2h0r6fu.png
PeterUK said: It's easy for anyone to show this problem: just do a capture in USG for port 53 on the WAN or gateway and run lots of web site lookups.
Well... Damn. So I tried one thing it could be and... yes, that's how it's being caused to happen. I think the issue has to do with the DNS spoofing for WILDCARD FQDN with a bridge.
I will be back with a drawing of how it's happening, but not sure if it can be solved or if it's a problem.
So the problem is at the USG60 end and the Zywall 110 does NAT for the USG60 DNS to 1.1.1.1.
What I think is happening is the USG60 with a bridge is DNS spoofing from WILDCARD FQDN lookups, so that doing DNS through the bridge can see the DNS you are making, which is a good thing. But the bit that's causing problems is this: the USG60 does a lookup for “a1830.dscg2.akamai.net” from source port 37134 to gateway 192.168.44.1 for 1.1.1.1, this is then NATed and the same source port is used (which is not a problem), then the reply comes back “a1830.dscg2.akamai.net A 2.22.22.138 A 2.22.22.153 A 2.22.22.104 A 2.22.22.96”, but at the same time it is NATed back to 192.168.44.3 the bridge on the USG60 sees the same answer, and this is where I think the problem happens.
https://us.v-cdn.net/6029482/uploads/editor/2p/lr15ecxsglw1.png
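One way to check a capture for the pattern this thread describes (a reply matched to a query, the same reply arriving a second time, then ICMP port unreachable for that port), as an added example that is not part of the thread and not Zyxel's code; the record layout, the transaction ids and the sample packets are constructed for illustration, only the addresses and ports are taken from the posts above.

```python
from collections import namedtuple

# Constructed capture records, modelled on (not copied from) the thread's
# screenshots: kind is "query", "response" or "icmp_unreach". For the ICMP
# record, src is the host reporting the closed port and dport is the UDP
# port quoted inside the ICMP payload. txid is the DNS transaction id.
Pkt = namedtuple("Pkt", "kind src sport dst dport txid")

def correlate_dns(packets):
    """Match DNS replies to outstanding queries and count the thread's pattern.

    answered  - reply matched a live query
    duplicate - a second copy of an already-consumed reply (e.g. the bridge
                seeing the same answer again after NAT delivered it)
    orphan    - reply to a client port that never sent a query
    rejected  - ICMP port unreachable sent for a port that was just answered
    """
    outstanding = set()      # (client, sport, txid) still awaiting a reply
    consumed = set()         # keys already answered once
    answered_ports = set()   # (client, sport) that received any reply
    summary = {"answered": 0, "duplicate": 0, "orphan": 0, "rejected": 0}
    for p in packets:
        if p.kind == "query" and p.dport == 53:
            outstanding.add((p.src, p.sport, p.txid))
        elif p.kind == "response" and p.sport == 53:
            key = (p.dst, p.dport, p.txid)
            if key in outstanding:
                outstanding.discard(key)
                consumed.add(key)
                answered_ports.add((p.dst, p.dport))
                summary["answered"] += 1
            elif key in consumed:
                summary["duplicate"] += 1   # same answer delivered twice
            else:
                summary["orphan"] += 1      # reply with no matching query
        elif p.kind == "icmp_unreach":
            if (p.src, p.dport) in answered_ports:
                summary["rejected"] += 1    # answered, then bounced by ICMP
    return summary

# Constructed sample: one client query, the resolver's reply, the same reply
# seen again, the client's ICMP port unreachable, and one unmatched reply.
SAMPLE = [
    Pkt("query", "192.168.44.3", 37134, "1.1.1.1", 53, 0x1A2B),
    Pkt("response", "1.1.1.1", 53, "192.168.44.3", 37134, 0x1A2B),
    Pkt("response", "1.1.1.1", 53, "192.168.44.3", 37134, 0x1A2B),
    Pkt("icmp_unreach", "192.168.44.3", 0, "1.1.1.1", 37134, 0),
    Pkt("response", "1.1.1.1", 53, "192.168.44.3", 53795, 0x0042),
]

if __name__ == "__main__":
    print(correlate_dns(SAMPLE))
```

Feeding a real capture in means converting each DNS or ICMP frame into a `Pkt` in the order seen; a non-zero duplicate count alongside rejected is the signature the last post describes.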