Something not right with DNS? Destination unreachable


All Replies

  • PeterUK
    PeterUK Posts: 3,426  Guru Member
    My check was wrong. I must have done a capture with 53 only and forgot that does not include ICMP, so I checked again with the USG60 WAN disconnected so it does DNS by VLAN443, and still Destination unreachable.

    So for anyone wanting to test this problem: just do a capture in the USG for the IP forwarder like 1.1.1.1 set in the USG on the WAN or gateway, and run lots of web site lookups.

  • PeterUK
    PeterUK Posts: 3,426  Guru Member
    edited May 2022
    So I'm hoping Zyxel will relook at this, but they are saying it's normal behaviour for the USG to send and block DNS replies with Destination unreachable. I have a full packet capture of a simple LAN and WAN by USG60 should anyone from Zyxel like to double check my or their findings.

    So what causes this? Well, it looks to be caused (but I'm thinking it might not be) in Windows 11 with the Edge browser, where the client (192.168.255.193) sends queries again to the USG (192.168.255.203) under the same source port and Transaction ID, and when I do an ip.dst == 172.217.169.40 filter nothing is found, which the client should or might have made a connection to.

    Here is a merge of LAN and WAN as to what is happening:
    https://us.v-cdn.net/6029482/uploads/editor/f7/c7umdh93i5cv.png


  • CHS
    CHS Posts: 181  Master Member
    edited May 2022
    Why did the client 192.168.255.193 send the same DNS requests and use the same Transaction ID & same source port?
    When a PC sends multiple DNS requests, the source port should be random even if it queries the same URL.
    You can compare with another PC by sending multiple DNS queries.
    C:\nslookup businessforum.zyxel.com 1.1.1.1


  • PeterUK
    PeterUK Posts: 3,426  Guru Member
    CHS said:
    Why did the client 192.168.255.193 send the same DNS requests and use the same Transaction ID & same source port?

    I don't know, but I don't think it's the cause. I'm using the newest Windows 11 with the Edge browser. The same DNS request using the same Transaction ID & same source port is likely because it didn't receive a reply in 1000ms before trying again, and you can see the USG did receive a reply in 10ms yet it dropped it instead of turning round and sending it to the client.
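As an added illustration, not part of the thread and not Zyxel's or PeterUK's capture: a small Python script that runs the checks the posts above argue about over a merged LAN+WAN packet list. The packet list is constructed to model the behaviour PeterUK describes (forwarder answers in about 10 ms, the USG never relays the answer and emits ICMP Destination unreachable, the client retries after 1000 ms with the same transaction ID and source port) and includes one healthy lookup for contrast. The addresses are the ones quoted in the thread; the timings, query names, ports and transaction IDs are made up. In a real investigation you would build the same records from a pcap (for instance with scapy or tshark) instead of the inline sample.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

# Roles as quoted in the thread; 1.1.1.1 is the forwarder configured on the USG.
CLIENT = "192.168.255.193"
USG_LAN = "192.168.255.203"
FORWARDER = "1.1.1.1"


@dataclass(frozen=True)
class Pkt:
    t: float        # seconds since capture start
    proto: str      # "dns" or "icmp"
    src: str
    dst: str
    sport: int      # UDP source port (0 for ICMP)
    dport: int      # UDP destination port (0 for ICMP)
    txid: int       # DNS transaction ID (0 for ICMP)
    is_reply: bool  # DNS QR bit; for ICMP, True marks an error message
    name: str = ""  # queried name, or ICMP message description


# Constructed sample (not a real capture) modelling the reported behaviour.
SAMPLE = [
    Pkt(0.000, "dns", CLIENT, USG_LAN, 51515, 53, 0x1A2B, False, "www.google.com"),
    Pkt(0.001, "dns", USG_LAN, FORWARDER, 40001, 53, 0x1A2B, False, "www.google.com"),
    Pkt(0.011, "dns", FORWARDER, USG_LAN, 53, 40001, 0x1A2B, True, "www.google.com"),
    Pkt(0.011, "icmp", USG_LAN, FORWARDER, 0, 0, 0, True, "destination unreachable (port)"),
    # client retry after 1000 ms, same transaction ID and same source port
    Pkt(1.000, "dns", CLIENT, USG_LAN, 51515, 53, 0x1A2B, False, "www.google.com"),
    Pkt(1.001, "dns", USG_LAN, FORWARDER, 40002, 53, 0x1A2B, False, "www.google.com"),
    Pkt(1.012, "dns", FORWARDER, USG_LAN, 53, 40002, 0x1A2B, True, "www.google.com"),
    Pkt(1.012, "dns", USG_LAN, CLIENT, 53, 51515, 0x1A2B, True, "www.google.com"),
    # a healthy lookup for comparison: answered and relayed on the first attempt
    Pkt(2.000, "dns", CLIENT, USG_LAN, 52020, 53, 0x3C4D, False, "businessforum.zyxel.com"),
    Pkt(2.001, "dns", USG_LAN, FORWARDER, 40003, 53, 0x3C4D, False, "businessforum.zyxel.com"),
    Pkt(2.009, "dns", FORWARDER, USG_LAN, 53, 40003, 0x3C4D, True, "businessforum.zyxel.com"),
    Pkt(2.009, "dns", USG_LAN, CLIENT, 53, 52020, 0x3C4D, True, "businessforum.zyxel.com"),
]


def client_retransmissions(pkts, client=CLIENT):
    """(txid, sport) pairs the client sent more than once, with the gaps (s) between sends.
    A gap near 1.0 s matches the Windows resolver retry PeterUK describes."""
    sends = defaultdict(list)
    for p in pkts:
        if p.proto == "dns" and not p.is_reply and p.src == client:
            sends[(p.txid, p.sport)].append(p.t)
    return {k: [round(b - a, 3) for a, b in zip(ts, ts[1:])]
            for k, ts in sends.items() if len(ts) > 1}


def unrelayed_replies(pkts, usg=USG_LAN, client=CLIENT):
    """Replies the USG received from upstream minus replies it relayed to the client,
    per (txid, name). Any positive count is an answer that was dropped on the box."""
    upstream, relayed = Counter(), Counter()
    for p in pkts:
        if p.proto != "dns" or not p.is_reply:
            continue
        if p.dst == usg:
            upstream[(p.txid, p.name)] += 1
        elif p.src == usg and p.dst == client:
            relayed[(p.txid, p.name)] += 1
    return {k: upstream[k] - relayed[k] for k in upstream if upstream[k] > relayed[k]}


def icmp_unreachables(pkts, usg=USG_LAN):
    """ICMP error messages the USG itself emitted (what a port-53-only filter hides)."""
    return [p for p in pkts if p.proto == "icmp" and p.src == usg]


def upstream_latency_ms(pkts, usg=USG_LAN):
    """Time from each USG->forwarder query to the matching reply, in ms."""
    pending, latencies = {}, []
    for p in pkts:
        if p.proto != "dns":
            continue
        if not p.is_reply and p.src == usg:
            pending[(p.txid, p.sport)] = p.t
        elif p.is_reply and p.dst == usg and (p.txid, p.dport) in pending:
            latencies.append(round((p.t - pending.pop((p.txid, p.dport))) * 1000, 1))
    return latencies


def source_port_randomization(pkts, client=CLIENT):
    """CHS's comparison: distinct queries (by txid) vs distinct source ports the client used.
    Fresh queries should each get a new random port; a retry of the same query legitimately
    reuses its port and txid, so the two counts are compared per distinct query."""
    queries = [p for p in pkts if p.proto == "dns" and not p.is_reply and p.src == client]
    return len({p.txid for p in queries}), len({p.sport for p in queries})


if __name__ == "__main__":
    print("client retries (txid, sport) -> gaps:", client_retransmissions(SAMPLE))
    print("upstream replies never relayed:", unrelayed_replies(SAMPLE))
    print("ICMP unreachables sent by USG:", len(icmp_unreachables(SAMPLE)))
    print("upstream latency ms:", upstream_latency_ms(SAMPLE))
    print("distinct queries vs distinct source ports:", source_port_randomization(SAMPLE))
```

On the sample, the script shows the two views side by side: the forwarder answered every query in about 10 ms, yet one answer for 0x1a2b was never relayed and an ICMP unreachable went back to 1.1.1.1 at the same instant, while the client's retry reused port 51515 and the same transaction ID only for that one unanswered query, so the distinct-query versus distinct-port counts still match.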

