Zyxel USG Flex 200 DNS Routing Issue
Philodendrin
Posts: 4
in Security
We support a small office that's using a USG Flex 200 in front of a Comcast Business modem (Comcast is the ISP). The customer has no on-site server, so the USG Flex 200 serves DNS and DHCP.
We've had relatively few issues, but today we ran into something weird. The customer reported that their broadband was down and sent most staff home since no one could work. When we went to check their connectivity, we saw that the firewall was reachable remotely, so we jumped on and noted that broadband connectivity to the firewall was fine. Yet, users claimed that they still couldn't connect to the Web, so we started looking at DNS settings.
The Flex 200's DHCP settings listed the Zyxel as the first DNS server, and then Comcast's DNS servers as the second and third. Under System - DNS - Domain Zone Forwarder, we have the same two Comcast DNS servers listed as Public DNS servers, queried via WAN1. WAN1 is connected to the Comcast modem. All pretty straightforward and normal, from my perspective.
When we ran an `ipconfig /all` command from a workstation on the LAN, everything DNS related matched what we had set up in DHCP. But, the workstation couldn't resolve any sites.
If we removed the Zyxel as the first DNS server from the DHCP server configuration on the Zyxel, renewed the workstation's IP, and re-tested, the workstation was able to browse the Web just fine. But, we're not sure why that would be any different than having the workstation look at the Flex 200 for its DNS info, rather than the Comcast servers. It should all resolve the same.
0
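One way to narrow down where resolution breaks in a setup like this, as an added example that is not part of the original post: query each resolver the DHCP scope hands out directly (the firewall's LAN address and the ISP servers) for the same name and compare the answers. If the ISP servers answer and the firewall times out or returns SERVFAIL, the problem is in the firewall's forwarder path, not on the client. The addresses below are placeholders to be replaced with the real ones.

```python
import socket
import struct

# Constructed placeholders: replace with the USG's LAN address and the
# ISP resolvers listed in the DHCP scope (192.0.2.0/24 is documentation space).
RESOLVERS = {
    "USG FLEX 200 (LAN)": "192.0.2.1",
    "ISP DNS 1": "192.0.2.2",
    "ISP DNS 2": "192.0.2.3",
}

RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, txid=0x1234):
    """Build a minimal DNS A query for `name` with the RD (recursion desired) flag set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_response(data, txid=0x1234):
    """Return (rcode, answer_count) from a DNS response header; raise on a bad reply."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("QR bit not set: not a response")
    return flags & 0x000F, an

def probe(server, name, timeout=2.0):
    """Send one UDP/53 query to `server` and return a short verdict string."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(query, (server, 53))
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return "timeout (no reply: forwarder or WAN path not answering)"
        except OSError as e:
            return f"socket error: {e}"
    rcode, answers = parse_response(data)
    return f"{RCODE_NAMES.get(rcode, rcode)} with {answers} answer(s)"

if __name__ == "__main__":
    for label, ip in RESOLVERS.items():
        print(f"{label:20} {ip:15} -> {probe(ip, 'example.com')}")
```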
All Replies
-
There is something not 100% with doing DNS to Zyxel but I can't seem to get them to look into it.
Can you do a packet capture on the WAN for ICMP and see if you're sending out Destination unreachable (Port unreachable).
0 -
Hello @Philodendrin,
Welcome to Zyxel community!
To check the cause, we need packets captured on the WAN/LAN interface of USG FLEX 200, and the screenshots of your settings (DHCP DNS, domain zone forwarder) too.
You can contact me through private message, thank you.
James
0
-
For future planning:
I recommend another DNS provider as the third DNS server. https://www.grc.com/dns/benchmark.htm may be useful in making your selection.
I always recommend a second ISP if possible, which will be paid for by avoiding just a few days of downtime. Many clients can limp along at a significantly slower speed for a few days, so the second ISP can be much slower and will boost overall performance on other days or can just be a backup link if the router's performance is maxed out with no option to upgrade.
0 -
Hello @Philodendrin,
There is another thing that needs to be checked.
Path: System > DNS > Show Advanced Settings > Security Option Control
It should be set to Allow, which is the default setting too. Please check if it's set to Deny.
Thank you.
James
0