d.nebula.zyxel.com DNS resolve shows different results than it tries to connect to

Hello Community,
My AP tries every minute to reach one of the two AWS Servers that are not listed in d.nebula.zyxel.com and is blocked.

I followed the connectivity settings on your KB: Knowledge Base | Zyxel.
TCP ports 6667 and 4335 for d.nebula.zyxel.com are allowed on the firewall.

Do I need to allow 443? It's noted in that KB that this port is used by users, not by the AP itself, to connect to the NCC.

Now I have the following problem:
For the name d.nebula.zyxel.com I get the resolve:
52.16.90.243
52.210.229.217
52.48.115.44
54.76.217.223
54.73.103.137
34.243.116.158
52.210.12.1
34.246.20.161

But if I check the firewall, it says it tries to connect to:
54.174.230.238
52.207.42.20
(with 443 SSL) and denies it.

I'm from Europe/Austria. Is it possible that something is wrong here with the AWS DNS entries?

Did I miss something on my side? Can you please help me?

All Replies

  • Zyxel_Judy (Zyxel Employee)

    Hi there,

    Besides d.nebula.zyxel.com, there are other services such as s.nebula.zyxel.com or firmware.nebula.zyxel.com, etc. You can try to resolve these domains to check whether they are the two AWS servers that are not listed.

    Besides, some services use dynamic IP addresses, so the resolve you get might not be the same every time.

    We recommend you base the security policy on the domains, not the IP addresses, to avoid some services being blocked/denied.


  • Hello, thank you for your reply,
    I changed the rules on the firewall like you suggested, but the problem is still the same.

    On the firewall these are now allowed:
    d.nebula.zyxel.com
    s.nebula.zyxel.com
    d-a.nebula.zyxel.com
    d-cp.nebula.zyxel.com
    d-mp.nebula.zyxel.com

    The problem is still the same: the access points try to connect with port 443 to the IPs

    54.174.230.238 
    52.207.42.20
    and are denied because these two IPs are not resolved in these Names.

    Should I add these two IP addresses to the rule, or is there a problem with the DNS resolve?
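
The check suggested in the thread (resolve every allowed name and see whether the denied destinations appear in any answer) can be scripted. This is an added example, not part of the thread or any Zyxel tooling; the FQDN and IP lists are copied from the posts above, and the function names and the `rounds` parameter are illustrative assumptions.

```python
import socket
from collections import defaultdict

# FQDNs the poster allowed on the firewall (taken from the thread).
ALLOWED_FQDNS = [
    "d.nebula.zyxel.com", "s.nebula.zyxel.com", "d-a.nebula.zyxel.com",
    "d-cp.nebula.zyxel.com", "d-mp.nebula.zyxel.com",
]
# Destination IPs the firewall denied on TCP 443 (taken from the thread).
DENIED_IPS = ["54.174.230.238", "52.207.42.20"]


def system_resolve(name):
    """Return the IPv4 addresses the local resolver gives for name."""
    try:
        infos = socket.getaddrinfo(name, 443, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return set()  # NXDOMAIN or resolver failure: contributes no addresses
    return {info[4][0] for info in infos}


def build_coverage(fqdns, resolve=system_resolve, rounds=3):
    """Map each IP seen to the FQDNs that returned it, over several lookups.

    Repeating the lookup matters because records behind a load balancer
    rotate, so a single query can miss addresses.
    """
    coverage = defaultdict(set)
    for _ in range(rounds):
        for name in fqdns:
            for ip in resolve(name):
                coverage[ip].add(name)
    return coverage


def classify_denied(denied_ips, coverage):
    """Split denied IPs into those explained by an allowed FQDN and those not."""
    explained = {ip: sorted(coverage[ip]) for ip in denied_ips if ip in coverage}
    unexplained = [ip for ip in denied_ips if ip not in coverage]
    return explained, unexplained


if __name__ == "__main__":
    cov = build_coverage(ALLOWED_FQDNS)
    explained, unexplained = classify_denied(DENIED_IPS, cov)
    for ip, names in explained.items():
        print(f"{ip}: returned by {', '.join(names)}")
    for ip in unexplained:
        print(f"{ip}: not returned by any allowed FQDN")
```

Run it from a host that uses the same DNS resolver as the firewall, since FQDN-based rules match only the addresses the firewall itself resolved. A denied IP that stays unexplained belongs to a hostname outside the allowed list rather than to a stale answer for a listed one.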
