USG FLEX 200 does not answer parallel DNS requests correctly

lsk Posts: 2

Hi,

we have a new USG FLEX 200 running firmware V5.37(ABUI.0).

Connected to the lan1 network (static IP 192.168.200.1) are a few Linux boxes. We set up static IP/MAC bindings for those and DNS names (IPv4 only) that do not end in .local.

We currently observe significant delays when trying to resolve any DNS name from the Linux boxes. A closer look revealed:

  • Linux sends parallel DNS requests for the A and AAAA records of names to resolve. This cannot be disabled.
  • The USG FLEX 200 answers only one of them, causing Linux to retry after 5 seconds.
  • On the second try, usually both answers are sent.
  • Resolving the names manually, e.g. via "dig -t A www.zyxel.com" and "dig -t AAAA www.zyxel.com", I could NOT reproduce the problem; it seems to occur only when the requests come in very close after one another.
  • Affects all DNS names, e.g. myrouter.local, names entered in Configuration > System > DNS as well as www.zyxel.com.
  • Issue persists across reboots.

Output from tcpdump:

10:08:25.464550 192.168.200.20.54288 > 192.168.200.1.53: 63292+ A? myrouter.local. (32)
10:08:25.464567 192.168.200.20.54288 > 192.168.200.1.53: 63525+ AAAA? myrouter.local. (32)
10:08:25.465477 192.168.200.1.53 > 192.168.200.20.54288: 63525* 0/1/0 (73)
(no answer for A record, Linux retries after 5 sec)
10:08:30.468874 192.168.200.20.54288 > 192.168.200.1.53: 63292+ A? myrouter.local. (32)
10:08:30.469902 192.168.200.1.53 > 192.168.200.20.54288: 63292* 1/1/0 myrouter.local. A 192.168.200.1 (65)
10:08:30.470061 192.168.200.20.54288 > 192.168.200.1.53: 63525+ AAAA? myrouter.local. (32)
10:08:30.470914 192.168.200.1.53 > 192.168.200.20.54288: 63525* 0/1/0 (73)

Is this some kind of UDP flooding protection?

Regards

All Replies

  • Zyxel_James
    Zyxel_James Posts: 663  Zyxel Employee

    Hello @lsk,
    for further clarification, is it possible to provide your DNS configuration, such as domain zone forwarder and address record?
    And please capture the packets during DNS queries, thanks.

  • lsk
    lsk Posts: 2

    Hi @Zyxel_James ,

    the packet capture log in my question was taken on the Linux box but the capture on the USG FLEX 200 looks identical. I actually tested with myrouter.local to exclude configuration issues with our DNS entries.

    For me it looks as if, when the second DNS query arrives before the first reply is sent, only a reply for one of them is sent back and the other one gets discarded by the USG - so you have to be fast.

    While (for me) the A query is always followed by the AAAA query, the single response is sometimes the A record and sometimes the AAAA record, so not consistently for the first or second query.

    There is a zone forwarder rule to an upstream DNS server via wan1. That however is created based on DHCP information and not part of the USG configuration (and should not matter for myrouter.local, right?).

    Relevant snippets from startup-config.conf:

    ip dhcp pool LAN1_POOL
    network 192.168.200.0 255.255.255.0
    default-router 192.168.200.1
    first-dns-server ZyWALL
    starting-address 192.168.200.10 pool-size 200
    lease 2 0 0

    ip dhcp pool Static_LAN1_4C5262B90BEF
    host 192.168.200.20
    hardware-address 4C:52:62:B9:0B:EF
    description BOX1

    interface lan1
    ip address 192.168.200.1 255.255.255.0
    ip dhcp-pool LAN1_POOL
    type internal
    description Intranet
    upstream 1048576
    downstream 1048576
    mtu 1500
    ip dhcp-pool Static_LAN1_4C5262B90BEF

    ip ip-mac-binding lan1 activate

    ip dns server a-record box1.local.example.org 192.168.200.20
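A small probe for the behaviour described in this thread, added here as an example (not Zyxel's or the poster's code): it sends an A and an AAAA query for the same name back-to-back from one UDP source port, exactly as the Linux resolver does in the tcpdump above, and reports which of the two query IDs the server answered within the timeout. The query IDs, the default timeout and the server/name arguments are constructed values; the wire format follows RFC 1035.

```python
"""Check whether a DNS server answers two near-simultaneous queries sent
from the same UDP source port (the A + AAAA pattern from the thread)."""
import socket
import struct
import sys
import time

A, AAAA = 1, 28  # RR type codes


def build_query(name: str, qtype: int, qid: int) -> bytes:
    """Minimal recursion-desired query: 12-byte header, QNAME, QTYPE, QCLASS=IN."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_reply(data: bytes) -> dict:
    """Return the id, RCODE and section counts (the 'an/ns/ar' tcpdump shows)."""
    qid, flags, _qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {"id": qid, "rcode": flags & 0xF, "answers": an,
            "authority": ns, "additional": ar}


def probe(server: str, name: str, timeout: float = 2.0, port: int = 53) -> dict:
    """Send A and AAAA from ONE socket back-to-back; report answered/missing types."""
    ids = {0xF73C: "A", 0xF825: "AAAA"}  # constructed IDs, both in flight at once
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    for qid, label in ids.items():
        sock.sendto(build_query(name, A if label == "A" else AAAA, qid), (server, port))
    seen = {}
    deadline = time.monotonic() + timeout
    while len(seen) < len(ids) and time.monotonic() < deadline:
        try:
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            break
        reply = parse_reply(data)
        if reply["id"] in ids:          # ignore unrelated datagrams
            seen[reply["id"]] = reply
    sock.close()
    return {"answered": sorted(ids[i] for i in seen),
            "missing": sorted(ids[i] for i in ids if i not in seen)}


if __name__ == "__main__":
    # usage: python probe.py <dns-server-ip> <name>, e.g. 192.168.200.1 myrouter.local
    print(probe(sys.argv[1], sys.argv[2]))
```

A healthy server returns `missing: []`; the thread's symptom shows up as one of `A` or `AAAA` in `missing` on the first run while each type resolves fine when queried on its own.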
