Domain Zone Forwarders not working


All Replies

  • nick_patchett
    nick_patchett Posts: 12  Freshman Member
    First Comment Fifth Anniversary Zyxel Certified Network Administrator - Nebula Zyxel Certified Sales Associate
    edited July 19

    This is the result I get from the nslookup diagnostic within the firewall, so you can see it isn't forwarding the request to the zone forwarder but rather to the global forwarder.

    If I open up advanced settings and specify the remote DNS server, it just times out, as if the firewall is ignoring its own static routes. However, if I put the 155.231.231.1 DNS server into a Windows laptop behind the firewall, I can resolve and reach destinations fine, so the static route is working.
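    An added example, not code from the thread or from Zyxel: the snippet below models what a domain zone forwarder is supposed to do (match the query name against configured zones label by label, send matches to that zone's server, and send everything else to the global forwarder) and then provides a raw UDP DNS probe that can bind a chosen source address. That lets you reproduce the situation above from any host: query 155.231.231.1 directly, once from a LAN address and once from the address the firewall would use, and see which one times out. The zone table uses the 155.231.231.1 server from the post; the global forwarder 192.0.2.53 and the answer address used in the comments are placeholder values, not from the thread.

```python
import random
import socket
import struct

# Constructed forwarder table modelled on the thread: nhs.uk goes to the
# remote server reached over the VPN, everything else to the global forwarder.
# 192.0.2.53 is a placeholder (TEST-NET-1), not an address from the thread.
ZONE_FORWARDERS = {"nhs.uk": "155.231.231.1"}
GLOBAL_FORWARDER = "192.0.2.53"


def _labels(name):
    """Split a DNS name into lower-case labels, ignoring a trailing dot."""
    return [l for l in name.lower().rstrip(".").split(".") if l]


def select_forwarder(qname, zone_forwarders=ZONE_FORWARDERS,
                     global_forwarder=GLOBAL_FORWARDER):
    """Return (zone, server) for the longest zone matching qname.

    Matching is done on whole labels, so 'notnhs.uk' does not match the
    'nhs.uk' zone. With no matching zone, (None, global_forwarder) is returned,
    which is the "went to the global forwarder" outcome seen in the thread.
    """
    q = _labels(qname)
    best_zone, best_server = None, global_forwarder
    for zone, server in zone_forwarders.items():
        z = _labels(zone)
        if len(z) <= len(q) and q[-len(z):] == z:
            if best_zone is None or len(z) > len(_labels(best_zone)):
                best_zone, best_server = zone, server
    return best_zone, best_server


def build_query(qname, txid, qtype=1):
    """Build a standard recursion-desired query (default type A, class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qn = b"".join(bytes([len(l)]) + l.encode("ascii") for l in _labels(qname))
    return header + qn + b"\x00" + struct.pack("!HH", qtype, 1)


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name starting at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, name ends
            return off + 2
        off += 1 + length


def parse_a_records(msg, txid):
    """Return the IPv4 addresses in the answer section; raise on id mismatch or error RCODE."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    rcode = flags & 0x0F
    if rcode:
        raise ValueError("server returned RCODE %d" % rcode)
    off = 12
    for _ in range(qd):                 # skip the echoed question(s)
        off = _skip_name(msg, off) + 4
    ips = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return ips


def probe(qname, server, source_ip=None, timeout=3.0):
    """Send one A query straight to `server`, optionally sourced from `source_ip`.

    Binding the source address reproduces the firewall sending the query from
    a specific interface (for example a VTI address) rather than its LAN address.
    A socket.timeout here is the same symptom as the firewall's diagnostic timing out.
    """
    txid = random.randrange(1 << 16)
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        if source_ip:
            s.bind((source_ip, 0))
        s.sendto(build_query(qname, txid), (server, 53))
        data, _ = s.recvfrom(4096)
    finally:
        s.close()
    return parse_a_records(data, txid)


if __name__ == "__main__":
    import sys
    # usage: python probe.py www.nhs.uk [source_ip]
    name = sys.argv[1] if len(sys.argv) > 1 else "www.nhs.uk"
    src = sys.argv[2] if len(sys.argv) > 2 else None
    zone, server = select_forwarder(name)
    print("zone=%s server=%s" % (zone, server))
    try:
        print(probe(name, server, src))
    except socket.timeout:
        print("timed out from source %s" % (src or "default"))
```

    Run it twice with the same name and server but different source addresses; if the LAN-sourced probe answers and the other one times out, the problem is the path or return route for that source address rather than the forwarder configuration.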

  • nick_patchett

    Did more testing: set up a Windows DNS server, put the forwarders in, and pointed a machine on the LAN at it, and DNS resolved perfectly, so it is 100% the firewall zone forwarders that are not working.

  • PeterUK
    PeterUK Posts: 3,152  Guru Member
    Community MVP 2500 Comments Sixth Anniversary 100 Answers
    edited July 19

    In my testing, the way I got it to work is that the local IP/subnet in the VTI setting at your end needs to match your LAN; in my case it is 192.168.255.42/255.255.255.240, and 192.168.255.42 must not be in use.

    On the remote site (in your case NHS), their local VTI must match your local IP/subnet; in my case 192.168.255.43/255.255.255.240, and 192.168.255.43 must not be in use.

    Then when your client at, say, 192.168.255.40 uses DNS 192.168.255.39 (the Zywall), it will use the Domain Zone Forwarders for NHS and go via the VTI to the NHS IP, in my case 192.168.55.2.

  • nick_patchett

    Thanks for this Peter, we seem to be getting somewhere.

    So my local firewall is on 192.168.170.254/255.255.255.0, I've changed the VTI address in the IPSEC VPN settings to be 192.168.170.253/255.255.255.255.

    This has got the firewall to start resolving the address when testing using nslookup.

    And my device on 192.168.170.1 using the firewall on 254 as its DNS resolver can resolve addresses on the nhs.uk domain.

    But performance is really poor. I am getting dropped packets to the VTI interface.

    The remote end of the VPN is setup by a third-party supplier so I have no visibility of their VTI settings, and to be honest, they have never mentioned them so I am not even sure if they are in use.

  • nick_patchett

    Right, well, this is very weird: I changed the VTI again to a different IP, and that broke it all. I put it back to 192.168.170.253/255.255.255.25 and now everything is working perfectly!