No default DNS for WAN1 on USG40

StefanLogar Posts: 9  Freshman Member
edited April 2021 in Security
Hi, Experts!
I have problems concerning the default DNS for internal use of our USG40. In LAN everything works correctly, DHCP-Clients get the correct DNS Servers, ...
But when I try to download firmware-files for APs or when calling an NSLOOKUP from the Diagnostic-Networkprogrammes, I get errors "Device can't connect to cloud servers" or ";; connection timed out; no servers could be reached".

WAN: fixed IP
DNS: 2 forwarders entered
In DNS under default I see N/A, and on the EasyMode overview screen I see DNS: N/A

Any help appreciated!

All Replies

  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,511  Zyxel Employee
    @StefanLogar
    Welcome to Zyxel Community  B)
    If the USG WAN type is static IP, it does not have a DNS server by default; you need to set up a DNS server for the USG.
    Go to “Configuration > System > DNS > Domain Zone forward”, click “Add” button to add DNS server for name query.

  • StefanLogar
    StefanLogar Posts: 9  Freshman Member
    @Zyxel_Cooldia, thank you for your reply, but, as mentioned in post 1, I have two entries for "Domain Zone Forwarder" - the DNS-Servers of my ISP. However, from the USG40 they seem not to be acknowledged.
  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,377  Zyxel Employee
    edited April 2019
    If the network tool shows “connection timed out; no servers could be reached”, it means the device did not receive a reply from the server side.
    Can you take a screenshot of your DNS zone forwarder setting?

  • StefanLogar
    StefanLogar Posts: 9  Freshman Member
    Hi, @Zyxel_Stanley, thank you for your help!

    My DNS settings (sorry, it's in German):
    My situation is as follows:
    - USG40 is behind the main router from our ISP
    - we use L2TP/IPSec for VPN-Connections
    - the internal network is working as expected, except for DNS, which, in addition to System>DNS, I had to enter manually into the LAN1-DHCP configuration
    - Internet is reachable without limitation from any LAN1-client
    - from USG40 (terminal) I can ping any host in LAN1
    - from USG40 I can ping the fixed external IP of the ISP-Router (xxx.xxx.xxx.xxx) but NOT(!) the internal IP of it (192.168.2.254)
    - USG40 is connected to ISP-router at WAN1, IP 192.168.2.100/24

    Best regards and thank you for any hint!
  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,377  Zyxel Employee

    Hi @StefanLogar  

    We have not seen this issue before, since your client can receive DNS results from the server successfully.

    I will send you a private message to check this issue in more detail.

  • Ian31
    Ian31 Posts: 174  Master Member
    - USG40 is connected to ISP-router at WAN1, IP 192.168.2.100/24
    The default lan2 ip address of USG40 is 192.168.2.1/24
    Did you change the default IP address of lan2 to any other IP network to avoid the conflict with WAN1?
     
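The overlap check raised in the reply above, as an added example that is not part of the original thread. The wan1 address, the lan2 default and the ISP router's internal IP come from the thread; the lan1 address and the renumbered lan2 are constructed sample values, and the function names are hypothetical.

```python
import ipaddress
from itertools import combinations


def find_overlaps(interfaces):
    """Return sorted pairs of interface names whose connected subnets overlap."""
    nets = {name: ipaddress.ip_interface(addr).network
            for name, addr in interfaces.items()}
    return sorted(
        (a, b)
        for a, b in combinations(sorted(nets), 2)
        if nets[a].overlaps(nets[b])
    )


def connected_candidates(interfaces, dest):
    """Return the interfaces whose connected subnet contains dest.

    More than one candidate means the device cannot tell from the
    address alone which port the destination sits behind.
    """
    ip = ipaddress.ip_address(dest)
    return sorted(
        name for name, addr in interfaces.items()
        if ip in ipaddress.ip_interface(addr).network
    )


# wan1 and the lan2 default are from the thread; lan1 is a constructed value.
FACTORY = {
    "wan1": "192.168.2.100/24",
    "lan1": "192.168.1.1/24",
    "lan2": "192.168.2.1/24",
}
# Constructed: lan2 moved to an unused network to remove the conflict.
RENUMBERED = dict(FACTORY, lan2="192.168.3.1/24")
GATEWAY = "192.168.2.254"  # internal IP of the ISP router, from the thread

if __name__ == "__main__":
    for label, table in (("default lan2", FACTORY),
                         ("renumbered lan2", RENUMBERED)):
        print(label, find_overlaps(table),
              connected_candidates(table, GATEWAY))
```
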
  • StefanLogar
    StefanLogar Posts: 9  Freshman Member
    Thank you, @Ian31!
    Good idea, but here is my IP overview. It's not the problem.

  • StefanLogar
    StefanLogar Posts: 9  Freshman Member
    Hi to all!
    I have found the following symptom now:

    • All DNS queries from inside LAN1 are successful, as they have the source 192.168.2.100 (WAN1 IP).
    • DNS-queries from the USG itself have timeouts, because they have the source xxx.xxx.xxx.xxx (ISP-Router's public IP)
    Maybe any new idea?
    Thanks i.a.
  • ChrisGer
    ChrisGer Posts: 205  Ally Member
    Hi @StefanLogar
    Is your external ISP Router (IP looks like AVM default IP) :) ?
    Be careful if your USG40W and the ISP Router are acting as SNAT router devices.
    With double SNAT you can have some side effects included :)

    I've a USG between LAN and DMZ Zone and behind a Layer7 Firewall, that is connected with the ISP Modem. ;)


    I have disabled SNAT (Source-NAT), but ... your ISP router requires the information about the subnets on your USG to send reply packets to the WAN1 interface on the USG.

    DNS -> normally your ISP Router is acting as DNS forwarder, too.

    I've the ZYWALL DNS-Zone-forwarder pointed to my external ISP-Firewall IP through WAN1.
    This is working well, and my ISP Firewall forwards all packets to the known DNS Server from my ISP.

    Regards and Good luck to Austria ;)
    Christian
  • Ian31
    Ian31 Posts: 174  Master Member
    @StefanLogar ,
    Does the public IP (88.xxx.xxx.xxx) bind with a PPPoE interface on USG40?
    Or is it a 1-1 NAT set on the ISP-router to map to wan1 of USG40?
