Built in DNS resolver not working?

PeterUK
PeterUK Posts: 3,326  Guru Member
100 Answers 2500 Comments Friend Collector Seventh Anniversary
edited April 2021 in Security

Tested on USG40 V4.33(AALA.0)ITS-WK08-2019-03-14-190200778

So I blocked upstream my ISP DNS IP in order to test how the USG handles itself when it has to do the DNS lookup from root and it fails to do the lookup for anything like grc.com. It also fails to go out the the first listing of my trunk VLAN443 until I set metric to 1.

I think the USG/Zywall use bind and that might need updating?

Also a option to use the Built in DNS resolver without using ISP would be good

All Replies

  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,511  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 100 Answers 1000 Comments

    Hi @PeterUK

    In this scenario, the USG will perform iterative name query to dns root server(the USG have built-in root server list).

    However, the result is depends on name server response. Also, it may take more time to get response from other name server.

  • PeterUK
    PeterUK Posts: 3,326  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary

    But its not working on my USG60 with V4.25 doing a DNS lookup for GRC.com I make it fail focusing the USG60 to do the lookup and it will after some tries get the lookup done. But USG40 with V4.33(AALA.0)ITS-WK08-2019-03-14-190200778 does not get the lookup done correctly even after many tries.

  • PeterUK
    PeterUK Posts: 3,326  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary

    So I rolled back to V4.30 AALA.0 and get the same problem so its likely between V4.25 AALA.1 and V4.30 that the Built in DNS resolver stopped doing recursion lookups correctly.

  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,511  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 100 Answers 1000 Comments

    Hi @PeterUK

    I did the same test again at V4.25.1 and V4.30.C0 to verify build in DNS server resolver.

    The packet trace from wan have response from another DNS server.

    Can you test it again and capture packet on wan interface, then send me the full packets trace for further checking?

     

    Lab test result at V4.30.C0


  • PeterUK
    PeterUK Posts: 3,326  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    edited August 2019

    Its not going to be from WAN it be from OPT with me blocking ISP DNS upstream and my other DNS by 192.168.53.2 and making DNS from root by VLAN443.

  • PeterUK
    PeterUK Posts: 3,326  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary

    After doing many nslookup grc.com 192.168.255.243 it does get round to resolving but takes for ever when you got your ISP and other forward that are blocked for testing to make the built in resolver work from root.

  • PeterUK
    PeterUK Posts: 3,326  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary

    Or it might have been a one off as its not working after like 20 nslookup grc.com 192.168.255.243

    The other difference between USG60 and USG40 is USG60 has no default forwarders but 192.168.53.2 which I block at my bind setup in windows for testing and the lookup by VLAN443 eventually works. Where as USG40 has ISP DNS in default and 192.168.53.2 again I block ISP DNS by a switch and 192.168.53.2 in windows to make the USG do lookup by root itself it seem to try and do this by OPT and not by VLAN443.

Security Highlight