FQDN stopped update IP lookup

PeterUK

USG FLEX 700H V1.36(ABZI.0)

For some reason FQDN are not being lookup any more when I test on FLEX 200H thats fine to the same DNS.

Like I put in pingbox1.thinkbroadband.com for a rule but the FLEX700H will not DNS for it.

Not rebooted yet

Zyxel_Barry

Hi @PeterUK,

Based on your description, the USG FLEX 700H is experiencing issues with FQDN IP lookup, while your FLEX 200H on the same DNS is functioning correctly.

Here are some initial troubleshooting steps and information requests:

Preliminary Solutions:

1. Check FQDN Cache Refresh: The USG FLEX H Series devices check and update the FQDN cache every two minutes or when the cache's TTL (Time-To-Live) expires. Although the H-Series allows FQDN caching to be configured to never expire, ensure the FQDN object for pingbox1.thinkbroadband.com is configured correctly and that the device can actively query the address.
2. DNS Resolution Check: Use the CLI command cmd diagnostics nslookup domain-name-or-ip domain-name pingbox1.thinkbroadband.com on your USG FLEX 700H to verify if the device can resolve the domain name. This will help determine if the issue is with general DNS resolution or specific to FQDN object updates.
3. DNS over HTTPS/TLS: If you are using DNS over HTTPS (DoH) or DNS over TLS (DoT), the firewall may not be able to properly inspect and update the FQDN. Try disabling DoH on your browser or changing the action of "DNS over HTTPS/TLS detection" to "Pass" on the USG FLEX 700H.
4. Reboot: Although you mentioned you haven't rebooted yet, a reboot can often resolve transient issues. Please consider rebooting the USG FLEX 700H.

Information Gathering:

To further assist you, please provide the following:
1. Screenshots of the FQDN Address Object configuration for pingbox1.thinkbroadband.com on your USG FLEX 700H.
2. Network Topology Diagram: A simple diagram showing how your USG FLEX 700H is connected to the internet and your internal network, including DNS server configurations.
3. Diagnostic File: Collect the diagnostic file from your USG FLEX 700H. You can do this via the GUI by navigating to Maintenance > Diagnostics > Diagnostics and clicking "Collect Now". If the device is unresponsive, please refer to the troubleshooting steps for collecting diag-info via console.

Zyxel_Melen

Hi @PeterUK

May I know if this issue occurs on the client only? What's the result if you use the network tool to nslookup?

PeterUK

Hi Barry and Melen

Yes its been over two minutes and setup on FLEX 200H in the same way is fine so something not right with the FLEX700H at this time.

0> cmd diagnostics nslookup domain-name-or-ip domain-name pingbox1.thinkbroadband.com
nslookup-diagnostics
ok
result "Trying "pingbox1.thinkbroadband.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3836
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;pingbox1.thinkbroadband.com.\x09IN\x09ANY

;; ANSWER SECTION:
pingbox1.thinkbroadband.com. 114 IN\x09A\x0980.249.99.164

Received 61 bytes from 127.0.0.1#53 in 0 ms
"
..
..
0>
0> cmd diagnostics nslookup Query-Server 192.168.53.2 domain-name-or-ip domain-name pingbox1.thinkbroadband.com
nslookup-diagnostics
ok
result "Trying "pingbox1.thinkbroadband.com"
Using domain server:
Name: 192.168.53.2
Address: 192.168.53.2#53
Aliases:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 910
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;pingbox1.thinkbroadband.com.\x09IN\x09ANY

;; ANSWER SECTION:
pingbox1.thinkbroadband.com. 300 IN\x09A\x0980.249.99.164

Received 61 bytes from 192.168.53.2#53 in 34 ms
"
..
..
0>

note I have a local DNS server running bind

DNS over HTTPS/TLS not a problem don't use it.

Reboot will do at some point

Flex 700H P6 VLAN 53 with IP 192.168.53.1/27, 192.168.53.6/27, 192.168.53.26/27, 192.168.53.14/27 to DNS server 192.168.53.2 and 192.168.53.4 as backup by USG60

Will PM you the Diagnostic File

PeterUK

Hi Melen

The issue is not the client but the FLEX H not doing lookups for a FQDN for the cache.

However the Wildcard FQDN cache are happing when DNS goes through the FLEX 700H but non Wildcard FQDN are not being looked up by the FLEX 700H itself

PeterUK

update in testing on the FQDN Address Object configuration for pingbox1.thinkbroadband.com I click the test button I get this

Trying "pingbox1.thinkbroadband.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53274
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;pingbox1.thinkbroadband.com. IN ANY

;; ANSWER SECTION:
pingbox1.thinkbroadband.com. 260 IN A 80.249.99.164

Received 61 bytes from 127.0.0.1#53 in 8 ms

Then I go out of that FQDN lookup pingbox1.thinkbroadband.com to view it again and still shows No data for IPv4 Cache List.

Have not rebooted yet

PeterUK

After a reboot the FQDN are now updating within 3 minutes

PeterUK

Its done it again FQDN not updating even if I delete the FQDN and add it back as a policy rule its not doing the lookup its self.

PeterUK

Update so I did some looking in SSH settings

If I do

object address-object fqdn enabled false

commit

then

object address-object fqdn enabled true

commit

It starts working again

Zyxel_Melen

Hi @PeterUK

Thanks for updating the details. So the issue is occurring on the Address Object IPv4 Cache List.

We are investigating on this and I will update you once I get further information.

PeterUK

So by chance I found what trigged this to happen

So on reboot interfaces get there IP DHCP and DNS Global Zone Forwarder auto gets add then fqdn updates on lookups for the given IPv4 Cache List and what triggers the stop in this case is unplugging the SFP for 30 seconds which causes DNS Global Zone Forwarder auto IP to be removed then when you plug the SFP back in no more fqdn updates even when I don't use them auto added DNS as I use my added 192.168.53.2 and 192.168.53.4 for the FLEX H to use.