DNS cookie...and this system...

PeterUK
PeterUK Posts: 4,411 Guru Member
edited January 24 in USG FLEX H Series

This really is something else you got going on with all the root and TLD servers.

So, to bring everyone up to speed: Zyxel have a system where your WAN interface links up to Nebula, and it does this in such a way that if you have two WANs and you try to force the Zywall to use a given WAN, you get blocked, because Nebula was expecting to see you via your other WAN within a given window. So if you have two WANs and one fails, will it use your other WAN correctly? Yes, but only because of the Connectivity Check, which lets Nebula know.

And so now you understand: somehow they have done the same to DNS, such that if you use the FLEX with no added DNS forwarders, the FLEX gets its answers by recursive lookup via the root and TLD servers. What I think Zyxel have done (though others were likely involved) is to have cookies in DNS, under Additional records, that say whether a given IP should be allowed or not.

And here is the confusing part: I run my own BIND with no forwarders, and I also know the USG60 runs BIND, yet it all works fine. By fine I mean: take the FLEX 200H with no DNS forwarders, with a trunk of VLAN443 active and VLAN53 passive, so it does DNS via VLAN443. Then I add a routing rule for incoming Zywall DNS with next hop VLAN53, which goes to my 5G backup ISP, and lookups are blocked. What I mean is the Zywall is sending DNS traffic to the given root and TLD servers but I get no reply, and I can only think it's to do with the DNS cookie. Then if I fail VLAN443, the Zywall must use VLAN53, and DNS works.

But here is where things get really interesting: the USG60 does not know about this system, and neither does my BIND, yet when the FLEX 200H is set to VLAN443 only as a trunk, you would think running DNS via the USG60 on VLAN53 to my other ISP would fail? But it doesn't, because the cookie is unknown so it's allowed; same with my BIND.

So I'm worried that maybe this is the first step to stopping anyone accessing the root and TLD servers? It just seems silly logic. I mean, I get why this might be done, but what I mean is that in a trunk setting with VLAN443 active and VLAN53 passive, you cannot have DNS by the Zywall use VLAN53 unless the active has failed.
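For readers unfamiliar with what a "DNS cookie" in the Additional section actually is on the wire: it is an EDNS(0) option (option code 10, RFC 7873) carried inside the OPT pseudo-record, holding an 8-byte client cookie and an optional 8 to 32-byte server cookie. The following Python is an added example, not Zyxel's or the poster's code; it builds a constructed sample response and extracts the cookie pair, so you can see exactly where such a cookie sits when you look at a capture like the ones discussed in this thread.

```python
import struct

EDNS_COOKIE = 10  # EDNS(0) option code for DNS COOKIE (RFC 7873)
TYPE_OPT = 41     # the OPT pseudo-RR in the Additional section that carries EDNS options


def _skip_name(msg, off):
    """Return the offset just past a wire-format name, handling compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if (length & 0xC0) == 0xC0:  # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def extract_dns_cookie(msg):
    """Return (client_cookie, server_cookie) from the OPT RR, or None if no COOKIE option."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    for _ in range(an + ns):
        off = _skip_name(msg, off)
        off += 10 + struct.unpack("!H", msg[off + 8:off + 10])[0]  # fixed RR fields + RDATA
    for _ in range(ar):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata = msg[off + 10:off + 10 + rdlen]
        off += 10 + rdlen
        if rtype != TYPE_OPT:
            continue
        pos = 0
        while pos + 4 <= len(rdata):  # walk the option TLVs inside the OPT RDATA
            code, olen = struct.unpack("!HH", rdata[pos:pos + 4])
            data = rdata[pos + 4:pos + 4 + olen]
            pos += 4 + olen
            # RFC 7873: 8-byte client cookie alone, or client cookie + 8..32-byte server cookie
            if code == EDNS_COOKIE and (len(data) == 8 or 16 <= len(data) <= 40):
                return data[:8], data[8:]
    return None


def build_sample_response(client_cookie, server_cookie):
    """Constructed sample: a response for example.com/A with one OPT RR carrying a COOKIE option."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 0, 0, 1)  # id, flags (QR|RD|RA), QD=1, AR=1
    question = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    option = struct.pack("!HH", EDNS_COOKIE, len(client_cookie) + len(server_cookie)) + client_cookie + server_cookie
    opt_rr = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0, len(option)) + option  # root name, UDP size 4096
    return header + question + opt_rr
```

A capture with no OPT record, or an OPT record whose COOKIE option is malformed, makes `extract_dns_cookie` return `None`, which is what you would expect from a resolver that does not implement cookies at all.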

All Replies

  • Zyxel_Melen
    Zyxel_Melen Posts: 4,531 Zyxel Employee
    edited January 26

    Hi Peter

    Please allow me to clarify the details and then update you.

    Zyxel Melen


  • Zyxel_Melen
    Zyxel_Melen Posts: 4,531 Zyxel Employee

    Hi @PeterUK

    I did a lab in which the USG FLEX H was asking the root and TLD servers, but there was no response. Below is the packet capture from the device, taken between the passive interface and its uplink.

    [image: packet capture]

    It seems like this issue is in the uplink, although it starts to receive responses after the active interface goes down.

    Zyxel Melen


  • PeterUK
    PeterUK Posts: 4,411 Guru Member
    edited February 2

    Yes, that's my point: when the active interface is down, then the root and TLD servers work on the passive one. It's an odd thing; it seems to be the same system Nebula uses.

    I can only think it's a DDoS protection system for the root and TLD servers?

    Which is why I say it must be a cookie in the DNS lookups that says if it should be allowed or not. So on the FLEX H, access to the root and TLD servers is allowed when the interface is active, but if you try to use a passive interface you are blocked, unless your active interface is down, at which point the FLEX uses a given cookie that the system allows. Yet my BIND and USG60 run lookups fine over the link that is passive, because it has to, or DNS would fail outright.