Understanding SSL Certificate Errors with DNS Content Filter and HSTS on Zyxel USG FLEX

Zyxel_Kevin, Zyxel Employee

Question:

How can HTTPS error pages be prevented when the Zyxel DNS Content Filter blocks or warns about HSTS-enabled websites?

Answer:

When a Zyxel USG FLEX 700 with an enabled DNS Content Filter attempts to block or warn about a website that uses HSTS (HTTP Strict Transport Security), users may experience an HTTPS certificate error page instead of the expected Zyxel warning page. This behavior is a direct consequence of how HSTS operates and is not a bypassable firewall issue.

  • Root Cause:
    • DNS Content Filter Redirection: The error appears because the website is being blocked by the DNS Content Filter. Consequently, the firewall attempts to redirect the traffic to our landing page (domain: https://dnsft.cloud.zyxel.com).
    • HSTS Conflict: The certificate error occurs because the blocked websites you are visiting (e.g., youtube.com, vimeo.com) implement HSTS. Browsers expect the original website's certificate for HSTS-enabled sites. When the firewall redirects to its own landing page with a dnsft.cloud.zyxel.com certificate, the browser detects a certificate mismatch for the original HSTS-protected domain and issues a critical security warning.
    • Technical Limitation: This is a result of HSTS technical limitations, as explained in related articles, and is not an issue unique to Zyxel products. The browser's security policy for HSTS takes precedence, preventing the display of the Zyxel warning page.
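The three bullets above describe a chain: the DNS Content Filter answers a blocked name with the landing-page host, the landing page presents a certificate for dnsft.cloud.zyxel.com, and a browser that has the original domain in its HSTS cache refuses that certificate outright. The following Python model is an added illustration and is not code from Zyxel or from the original post; the blocked-domain list, the HSTS cache contents, the certificate subjects, and the simplification that the filter's redirect behaves like a DNS answer are all constructed assumptions. It shows why plain-HTTP and non-HSTS sites still reach the warning page while HSTS sites end at a non-bypassable certificate error.

```python
"""Model of why a DNS content filter's landing page triggers a certificate
error on HSTS-enabled sites.  Added illustration only: every domain, every
certificate subject and the HSTS cache below are constructed sample values,
not data captured from a USG FLEX or a real browser."""
from dataclasses import dataclass

LANDING_PAGE = "dnsft.cloud.zyxel.com"   # landing-page domain named in the post

# Constructed: names the DNS Content Filter policy blocks (one without HSTS).
BLOCKED_DOMAINS = {"youtube.com", "vimeo.com", "blocked-no-hsts.test"}

# Constructed: the browser's HSTS cache.  For these hosts the browser forces
# HTTPS and offers no "proceed anyway" link on a certificate error.
HSTS_CACHE = {"youtube.com", "vimeo.com"}


@dataclass
class Certificate:
    subject_alt_names: list


def dns_filter_resolve(hostname):
    """Assumed model of the filter: a blocked name resolves to the landing host."""
    return LANDING_PAGE if hostname in BLOCKED_DOMAINS else hostname


def server_certificate(resolved_host):
    """Constructed: the certificate presented by the host actually reached.
    The landing page can only ever present its own name in the SAN list."""
    if resolved_host == LANDING_PAGE:
        return Certificate([LANDING_PAGE])
    return Certificate([resolved_host, "www." + resolved_host])


def hostname_matches(cert, hostname):
    """Simplified RFC 6125 check: exact SAN match or a single-label wildcard."""
    hostname = hostname.lower()
    for san in cert.subject_alt_names:
        san = san.lower()
        if san == hostname:
            return True
        if san.startswith("*.") and hostname.count(".") == san.count(".") \
                and hostname.endswith(san[1:]):
            return True
    return False


def browser_fetch(url):
    """Return what the user ends up seeing for a URL under the model above."""
    scheme, _, hostname = url.partition("://")
    # HSTS: a cached host is upgraded to https:// before any request is sent,
    # so the filter never gets a chance to answer a plain-HTTP request.
    if hostname in HSTS_CACHE:
        scheme = "https"
    resolved = dns_filter_resolve(hostname)
    if scheme == "http":
        # No certificate is involved, so the landing page renders as intended.
        return "warning_page" if resolved == LANDING_PAGE else "page"
    cert = server_certificate(resolved)
    if hostname_matches(cert, hostname):
        return "warning_page" if resolved == LANDING_PAGE else "page"
    # The certificate names the landing page, not the host the user asked for.
    if hostname in HSTS_CACHE:
        return "cert_error_no_bypass"      # HSTS: hard failure, no click-through
    return "cert_error_bypassable"         # ordinary interstitial the user can skip


if __name__ == "__main__":
    for u in ("http://youtube.com", "https://vimeo.com",
              "http://blocked-no-hsts.test", "https://blocked-no-hsts.test"):
        print(f"{u:32} -> {browser_fetch(u)}")
```

The model makes the operational point explicit: the outcome is decided by the browser's HSTS cache, not by anything configurable on the firewall, because the landing page can never present a certificate valid for youtube.com or vimeo.com. Installing a different certificate on the firewall or trusting the Zyxel CA on clients changes nothing for HSTS hosts; only the non-HSTS, plain-HTTP case ever reaches the warning page cleanly.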