DNS Resolution

IT_Field_Support Posts: 97  Ally Member
First Comment Friend Collector Fifth Anniversary
edited April 2021 in Security

Hi guys,

I have an issue with one of our USG40W. Name resolution is not working from a laptop on the network, but it is working from the router itself. It seems that the router doesn't forward DNS requests to the DNS servers in the zone-forwarder.

The first DNS of the laptop is the router itself, so if the router doesn't resolve, it should forward the request to one of the 4 servers we have in the zone-forwarder.

Cannot find a way to debug this...
All Replies

  • John Doe
    John Doe Posts: 2  Freshman Member
    First Answer First Comment Sixth Anniversary Nebula Gratitude
    Security policy should allow port 53 to zywall
  • warwickt
    warwickt Posts: 111  Ally Member
    5 Answers First Comment Friend Collector Third Anniversary

    Hi IT_Field_Support, if the problem conditions & symptoms are something like these:

    1. LAN client local host name resolution locks up and times out, or
    2. LAN client public host name resolution locks up or times out
    3. host in VTIx site-to-site suddenly stops resolving via Forward DNS
    4. or the local USG router nslookup hostname times out
    5. and you might be at Firmware V4.32 to V4.35 and/or
    6. on USG20WVPN and/or USG40 or USG60
    7. AND the above Zyxel appliances show very low CPU load (< 5%) and
    8. the above Zyxel appliances are unusable via the HTTPS UI and extremely slow via ssh CLI
      1. and telnet your-USG40W-ipv4-address 53 times out despite the fact you can ping -c 3 your-USG40W-ipv4-address and it replies in a few ms ....
    9. and the USG40W briefly responds like normal after a 3 minute restart/boot, then 1.-8. above occur within 2 mins again, THEN

    it's probable that you might consider resetting the USG appliance and restoring the startup.conf, or a clone... This fixes it immediately!

    We have had this issue since V4.32 firmware.

    Steps to resolve possible symptoms 1-9 above:

    1. copy and rename your startup.conf via UI or ssh
    2. save it (goodUSG40W.conf) on a LAN host (Mac or PC etc)
    3. shutdown and RESET the USG40W
    4. power it off and restart it (black button on rear)
    5. use default admin/1234 over https to the USG40W
    6. restore the above goodUSG40W.conf to the USG40W if it's not there (it should be)
    7. restart from that config goodUSG40W.conf

    Your local name service lookup will work as long as you can telnet to port 53 on the USG (LAN1_SUBNET_client (your mac/pc) to router:port53 ...)

    If you can't, then enable DEBUG mode in the USG40W logs for each section and have a look... maybe the Security Policy is stopping you... easily resolved.

    We've performed this on our own and some of our clients' USG appliances and the routers come good again... especially ones that have been in use for several years.

    I'd be most curious if you have these issues above.
    Hong Kong
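    One way to pin down where resolution breaks, as an added example that is not part of this thread or Zyxel's tooling: from a LAN client, send the same query to the USG and to each zone-forwarder server directly, and check whether the USG even accepts a TCP/53 connection (the telnet check above). Addresses and the hostname below are placeholders (assumptions) to be replaced with the router's LAN address, the four forwarders, and a name the laptop fails to resolve. If the forwarders answer but the router times out or returns an error code, the problem is on the router (Security Policy or the forwarder path); if the forwarders also fail from the client, the problem is between the LAN and the servers.

```python
"""Added diagnostic (not from the thread): compare DNS answers from the USG
with answers from the zone-forwarder servers, queried directly from a LAN client.
All addresses and the hostname are placeholders."""
import random
import socket
import struct


def build_query(name, qtype=1, txid=None):
    """Build a minimal DNS query (A record by default). The RD flag is set so the
    router is asked to recurse/forward on our behalf, as a laptop's resolver would."""
    if txid is None:
        txid = random.randint(0, 0xFFFF)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode()
                     for label in name.strip(".").split("."))
    return txid, header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def _read_name(data, offset):
    """Decode a possibly-compressed DNS name; return (name, offset after it)."""
    labels = []
    jumped = False
    end = offset
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:          # compression pointer
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped = True
            offset = pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(data[offset:offset + length].decode())
        offset += length
    return ".".join(labels), end


def parse_response(data, expected_txid):
    """Return (rcode, [A-record IPs]); raise if the reply is not the one we sent."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response")
    rcode = flags & 0x000F
    offset = 12
    for _ in range(qd):                     # skip the echoed question section
        _, offset = _read_name(data, offset)
        offset += 4
    ips = []
    for _ in range(an):
        _, offset = _read_name(data, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(data[offset:offset + 4]))
        offset += rdlen
    return rcode, ips


def probe(server, name, timeout=2.0):
    """Send one UDP/53 query; return 'timeout', 'rcode=N', or the list of IPs."""
    txid, packet = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(packet, (server, 53))
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return "timeout"
    rcode, ips = parse_response(data, txid)
    return ips if rcode == 0 else f"rcode={rcode}"


def tcp53_open(server, timeout=2.0):
    """The telnet-to-port-53 check: can this LAN client open TCP/53 on the router?"""
    try:
        with socket.create_connection((server, 53), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    ROUTER = "192.0.2.1"                        # placeholder: USG40W LAN address
    FORWARDERS = ["192.0.2.10", "192.0.2.11"]   # placeholders: zone-forwarder servers
    NAME = "example.com"                        # placeholder: a name that fails to resolve
    print("tcp/53 to router open:", tcp53_open(ROUTER))
    print("router:", probe(ROUTER, NAME))
    for fwd in FORWARDERS:
        print(fwd, ":", probe(fwd, NAME))
```

    A "timeout" from the router while the forwarders answer points at the router (a Security Policy dropping LAN-to-ZyWALL port 53, or the forwarder path), which is the same conclusion the packet capture in Maintenance > Diagnostics would show from the router's side.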

  • Zyxel_Jerry
    Zyxel_Jerry Posts: 1,324  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 50 Answers 1000 Comments

    Hi @warwickt

    Thanks for your suggestion.

    Before taking any actions, we would like to figure out the root cause of the symptoms, since in our experience the issue sometimes happens due to an environment issue.

    Hi @IT_Field_Support

    Yes, if the router doesn't resolve, it will forward the request to the list in the zone-forwarder.

    Can you collect packets on the device?

    Go to Maintenance > Diagnostics > Packet Capture > Capture > select the port to detect DNS

    After testing, go to Maintenance > Diagnostics > Packet Capture > Files > select the file and click Download

  • warwickt
    warwickt Posts: 111  Ally Member
    5 Answers First Comment Friend Collector Third Anniversary

    Hi Zyxel_Jerry, ICYMI, refer to the following reply for the symptoms that we see when this occurs for DNS request failures...

    Hong Kong