DNS query via vti

sebastian Posts: 7  Freshman Member
edited April 2021 in Security
Dear all,

I have a problem with DNS queries via UDP to the VPN destination.
The Zyxel system is always forwarding DNS queries with the WAN IP for the vti interface instead of the local IP. For TCP traffic it is working fine with no communication issue (TCP local Zywall IP).
Any idea how I can change it (SNAT)? It looks like a bug in the Zyxel firmware.

The solution would be to overwrite 

Has anyone had the same experience?

All Replies

  • lalaland
    lalaland Posts: 90  Ally Member

    Hi,

    I had a similar case in the past, but the scenario was a Site-to-Site IPSec VPN; the issue was solved by a policy route. How about creating a policy route, assigning the VTI as the next hop, then doing the SNAT?

  • zyman2008
    zyman2008 Posts: 219  Master Member
    The VTI IPSec is a route-based IPSec VPN.
    So the easiest way is just to add a static route to the destination through that VTI interface.
    For example,
    if the remote DNS server IP address is 192.168.10.10,
    then add a static route 192.168.10.10/255.255.255.255, interface: the vti interface
     
  • sebastian
    sebastian Posts: 7  Freshman Member
    Hi,

    I have an IPSec Site-to-Site VPN with exactly a policy route and a static route working (without VTI interface).

    If I try a policy route like that for the IPSec vti tunnel, it is not working.

    Option 1 (SNAT_not allowed):
    Zywall (Incoming), WAN IP (Source), destination network, Service (DNS_UDP:53), NextHop (vti1), SNAT not allowed via WebGui, with CLI yes but no effect.

    Option 2 (SNAT_allowed no effect):
    any, WAN IP (Source), destination network, Service (DNS_UDP:53), NextHop (vti1), SNAT not allowed via WebGui, with CLI yes but no effect.

    When I add the rule you mentioned I get the following error:
    CLI Number: 8
    Warning Number: 31001
    Warning Message: 'Invalid gateway. Default route will not be added.'

    If I do a Wireshark, I clearly see that the DNS request is coming from the local IP like 192.168.1.1 and the Zywall is answering via the wan1 interface and Public IP -> 192.168.1.1. Completely wrong...

    If I do the same for ssh from 192.168.1.1 to my local network, it is correctly routed.


    Issue 1: 
    vti is not correctly implemented due to the fact that it is working via IPSec with Policy route

    Issue 2:
    DNS UDP via vti


    Blue box is my WAN IP


    Remark:
    I already opened a ticket (USG60W - IPSec VPN to VTI - Ticket #30062-163488 ) with Zyxel, but the only answer I got is that they need the whole configuration from both end points to be able to simulate the issue.
    I provided all configs that are required to set up the tunnel and the routing but still no support.



  • [Deleted User]
    [Deleted User] Posts: 118  Ally Member
    Dear Sebastian,

    If you have time today I will give you a quick call.
    I hope that we can solve the issue for you.

    Kind regards,

    Mark
    ZYXEL Support Campus
  • sebastian
    sebastian Posts: 7  Freshman Member
    edited September 2017
    Please check your PN.
  • zyman2008
    zyman2008 Posts: 219  Master Member
    That looks like the policy route for traffic going out from the device has some issue.

    Here is a workaround you can try:
    On the policy route, select the next-hop: auto

    auto means that once traffic hits this policy route, it then checks the main routing table only.
    Then it will hit the static routing entry in the main routing table.

  • Zyxel_Charlie
    Zyxel_Charlie Posts: 1,034  Zyxel Employee

    Hello,

    In this scenario, you need to add DNS on the local USG (USG A) and a NAT rule on the remote device (USG B) to redirect the session to the DNS server.

    Here is an example:

    1.      Configure the NAT rule on USG B

    Original: 10.0.1.10

    Mapping: 192.168.10.33

    Service: port 53


    2.      Set the DNS and static route on USG A


    Thanks

    Charlie

  • zyman2008
    zyman2008 Posts: 219  Master Member
    It's really strange that you need to set the DNAT on the peer.
    If there is a static route entry on USG A to reach 192.168.10.33, then the packet can reach the peer, right?

  • sebastian
    sebastian Posts: 7  Freshman Member
    Dear,

    I have set up a workaround via a Raspberry Pi and the unbound tool. The problem is that the answer from the Zywall is always using my wan1 (Public IP) when I'm using UDP traffic.

    For TCP traffic it is working fine.

    The workaround is to use a DNS proxy and forward all UDP DNS traffic via TCP to the DNS destination.

    Best regards,
    Sebastian
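
The workaround described in the post above (accept DNS over UDP locally, forward it upstream over TCP), sketched as an added example; it is not code from the thread and not how unbound itself is implemented. The listen address, the upstream 192.168.10.10 (the example DNS server IP used earlier in the thread) and the assumption that each reply fits in one UDP datagram are illustrative.

```python
import socket
import struct

def frame_for_tcp(msg: bytes) -> bytes:
    """DNS over TCP prefixes each message with a 2-byte big-endian length."""
    if len(msg) > 0xFFFF:
        raise ValueError("DNS message too large for TCP framing")
    return struct.pack("!H", len(msg)) + msg

def read_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes; a TCP reply may arrive in several segments."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("upstream closed mid-message")
        buf += chunk
    return buf

def read_framed(sock: socket.socket) -> bytes:
    """Read one length-prefixed DNS message from a TCP stream."""
    (length,) = struct.unpack("!H", read_exact(sock, 2))
    return read_exact(sock, length)

def exchange(tcp: socket.socket, query: bytes) -> bytes:
    """Send one query on a connected TCP socket and return the matching reply."""
    if len(query) < 12:                      # shorter than a DNS header
        raise ValueError("not a DNS message")
    tcp.sendall(frame_for_tcp(query))
    reply = read_framed(tcp)
    if reply[:2] != query[:2]:               # transaction ID must match
        raise ValueError("transaction ID mismatch")
    return reply

def serve(listen=("127.0.0.1", 5353), upstream=("192.168.10.10", 53)):
    """UDP listener for local clients; every query leaves as TCP (assumed addresses)."""
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp.bind(listen)
    while True:
        query, client = udp.recvfrom(4096)
        try:
            with socket.create_connection(upstream, timeout=3) as tcp:
                udp.sendto(exchange(tcp, query), client)
        except (OSError, ValueError):
            continue                         # drop; the client will retry

if __name__ == "__main__":
    serve()
```
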
  • Zyxel_Charlie
    Zyxel_Charlie Posts: 1,034  Zyxel Employee
    Hello Sebastian,
    We want to reproduce your case locally, so please share your topology and PM the configuration so we can check further.
    Charlie
