DNS query via vti

sebastian Posts: 7  Freshman Member
edited April 14 in Security
Dear all,

I have a problem with DNS queries via UDP to the VPN destination.
The Zyxel system always forwards DNS queries with the WAN IP for the vti interface instead of the local IP. For TCP traffic it is working fine and there is no communication issue (TCP: local Zywall IP).
Any idea how I can change it (SNAT)? It looks like a bug in the Zyxel firmware.

The solution would be to overwrite 

Has someone the same experience?

All Replies

  • lalaland
    lalaland Posts: 61  Ally Member


    I had a similar case in the past, but the scenario was a site-to-site IPSec VPN; the issue was solved by a policy route. How about creating a policy route, assigning the next hop as the VTI, and then doing the SNAT?

  • zyman2008
    zyman2008 Posts: 112  Ally Member
    The VTI IPSec is a route-based IPSec VPN.
    So the easiest way is to just add a static route to the destination through that VTI interface.
    For example,
    if the remote DNS server IP address is
    then add a static route with interface: the vti interface
  • sebastian
    sebastian Posts: 7  Freshman Member

    I have an IPSec site-to-site VPN with exactly a policy route and a static route working (without VTI interface).

    If I try a policy route like that for the IPSec vti tunnel, it is not working.

    Option 1 (SNAT not allowed):
    Zywall (Incoming), WAN IP (Source), destination network, Service (DNS_UDP:53), NextHop (vti1), SNAT not allowed via WebGUI, with CLI yes but no effect.

    Option 2 (SNAT allowed, no effect):
    any, WAN IP (Source), destination network, Service (DNS_UDP:53), NextHop (vti1), SNAT not allowed via WebGUI, with CLI yes but no effect.

    When I add the rule you mentioned I get the following error:
    CLI Number: 8
    Warning Number: 31001
    Warning Message: 'Invalid gateway. Default route will not be added.'

    If I do a Wireshark capture I clearly see that the DNS request is coming from the local IP like and the Zywall is answering via the wan1 interface and public IP -> completely wrong...

    If I do the same for SSH from to my local network it is correctly routed.

    Issue 1: 
    vti is not correctly implemented due to the fact that it is working via IPSec with Policy route

    Issue 2:
    DNS UDP via vti

    Blue box is my WAN IP

    I already opened a ticket (USG60W - IPSec VPN to VTI - Ticket #30062-163488) with Zyxel, but the only answer I got is that they need the whole configuration from both endpoints to be able to simulate the issue.
    I provided all configs that are required to set up the tunnel and the routing, but still no support.

  • Mark_Zyxel
    Mark_Zyxel Posts: 112  Zyxel Employee
    Dear Sebastian,

    If you have time today I will give you a quick call.
    I hope that we can solve the issue for you.

    Kind regards,

    ZYXEL Support Campus


  • sebastian
    sebastian Posts: 7  Freshman Member
    edited September 2017
    Please check your PN.
  • zyman2008
    zyman2008 Posts: 112  Ally Member
    That looks like the policy route for traffic going out from the device has some issue.

    Here is a workaround you can try:
    on the policy route, select the next-hop: auto

    auto means that once traffic hits this policy route, it then goes on to check the main routing table only.
    Then it will hit the static routing entry in the main routing table.

  • Zyxel_Charlie
    Zyxel_Charlie Posts: 1,033  Zyxel Employee


    In this scenario,

    you need to add DNS on the local USG (USG A) and a NAT rule on the remote device (USG B) to redirect the session to the DNS server.

    Here is an example:

    1. Configure the NAT rule on USG B

       Service: port 53

    2. Set the DNS and static route on USG A

  • zyman2008
    zyman2008 Posts: 112  Ally Member
    It's really strange that you need to set the DNAT on the peer.
    If there is a static route entry on USG A to reach, then the packet can reach the peer, right?

  • sebastian
    sebastian Posts: 7  Freshman Member

    I have set up a workaround via a Raspberry Pi and the unbound tool. The problem is that the answer from the Zywall always uses my wan1 (public IP) when I'm using UDP traffic.

    For TCP traffic it is working fine.

    Workaround: use a DNS proxy and forward all UDP DNS traffic via TCP to the DNS destination.

    Best regards,
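The workaround described in the post above (accept UDP DNS locally, carry each query to the remote resolver over TCP so the firewall routes it through the VTI) can be illustrated with a minimal forwarder. This is an added example, not sebastian's unbound configuration and not Zyxel code; the listen address `127.0.0.1:5353` and the upstream `10.0.0.53` are placeholder assumptions, and the sample query is constructed inline. The framing follows RFC 1035 section 4.2.2 (two-byte length prefix), and the forwarder drops any reply whose transaction ID does not match the query it sent, so a stray or mismatched answer is never handed back to the client.

```python
import socket
import struct


def frame_tcp(dns_msg: bytes) -> bytes:
    """Prefix a DNS message with its 2-byte big-endian length (RFC 1035 4.2.2)."""
    if len(dns_msg) > 0xFFFF:
        raise ValueError("DNS message too large for TCP framing")
    return struct.pack("!H", len(dns_msg)) + dns_msg


def unframe_tcp(buf: bytes) -> bytes:
    """Strip the TCP length prefix, checking that the body really is that long."""
    if len(buf) < 2:
        raise ValueError("short TCP DNS frame")
    (length,) = struct.unpack("!H", buf[:2])
    body = buf[2:2 + length]
    if len(body) != length:
        raise ValueError("truncated TCP DNS frame")
    return body


def ids_match(query: bytes, reply: bytes) -> bool:
    """True when the 16-bit transaction IDs of query and reply agree."""
    return len(query) >= 2 and len(reply) >= 2 and query[:2] == reply[:2]


def build_query(qname: str, qid: int = 0x1234, qtype: int = 1) -> bytes:
    """Constructed sample: a standard recursive query for qname (default type A)."""
    labels = b"".join(
        struct.pack("B", len(label)) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    # id, flags (RD set), qdcount=1, ancount=0, nscount=0, arcount=0
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes from a TCP socket, or raise if the peer closes early."""
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("upstream closed the connection")
        data += chunk
    return data


def forward_over_tcp(query: bytes, upstream: tuple, timeout: float = 3.0) -> bytes:
    """Send one DNS query to upstream over TCP and return the raw reply message."""
    with socket.create_connection(upstream, timeout=timeout) as s:
        s.sendall(frame_tcp(query))
        (length,) = struct.unpack("!H", recv_exact(s, 2))
        reply = recv_exact(s, length)
    if not ids_match(query, reply):
        raise ValueError("reply transaction ID does not match query")
    return reply


def serve(listen=("127.0.0.1", 5353), upstream=("10.0.0.53", 53)):
    """UDP listener that relays each datagram to upstream over TCP (placeholder addresses)."""
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp.bind(listen)
    while True:
        query, client = udp.recvfrom(4096)
        try:
            reply = forward_over_tcp(query, upstream)
        except (OSError, ValueError):
            # No answer is sent on failure; the stub resolver retries on its own timer.
            continue
        udp.sendto(reply, client)


if __name__ == "__main__":
    serve()
```

Point the clients (or the firewall's own DNS setting) at the listener; every UDP lookup then reaches the remote resolver as a TCP session, which in this thread is the traffic class that was being routed through the VTI correctly.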
  • Zyxel_Charlie
    Zyxel_Charlie Posts: 1,033  Zyxel Employee
    Hello Sebastian,
    We want to reproduce your case locally, so please share your topology and PM the configuration for our further checking.
