Zyxel USG Flex 200 DNS Routing Issue
Philodendrin
Posts: 4
in Security
We support a small office that's using a USG Flex 200 in front of a Comcast Business modem (Comast is ISP). The customer has no on-site server, so the USG Flex 200 serves DNS and DHCP.
We've had relatively few issues, but today we ran into something weird. The customer reported that their broadband was down and sent most staff home since no one could work. When we went to check their connectivity, we saw that the firewall was reachable remotely, so we jumped on and noted that broadband connectivity to the firewall was fine. Yet, user's claimed that they still couldn't connect to the Web, so we started looking at DNS settings.
The Flex 200's DHCP settings listed the Zyxel as the first DNS server, and then Comcast's DNS servers as the second and third. Under System - DNS - Domain Zone Forwarder, we have the same two Comcast DNS servers listed as Public DNS servers, queried via WAN1. WAN1 is connected to the Comcast modem. All pretty straightforward and normal, from my perspective.
When we ran an Ipconfig /all command from a workstation on the LAN, everything DNS related matched what we had setup in DHCP. But, the workstation couldn't resolve any sites.
If we removed the Zyxel as the first DNS server from the DHCP server configuration on the Zyxel, renewed the workstation's IP, and re-tested, the workstation was able to browse the Web just fine. But, we're not sure why that would be any different than having the workstation look at the Flex 200 for its DNS info, rather than the Comcast servers. It should all resolve the same.
We've had relatively few issues, but today we ran into something weird. The customer reported that their broadband was down and sent most staff home since no one could work. When we went to check their connectivity, we saw that the firewall was reachable remotely, so we jumped on and noted that broadband connectivity to the firewall was fine. Yet, user's claimed that they still couldn't connect to the Web, so we started looking at DNS settings.
The Flex 200's DHCP settings listed the Zyxel as the first DNS server, and then Comcast's DNS servers as the second and third. Under System - DNS - Domain Zone Forwarder, we have the same two Comcast DNS servers listed as Public DNS servers, queried via WAN1. WAN1 is connected to the Comcast modem. All pretty straightforward and normal, from my perspective.
When we ran an Ipconfig /all command from a workstation on the LAN, everything DNS related matched what we had setup in DHCP. But, the workstation couldn't resolve any sites.
If we removed the Zyxel as the first DNS server from the DHCP server configuration on the Zyxel, renewed the workstation's IP, and re-tested, the workstation was able to browse the Web just fine. But, we're not sure why that would be any different than having the workstation look at the Flex 200 for its DNS info, rather than the Comcast servers. It should all resolve the same.
0
All Replies
-
Their is something not 100% with doing DNS to Zyxel but I can't seem to get them to look into it.
Can you do a packet capture on the WAN for ICMP and see if your sending out Destination unreachable (Port unreachable).
0 -
Hello @Philodendrin,Welcome to Zyxel community!To check the cause, we need packets captured on WAN/LAN interface of USG FLEX 200, and the screenshots of your settings(DHCP DNS, domain zone forwarder) too.You can contact me through private message, thank you.James0
-
For future planning:I recommend another DNS provider as the third DNS server. https://www.grc.com/dns/benchmark.htm may be useful in making your selection.I always recommend a second ISP if possible, which will be paid for by avoiding just a few days of downtime. Many clients can limp along at a significantly slower speed for a few days, so the second ISP can be much slower and will boost overall performance on other days or can just be a backup link if the routers performance is maxed out with no option to upgrade.
0 -
Hello @Philodendrin,There is another thing need to check.Path: System > DNS > Show Advanced Settings > Security Option ControlIt should be set to Allow which is the default setting too. Please check if it's set to Deny.Thank you.James0
Categories
- All Categories
- 414 Beta Program
- 2.3K Nebula
- 136 Nebula Ideas
- 92 Nebula Status and Incidents
- 5.5K Security
- 191 USG FLEX H Series
- 262 Security Ideas
- 1.4K Switch
- 71 Switch Ideas
- 1K Wireless
- 40 Wireless Ideas
- 6.2K Consumer Product
- 238 Service & License
- 376 News and Release
- 80 Security Advisories
- 24 Education Center
- 5 [Campaign] Zyxel Network Detective
- 3K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 81 About Community
- 70 Security Highlight