DNS Filter - does it cascade to the next firewall rule?

itxnc
itxnc Posts: 98  Ally Member
First Comment Friend Collector Sixth Anniversary

We have a client that has a default filter policy in their FLEX 200 for their employees, but wanted a less strict filter for a handful of management employees. So we have a LAN → WAN rule (Position 1 - LAN1_Mgmt_To_WAN) with the Source set to a group of their specific computer IPs (static reservation) and the less strict filter, then the LAN → WAN rule (Position 2 - LAN1_UTM_To_WAN) for everyone else. But we're finding that they are still getting caught in the main DNS filter. Logs confirm they are blocked by the second rule (LAN1_UTM).

And I thought I answered my own question while I wrote this out - they're being blocked by the LAN to Zywall DNS filter NOT the LAN → WAN filter. But the weird thing is - the logs were clear the block was from the company wide LAN to WAN filter (Rule #2 LAN1_UTM_To_WAN). We added a LAN1_Mgmt_to_Zywall rule with their less restrictive DNS filter (ahead of the main LAN1→ZyWall rule with DNS filter). But didn't matter. They are still blocked by Rule #2.

I get with the firewall, if traffic isn't allowed by Rule X, it tries rule X+1 and so on. But with the filters, we thought if a site was blocked, then it didn't cascade down the firewall rules anymore - it just blocked. But in this case, it seems to be cascading. We confirmed that Rule #1 IS passing allowed traffic from the correct IPs - so the Source group is working. What are we missing?

All Replies

  • PeterUK
    PeterUK Posts: 3,460  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary

    Did a test here with grc.com and DNS Content Filter seems fine here

    PC 192.168.255.193 < any DNS allowed to Zywall

    secure-policy 1

    name IP192168255193

    from LAN1

    to ZyWALL

    sourceip IP192168255193

    action allow

    PC 192.168.255.194 < DNS block Business to Zywall

    secure-policy 2

    name Business_block

    from LAN1

    to ZyWALL

    dns-cf-profile Business log by-profile activate

    action allow

  • itxnc
    itxnc Posts: 98  Ally Member
    First Comment Friend Collector Sixth Anniversary

    So, you made a full bypass. Try this. Make rule one block, say, porn and residential IPs. Make rule two block porn, residential IPs, and online shopping. Now go to an online shopping site with a machine that should use the first rule/filter.

    Here's another weird thing. One site we're messing with is www.jlindeberg.com In the logs it flagged as Fashion/Beauty. But when we query it in the DNS Content Filter screen, it flags as Online Shopping.

    Doesn't matter because NEITHER of those categories are blocked in the Mgmt bypass filter. They ARE blocked in the main site filter. Now I know sites can flag in multiple categories and the Domain test will usually only return one (really wish it returned all). But just odd they don't match up:

    And again - LAN1_UTM is BELOW the special bypass rule LAN1_Mgmt_to_WAN. So how is it even getting hit? Source IP in the log matches up to the group in the Mgmt bypass rule. If I turn logging on in the bypass rule, I get tons of logs from the PCs in question - so it's being used.

    Now the REALLY weird part? I go to amazon.com, rakuten.com, walmart.com - all load fine. So Online Shopping certainly isn't being blocked on these machines.

    I even downloaded the config file and opened it up to make sure the filter didn't somehow have a phantom entry not showing up in the GUI. Nope - the rules all look fine.

    We're stumped…

  • PeterUK
    PeterUK Posts: 3,460  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    edited September 2023

    Ok I now test with grc.com Business Content Filter and kloth.net Technical_Business_Forums  Content Filter

    secure-policy 1
    name IP192168255193
    from LAN1
    to ZyWALL
    sourceip IP192168255193
    action allow
    dns-cf-profile Technical_Business_Forums log by-profile activate
    !
    secure-policy 2
    name Business_block
    from LAN1
    to ZyWALL
    dns-cf-profile Business log by-profile activate
    action allow

    192.168.255.193 can get to grc.com but not kloth.net and 192.168.255.194 can get to kloth.net but not grc.com

    did you make a new profile for the Content Filter for each rule?

    You want to make sure clients are not bypassing DNS to zywall like LAN to WAN for DNS as the Content Filter can not passively block DNS when some other DNS like 1.1.1.1 is used by the clients it must be to Zywall gateway or the clients must not use DNS over HTTPS

  • itxnc
    itxnc Posts: 98  Ally Member
    First Comment Friend Collector Sixth Anniversary
    edited September 2023

    Yes - there are two separate Content Filter profiles - one for each rule. There is no DNS bypass - this is a Microsoft AD environment. They all use the domain servers for DNS (forwarded to the FLEX) We try to include the canaries/GPO for disabling DNS over HTTPS, but if they were using DNS over HTTPS, you would expect them to not be blocked when they should. In our case, they're being blocked when they shouldn't AND they're being blocked by the wrong rule.

  • PeterUK
    PeterUK Posts: 3,460  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    edited September 2023

    Still works with your test

    secure-policy 1

    name IP192168255193

    from LAN1

    to ZyWALL

    sourceip IP192168255193

    action allow

    dns-cf-profile IP192168255193 log by-profile deactivate

    !

    secure-policy 2

    name IP192168255194

    from LAN1

    to ZyWALL

    dns-cf-profile IP192168255194 log by-profile deactivate

    action allow

    dns-content-filter profile IP192168255194

    category business

    category pornography

    category residential-ip-addresses

    !

    dns-content-filter profile IP192168255193

    category technical-business-forums

    category pornography

    category residential-ip-addresses

    category online-shopping

    I can get to www.jlindeberg.com on 192.168.255.194 but not 192.168.255.193 as well as swapping online-shopping to IP192168255194 and IP192168255193 not I can get to www.jlindeberg.com on 192.168.255.193 but not 192.168.255.194

    Maybe you double NAT so that the FLEX200 see one source IP?

  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,247  Zyxel Employee
    100 Answers 500 Comments Friend Collector Fourth Anniversary

    Hi @itxnc

    Please confirm if the 'LAN to Any' and 'LAN to ZyWALL' policies have already been applied to the DNS Content Filter profile to ensure its proper functionality, as shown below:

    Thanks.


    See how you've made an impact in Zyxel Community this year! https://bit.ly/Your2024Moments_Community

  • itxnc
    itxnc Posts: 98  Ally Member
    First Comment Friend Collector Sixth Anniversary
    edited September 2023

    I'll check for double NAT. Site has been in bridge mode forever, but Spectrum likes to randomly reset back to router mode.

    I can confirm the DNS profiles were applied to both the WAN and Zywall rules.

    The thing that's so weird is the logs show the block is happening from the 2nd rule, not the first, but when I turn logging on for the 1st rule, the client in question is clearly routing traffic through it.

    UPDATE: Definitely not double NAT - router has public IP. I just did a test from another non Win 11 machine to rule out something weird with Windows 11, which reporting user has. Added machine to the 'Mgmt' address group so Rule #1 applies. Site is blocked by Rule #2 according to logs. Turned logging on for Rule #1 and immediately get traffic logs from machine I just added. So it's the rule in use for this machine. This makes no sense. If Rule #1 is clearly active, why is Rule #2 being logged as the source of the block? It should never get that far. I even removed ALL filters from Rule #1 (LAN to WAN and LAN to Zywall) and it still happens - Rule #2 logged as reason for the block.

    I meant to restart the router last night but forgot. Will try to do that tonight.

    UPDATE2: On a whim, I went to a known porn site because that's blocked in both rules - and again the logging shows it blocked by Rule #2, NOT Rule #1. Not only for LAN to WAN but also the DNS query via LAN to Device. In other words the DNS query is logged as blocked by the SECOND LAN to Zywall rule when it should have been the first LAN to Zywall rule (the Mgmt one). It's so weird. Traffic that goes through will clearly log in Rule #1 but any blocked traffic logs in Rule #2. Also of note - the block page header says "Zyxel Security Cloud DNS FiLter Service Portal" Is this some weird fluke with the realtime cloud protection?

  • itxnc
    itxnc Posts: 98  Ally Member
    First Comment Friend Collector Sixth Anniversary

    Reboot of the router didn't help. Still getting blocked by the 2nd rule, even though the first rule is active and logs normal traffic for the machines in question.

  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,247  Zyxel Employee
    100 Answers 500 Comments Friend Collector Fourth Anniversary

    Hi @itxnc

    Could you provide a remote Web-GUI to us for further checking? We will send a private message to you later. Thanks.


    See how you've made an impact in Zyxel Community this year! https://bit.ly/Your2024Moments_Community

Security Highlight