Zywall 110 strange behavior with subdomain
Hello,
The firewall is running V4.73(AAAA.2).
We have a domain (example.es), with the appropriate DNS entries configured at our registrar for our website:
IN A example.es x.x.x.x
IN A www.example.es x.x.x.x
The issue is that in the office, we have some virtual machines (running behind a proxy) for which we want to use subdomains of the company's domain: vm1.dev.example.es, and so on.
So we created CNAMES in the Zywall DNS configuration pointing to the local A entry for the server where those vms are:
vm1.dev.example.es CNAME devsrv.company.local
(The firewall domain is configured as example.local)
These CNAMES are working great, but they are, for some reason, rendering the zywall unable to resolve "example.es". If we delete the CNAME, the zywall is then again able to resolve "example.es".
Some pictures are attached with the actual configuration, real domain and DNS queries results made from the zywall.
CNAME and dns lookup with cname:
It's like the zywall is stating that it itself is the authoritative server for "example.es" (aa flag) and it's saying it doesn't exist. I don't understand why.
No CNAME and dns query from the zywall (no aa for example.es this time):
Thanks!
Accepted Solution
Hi @jaalsa ,
The system will have such a DNS zone file when you have this kind of CNAME record, so you are right, the firewall acts as the NS itself this time. So, you can try to add an A record for "aptica.es" A 79.139.120.30 in the GUI as a workaround.
Please be aware that the Zywall 110 model has reached its End of Life (EOL) status, which means our support for this model will be limited. For information on alternative options, you can also refer to the available models:
Judy
All Replies
Thank you very much.
I have also tested removing the CNAME and creating a
x.dev.aptica.es IN A internal_ip
And the same happens, the firewall puts itself as authoritative over aptica.es.
We have implemented the suggested workaround successfully. Thanks.
I'd like to ask: is this because of the zywall's dns implementation? We are considering upgrading the zywall to a newer one, is this issue resolved on them?
Thanks!
Hi @jaalsa ,
This is the current DNS implementation across all Zyxel firewalls. Please use our suggested solution to meet your requirements.
Judy
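The symptom described in this thread (an authoritative "does not exist" answer for the parent domain, coming from a device that should only forward that name) can be checked from the DNS response header. The following is an added example, not part of the original thread and not Zyxel code; the response bytes are constructed samples, and the zone list and the 192.0.2.10 address are assumptions. It goes slightly beyond the thread by also treating an empty authoritative NOERROR answer as negative.

```python
import struct

AA, NXDOMAIN = 0x0400, 3          # header AA bit and RCODE 3 (RFC 1035)

def build_response(qname, rcode, aa, a_record=None):
    """Constructed sample: a minimal DNS response (header, question, optional A answer)."""
    flags = 0x8000 | 0x0100 | 0x0080 | (AA if aa else 0) | rcode   # QR, RD, RA
    msg = struct.pack("!6H", 0x1234, flags, 1, 1 if a_record else 0, 0, 0)
    msg += b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    msg += struct.pack("!2H", 1, 1)                                # QTYPE A, QCLASS IN
    if a_record:                                                   # name = pointer to offset 12
        msg += struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4)
        msg += bytes(map(int, a_record.split(".")))
    return msg

def parse_response(msg):
    """Read the flags, answer count and question name from a DNS response."""
    _, flags, _, ancount, _, _ = struct.unpack("!6H", msg[:12])
    labels, pos = [], 12
    while msg[pos]:                                                # labels end at a zero byte
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return {"qname": ".".join(labels).lower(), "aa": bool(flags & AA),
            "rcode": flags & 0x000F, "answers": ancount}

def shadowed_by_local_zone(msg, intended_zones):
    """True if the resolver gave an authoritative negative answer for a name
    outside the zones it is meant to own (the symptom in this thread)."""
    r = parse_response(msg)
    owned = any(r["qname"] == z or r["qname"].endswith("." + z) for z in intended_zones)
    negative = r["rcode"] == NXDOMAIN or (r["rcode"] == 0 and r["answers"] == 0)
    return r["aa"] and negative and not owned

# Assumption: the only names the firewall is meant to answer for by itself.
INTENDED = ["dev.example.es", "example.local"]

if __name__ == "__main__":
    samples = {
        "with local record": build_response("example.es", NXDOMAIN, aa=True),
        "without local record": build_response("example.es", 0, aa=False, a_record="192.0.2.10"),
        "unknown dev host": build_response("nope.dev.example.es", NXDOMAIN, aa=True),
    }
    for label, msg in samples.items():
        print(f"{label}: shadowed={shadowed_by_local_zone(msg, INTENDED)}")
```
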