No default DNS for WAN1 on USG40

StefanLogar
edited April 2021 in Security
Hi, Experts!
I have problems concerning the default DNS for internal use of our USG40. In the LAN everything works correctly, DHCP clients get the correct DNS servers, ...
But when I try to download firmware files for APs or when calling an NSLOOKUP from the Diagnostic-Networkprogrammes, I get the errors "Device can't connect to cloud servers" or ";; connection timed out; no servers could be reached".

WAN: fixed IP
DNS: 2 forwarders entered
In DNS under default I see N/A; on the EasyMode overview screen I see DNS: N/A

Any help appreciated!


  • Zyxel_Cooldia
    @StefanLogar
    Welcome to Zyxel Community  B)
    If the USG WAN type is static IP, it does not have a DNS server by default; you need to set up a DNS server for the USG.
    Go to “Configuration > System > DNS > Domain Zone forward” and click the “Add” button to add a DNS server for name queries.

  • @Zyxel_Cooldia, thank you for your reply, but, as mentioned in post 1, I have two entries for "Domain Zone Forwarder" - the DNS-Servers of my ISP. However, from the USG40 they seem not to be acknowledged.
  • Zyxel_Stanley
    edited April 2019
    If the network tool shows “connection timed out; no servers could be reached”, it means the device did not receive a reply from the server side.
    Can you take a screenshot of your DNS zone forwarder setting?

  • Hi, @Zyxel_Stanley, thank you for your help!

    My DNS settings (sorry, it's in German):
    My situation is as follows:
    - USG40 is behind the main router from our ISP
    - we use L2TP/IPSec for VPN-Connections
    - the internal network is working as expected, except for DNS, which, in addition to System > DNS, I had to enter manually into the LAN1 DHCP configuration
    - the Internet is reachable without limitation from any LAN1 client
    - from USG40 (terminal) I can ping any host in LAN1
    - from USG40 I can ping the fixed external IP of the ISP-Router (xxx.xxx.xxx.xxx) but NOT(!) the internal IP of it (192.168.2.254)
    - USG40 is connected to ISP-router at WAN1, IP 192.168.2.100/24

    Best regards and thank you for any hint!
  • Zyxel_Stanley

    Hi @StefanLogar  

    We have not seen this issue before, since your client can receive DNS results from the server successfully.

    I will send you a private message to check this issue in more detail.

  • Ian31
    > - USG40 is connected to ISP-router at WAN1, IP 192.168.2.100/24

    The default lan2 IP address of the USG40 is 192.168.2.1/24.
    Did you change the default IP address of lan2 to another IP network to avoid the conflict with WAN1?
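
The overlap check asked about in the post above, as an added example that is not part of the original thread and not Zyxel code. The wan1 address, the lan2 default and the ISP router address 192.168.2.254 come from the thread; the lan1 address and the renumbered lan2 network are constructed values.

```python
import ipaddress
from itertools import combinations

# Interface table for the check. wan1 and the lan2 default are quoted in the
# thread; the lan1 address is a constructed value for illustration.
INTERFACES = {
    "wan1": "192.168.2.100/24",
    "lan1": "192.168.1.1/24",   # constructed
    "lan2": "192.168.2.1/24",   # default named in the post above
}


def overlapping_interfaces(interfaces):
    """Return sorted pairs of interface names whose connected subnets overlap."""
    nets = {
        name: ipaddress.ip_interface(addr).network
        for name, addr in interfaces.items()
    }
    return sorted(
        (a, b)
        for a, b in combinations(sorted(nets), 2)
        if nets[a].overlaps(nets[b])
    )


def candidate_egress(interfaces, target):
    """Return every interface whose connected subnet contains `target`.

    More than one name means the device has two directly connected routes
    for the same address, so traffic to it may leave the wrong port.
    """
    ip = ipaddress.ip_address(target)
    return sorted(
        name
        for name, addr in interfaces.items()
        if ip in ipaddress.ip_interface(addr).network
    )


if __name__ == "__main__":
    gateway = "192.168.2.254"  # internal IP of the ISP router, from the thread
    print("overlaps:", overlapping_interfaces(INTERFACES))
    print("routes to gateway:", candidate_egress(INTERFACES, gateway))

    # Same table with lan2 moved to a constructed, non-conflicting network.
    fixed = dict(INTERFACES, lan2="192.168.3.1/24")
    print("overlaps after renumbering:", overlapping_interfaces(fixed))
    print("routes to gateway:", candidate_egress(fixed, gateway))
```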
     
  • Thank you, @Ian31!
    Good idea, but here is my IP overview. It's not the problem.

  • Hi to all!
    I have found the following symptom now:

    • All DNS queries from inside LAN1 are successful, as they have the source 192.168.2.100 (WAN1 IP).
    • DNS queries from the USG itself time out, because they have the source xxx.xxx.xxx.xxx (the ISP router's public IP).
    Maybe any new idea?
    Thanks i.a.
  • ChrisGer
    Hi @StefanLogar
    Is your external ISP router (the IP looks like the AVM default IP) :) ?
    Be careful if your USG40W and the ISP router are acting as SNAT router devices.
    With double SNAT you can have some side effects included :)

    I have a USG between the LAN and DMZ zone and behind a Layer7 firewall that is connected to the ISP modem. ;)

    I have disabled SNAT (Source-NAT), but ... your ISP router requires the information about the subnets on your USG to send reply packages to the WAN1 interface on the USG.

    DNS -> normally your ISP router is acting as a DNS forwarder, too.

    I have the ZYWALL DNS zone forwarder pointed to my external ISP firewall IP through WAN1.
    This is working well, and my ISP firewall forwards all packages to the known DNS server from my ISP.

    Regards and Good luck to Austria ;)
    Christian
  • Ian31
    @StefanLogar ,
    Is the public IP (88.xxx.xxx.xxx) bound to a PPPoE interface on the USG40?
    Or is it a 1-1 NAT set on the ISP router to map to wan1 of the USG40?
