Bridge DNS forwarding problem
VPN300 V5.37(ABFC.2)
USG FLEX 200 V5.41(ABUI.0)
So I think sadly nothing can likely be done for the VPN300, since it's EOL, but I might be able to work around that; the problem also happens on the FLEX 200, so I'd be thankful if this could be fixed.
The issue I'm seeing: I have a BIND server with a WAN IP that does lookups from the root servers. You can see here that from the DNS server a DNS query is sent, in this case for sig.cloud.zyxel.com with transaction ID 0x8082, and there is no reply.
Then a view from DMZ side of the Bridge
Then a view from the WAN side of the Bridge, where you can see a reply, but the FLEX200 didn't pass it on to the DMZ.
All Replies
-
Hi @PeterUK
Could you share the topology and packet flow of this scenario? We also need remote access to the VPN300 and FLEX200 to check this issue.
Zyxel Melen0 -
Ok Melen, you can have remote access to the VPN300 and FLEX200 to check this issue. I was hoping you could have done internal testing, given it's DNS and how important it is. My guess is the FQDN system might be causing this problem?
simple topology
internet > VPN300 > FLEX200 > DNS server
0 -
update on problem for anyone following
Now with a simple setup (DNS server on VLAN55, SNATed to the SFP WAN), the cause looks to be that if you have any wildcard FQDN in use, some DNS replies are not forwarded from WAN to LAN, and it can happen to any query from LAN to WAN that the reply may not make it back from WAN to LAN.
0 -
Update on which might be the issue?
BIND adds these additional records, which the USG should ignore when snooping DNS replies, but maybe at times it's not doing this correctly?
0 -
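The two checks raised in the thread so far, matching query transaction IDs against replies at the DMZ-side and WAN-side capture points, and looking at which sections of a BIND reply carry A records, as an added example that is not part of the original thread or of any Zyxel code. It builds a constructed BIND-style reply (an A answer, an NS record in authority and the name server's A glue in additional, which is what BIND sends unless minimal-responses is enabled), parses it with a small stdlib-only DNS parser, and shows what an FQDN-object snooper learns depending on which sections it reads. The transaction ID 0x8082 and the name sig.cloud.zyxel.com are from the thread; the addresses (192.0.2.0/24 and 198.51.100.0/24 documentation ranges) and the name server ns1.example.net are made up.

```python
import socket
import struct

# Constructed sample data (documentation ranges and a made-up NS name), not
# captured traffic. Transaction ID and query name are the ones from the thread.
TXID = 0x8082
QNAME = "sig.cloud.zyxel.com"
ANSWER_IP = "192.0.2.10"
NS_NAME = "ns1.example.net"       # hypothetical name server for the zone
GLUE_IP = "198.51.100.53"

def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels ending in a zero byte."""
    out = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return out + b"\x00"

def encode_rr(owner, rtype, rdata, ttl=300):
    """One resource record: owner (already wire-encoded), TYPE, CLASS IN, TTL, RDLENGTH, RDATA."""
    return owner + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

def build_query(txid, qname):
    # Header: ID, flags (RD set), QDCOUNT=1, ANCOUNT=NSCOUNT=ARCOUNT=0; then one A/IN question
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", 1, 1)

def build_response(txid, qname, answer_ip, ns_name, glue_ip):
    """BIND-style reply: A answer, NS in authority and the NS host's A glue in
    additional, i.e. what BIND sends unless minimal-responses is enabled."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 1, 1)  # QR, RD, RA set
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    owner_ptr = b"\xc0\x0c"  # compression pointer to the qname at offset 12
    answer = encode_rr(owner_ptr, 1, socket.inet_aton(answer_ip))
    zone = qname.split(".", 1)[1]
    authority = encode_rr(encode_name(zone), 2, encode_name(ns_name))
    additional = encode_rr(encode_name(ns_name), 1, socket.inet_aton(glue_ip))
    return header + question + answer + authority + additional

def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # compression pointer: follow it for the
            if end is None:                  # labels, but resume after the 2-byte pointer
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels), (off if end is None else end)

def parse_message(msg):
    """Split a DNS message into its question, answer, authority and additional sections."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions = 12, []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype))
    result = {"id": txid, "flags": flags, "question": questions}
    for key, count in (("answer", an), ("authority", ns), ("additional", ar)):
        rrs = []
        for _ in range(count):
            name, off = read_name(msg, off)
            rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rrs.append((name, rtype, msg[off:off + rdlen]))
            off += rdlen
        result[key] = rrs
    return result

def snoop_a_records(msg, sections=("answer",)):
    """Name -> IPs an FQDN-object snooper would learn from a reply. Reading only
    the answer section is the safe choice; including additional also picks up
    glue for names nobody asked about, such as the NS host."""
    parsed = parse_message(msg)
    found = {}
    for sec in sections:
        for name, rtype, rdata in parsed[sec]:
            if rtype == 1:
                found.setdefault(name, []).append(socket.inet_ntoa(rdata))
    return found

def unanswered(queries, replies):
    """(txid, qname) pairs with no matching reply among the messages seen at one
    capture point. Run it on the WAN-side and DMZ-side captures separately:
    a pair present only in the DMZ result is a reply the firewall dropped."""
    answered = {(p["id"], p["question"][0][0]) for p in map(parse_message, replies)}
    return {(p["id"], p["question"][0][0]) for p in map(parse_message, queries)} - answered

if __name__ == "__main__":
    query = build_query(TXID, QNAME)
    reply = build_response(TXID, QNAME, ANSWER_IP, NS_NAME, GLUE_IP)
    print("answer only   :", snoop_a_records(reply))
    print("all sections  :", snoop_a_records(reply, ("answer", "authority", "additional")))
    print("missing on WAN:", unanswered([query], [reply]))   # reply seen, so empty
    print("missing on DMZ:", unanswered([query], []))        # reply never forwarded
```

To use it on real captures, feed the UDP payloads from the two capture points (for example extracted from tcpdump output on the FLEX200's WAN and DMZ interfaces) into `unanswered`; any (txid, qname) pair that is missing only on the DMZ side is a reply the firewall received but did not forward, and `snoop_a_records` on that reply shows whether it carried extra A records outside the answer section.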
It seems the update to V5.42 has made this issue worse😕
0 -
Siprep ... it's really, really bad, like from somewhat usable to somewhat unusable.
Like, my BIND can't resolve
e11290.dspg.akamaiedge.net
It sends the DNS query out, the reply comes back, but the FLEX200 will not forward the answer.
I've had to do a hack which the XS1930-10 can do, though limited compared to what another switch could do: the DNS server is bridged by the FLEX200 on the WAN side and DMZ side, and the XS1930-10 uses "Send the packet to the mirror port" for UDP source port 53 to go around the FLEX200 in a bypass.
This now needs fixing please.
0