DNS Content Filter does not work with Tailscale on Flex 50H

best_heygman

Hello, I was running into a quite weird issue, but I have managed to dissect it somewhat now. The problem is that the DNS Content Filter, as far as I understand it, is supposed to work in two ways:
1. It creates an invisible allow udp:53 rule to ZyWall when it is applied to a Security Policy, so that the ZyWall responds through this policy according to the applied Content Filter.
2. It inspects and, if necessary, intercepts DNS packets matched by the Security Policy on their way to another DNS server.

The problem is, when applying a DNS Content Filter to a Security Policy coming from the tailscale zone, only the intercept (2.) works, but not the direct reply from the ZyWall (1.).

Here is an example from the Tailscale zone

First, a DNS lookup from the tailscale device (which shouldn't return the correct IP, but it does):
hege@nx1 :~$ host protonvpn.com
protonvpn.com has address 185.159.159.140
protonvpn.com mail is handled by 20 mail.proton.ch.
protonvpn.com mail is handled by 10 mail.protonmail.ch.

Now, a DNS lookup while explicitly using the ZyWall as DNS server (which also shouldn't return the correct IP, but it does):
hege@nx1 :~$ host protonvpn.com 100.106.244.18
Using domain server:
Name: 100.106.244.18
Address: 100.106.244.18#53
Aliases:

protonvpn.com has address 185.159.159.140
protonvpn.com mail is handled by 10 mail.protonmail.ch.
protonvpn.com mail is handled by 20 mail.proton.ch.

Next, a DNS request to 8.8.8.8 (which gets correctly intercepted by the ZyWall, as it should be):
hege@nx1 :~$ host protonvpn.com 8.8.8.8
Using domain server:
Name: 8.8.8.8
Address: 8.8.8.8#53
Aliases:

protonvpn.com has address 44.197.99.235
Host protonvpn.com not found: 2(SERVFAIL)
Host protonvpn.com not found: 2(SERVFAIL)

The DNS Content Filter works well with normal zones. I have tested it with my dmz zone (I blocked General news, because I hoped it wouldn't have an impact on the dmz while testing):
The same three tests as above, but now from my dmz zone. Everything gets correctly blocked, as it should be:
[hege@sx1 ~]$ host cnbc.com
cnbc.com has address 44.197.99.235
Host cnbc.com not found: 2(SERVFAIL)
Host cnbc.com not found: 2(SERVFAIL)
[hege@sx1 ~]$ host cnbc.com 192.168.188.1
Using domain server:
Name: 192.168.188.1
Address: 192.168.188.1#53
Aliases:

cnbc.com has address 44.197.99.235
Host cnbc.com not found: 2(SERVFAIL)
Host cnbc.com not found: 2(SERVFAIL)
[hege@sx1 ~]$ host cnbc.com 8.8.8.8
Using domain server:
Name: 8.8.8.8
Address: 8.8.8.8#53
Aliases:

cnbc.com has address 44.197.99.235
Host cnbc.com not found: 2(SERVFAIL)
Host cnbc.com not found: 2(SERVFAIL)

It seems there is a bug somewhere in the Flex H firmware. It would be very nice if it gets fixed.
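The three-lookup test above (system resolver, the ZyWall directly, an external resolver) is easy to repeat from every zone and compare. The script below is an added example, not code from the original post or from Zyxel: it runs `host` the same way, parses the output (including the glued "Aliases:protonvpn.com has address ..." form seen above) and classifies each reply as resolved or blocked. It assumes the `host` binary from bind-utils/bind9-host is installed; the resolver addresses and the reference set of legitimate addresses are passed in by the caller, and the embedded sample outputs are copied from the post for offline use.

```python
"""Check whether a DNS content filter is actually enforced from a given zone.

Added example (not the poster's or Zyxel's code). Replicates the post's three
lookups and classifies each reply so the zones can be compared side by side.
"""
from __future__ import annotations

import re
import subprocess

# Lines printed by `host`; the SERVFAIL form is the one seen in the post.
_ADDR_RE = re.compile(r"^\S+ has (?:IPv6 )?address (\S+)$")
_SERVFAIL_RE = re.compile(r"not found: 2\(SERVFAIL\)")


def parse_host_output(text: str) -> dict:
    """Return {'addresses': [...], 'servfail': bool} for one `host` run.

    Some terminals/extractions glue the first answer onto the 'Aliases:'
    header ('Aliases:protonvpn.com has address ...'); strip it before matching.
    """
    addresses: list[str] = []
    servfail = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Aliases:"):
            line = line[len("Aliases:"):].strip()
        m = _ADDR_RE.match(line)
        if m:
            addresses.append(m.group(1))
        if _SERVFAIL_RE.search(line):
            servfail = True
    return {"addresses": addresses, "servfail": servfail}


def classify(parsed: dict, expected: set[str] | None = None) -> str:
    """'resolved' if a legitimate address came back, 'blocked' if the filter answered.

    `expected` is the set of addresses the name resolves to from an unfiltered
    vantage point (capture it once, e.g. from a host outside the filtered zone).
    Without it, a SERVFAIL is the only usable block signal: in the post every
    blocked lookup ends in SERVFAIL for the remaining record types.
    """
    addrs = set(parsed["addresses"])
    if expected and addrs & expected:
        return "resolved"
    if parsed["servfail"]:
        return "blocked"
    if expected and addrs:
        return "blocked"   # answered, but not with a legitimate address
    if addrs:
        return "resolved"  # no reference set: a clean answer counts as resolved
    return "no-answer"


def run_lookup(name: str, server: str | None = None, timeout: float = 5.0) -> str:
    """Run `host NAME [SERVER]` and return its combined output.

    `host` exits non-zero on SERVFAIL/NXDOMAIN, so do not use check=True."""
    cmd = ["host", name] + ([server] if server else [])
    proc = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout)
    return proc.stdout + proc.stderr


def check_zone(name: str, zywall: str, external: str = "8.8.8.8",
               expected: set[str] | None = None) -> dict:
    """The post's three tests from the current host; with a working filter all
    three come back 'blocked' for a filtered domain. Returns {label: result}."""
    tests = {"system-resolver": None, "zywall-direct": zywall, "external": external}
    return {label: classify(parse_host_output(run_lookup(name, srv)), expected)
            for label, srv in tests.items()}


# Constructed samples: copied from the post's terminal output, for offline use.
SAMPLE_TAILSCALE_ZYWALL = """Using domain server:
Name: 100.106.244.18
Address: 100.106.244.18#53
Aliases:protonvpn.com has address 185.159.159.140
protonvpn.com mail is handled by 10 mail.protonmail.ch.
protonvpn.com mail is handled by 20 mail.proton.ch.
"""
SAMPLE_TAILSCALE_EXTERNAL = """Using domain server:
Name: 8.8.8.8
Address: 8.8.8.8#53
Aliases:protonvpn.com has address 44.197.99.235
Host protonvpn.com not found: 2(SERVFAIL)
Host protonvpn.com not found: 2(SERVFAIL)
"""
SAMPLE_DMZ_ZYWALL = """Using domain server:
Name: 192.168.188.1
Address: 192.168.188.1#53
Aliases:

cnbc.com has address 44.197.99.235
Host cnbc.com not found: 2(SERVFAIL)
Host cnbc.com not found: 2(SERVFAIL)
"""

if __name__ == "__main__":
    ref = {"185.159.159.140"}  # protonvpn.com as seen unfiltered in the post
    print("tailscale -> zywall  :", classify(parse_host_output(SAMPLE_TAILSCALE_ZYWALL), ref))
    print("tailscale -> 8.8.8.8 :", classify(parse_host_output(SAMPLE_TAILSCALE_EXTERNAL), ref))
    print("dmz -> zywall        :", classify(parse_host_output(SAMPLE_DMZ_ZYWALL)))
    # Live run from a zone, e.g.: check_zone("protonvpn.com", "100.106.244.18", expected=ref)
```

Run it from a host in each zone; a zone where `zywall-direct` reports `resolved` while `external` reports `blocked` reproduces exactly the asymmetry the post describes.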

All Replies

  • best_heygman

    Well, for now, I found a workaround.
    The immediate idea would be to add a Security Policy that is Tailscale → ZyWall with service DNS and add the Content Filter to that policy. But the web UI doesn't allow you to do that: it hides the option when you are creating a → ZyWall policy.
    BUT, you can just create a Security Policy Tailscale → Tailscale, add the Content Filter there, save it, edit it again and just change it to Tailscale → ZyWall and save it. It retains the Content Filter and now it actually works. Funny how I had to use one bug to work around another bug :)

  • Zyxel_Melen (Zyxel Employee)

    Hi @best_heygman

    Could you share your configuration file with us so we can better replicate this issue?

    Zyxel Melen


  • best_heygman

    Hello @Zyxel_Melen

    Sure, but I don't want to post it in the forum. I have enabled the Zyxel support access in Nebula, if that helps.