DNS Content Filter does not work with Tailscale on Flex 50H

best_heygman  Posts: 18  Freshman Member

Hello, I was running into a quite weird issue, but I have managed to dissect it somewhat now. The problem is that the DNS Content Filter, as far as I understand it, is supposed to work in two ways:
1. It creates an invisible allow udp:53 rule to ZyWall when it is applied to a Security Policy, so that the ZyWall responds through this policy according to the applied Content Filter.
2. It inspects and, if necessary, intercepts DNS packets matched by the Security Policy on their way to another DNS server.

The problem is that when applying a DNS Content Filter to a Security Policy coming from the Tailscale zone, only the intercept (2.) works, but not the direct reply from the ZyWall (1.).

Here is an example from the Tailscale zone.

First, a DNS lookup from the Tailscale device (which shouldn't return the correct IP, but it does):
hege@nx1:~$ host protonvpn.com
protonvpn.com has address 185.159.159.140
protonvpn.com mail is handled by 20 mail.proton.ch.
protonvpn.com mail is handled by 10 mail.protonmail.ch.

Now, a DNS lookup explicitly using the ZyWall as DNS server (which also shouldn't return the correct IP, but it does):
hege@nx1:~$ host protonvpn.com 100.106.244.18
Using domain server:
Name: 100.106.244.18
Address: 100.106.244.18#53
Aliases:

protonvpn.com has address 185.159.159.140
protonvpn.com mail is handled by 10 mail.protonmail.ch.
protonvpn.com mail is handled by 20 mail.proton.ch.

Next, a DNS request to 8.8.8.8 (which gets correctly intercepted by the ZyWall, as it should be):
hege@nx1:~$ host protonvpn.com 8.8.8.8
Using domain server:
Name: 8.8.8.8
Address: 8.8.8.8#53
Aliases:

protonvpn.com has address 44.197.99.235
Host protonvpn.com not found: 2(SERVFAIL)
Host protonvpn.com not found: 2(SERVFAIL)

The DNS Content Filter works well with normal zones. I have tested it with my dmz zone (I blocked General news, because I hoped it wouldn't have an impact on the dmz while testing):
The same three tests as above, but now from my dmz zone. Everything gets correctly blocked, as it should be:
[hege@sx1 ~]$ host cnbc.com
cnbc.com has address 44.197.99.235
Host cnbc.com not found: 2(SERVFAIL)
Host cnbc.com not found: 2(SERVFAIL)
[hege@sx1 ~]$ host cnbc.com 192.168.188.1
Using domain server:
Name: 192.168.188.1
Address: 192.168.188.1#53
Aliases:

cnbc.com has address 44.197.99.235
Host cnbc.com not found: 2(SERVFAIL)
Host cnbc.com not found: 2(SERVFAIL)
[hege@sx1 ~]$ host cnbc.com 8.8.8.8
Using domain server:
Name: 8.8.8.8
Address: 8.8.8.8#53
Aliases:

cnbc.com has address 44.197.99.235
Host cnbc.com not found: 2(SERVFAIL)
Host cnbc.com not found: 2(SERVFAIL)

It seems there is a bug somewhere in the Flex H firmware. It would be very nice if it gets fixed.
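The three-resolver check the post above runs by hand (default resolver, the gateway directly, an external resolver) can be turned into a repeatable audit that tells the two mechanisms apart: whether the gateway's own answer is filtered (the hidden 'To ZyWALL' udp/53 rule) and whether queries in transit to another resolver are intercepted. The following is an added example, not code from the poster or from Zyxel. The sample transcripts are constructed from the `host` outputs shown in the thread, and treating 44.197.99.235 as the filter's sinkhole address is an assumption drawn from the blocked responses there, not something the thread states.

```python
"""Classify `host` transcripts per resolver to see whether a DNS content
filter answered (sinkhole address) or the real record leaked through.

Added example for this thread, not the poster's or Zyxel's code."""
import re

# Assumption: the filter answers blocked names with this address (the one
# returned for every blocked lookup in the thread) plus SERVFAIL for MX.
SINKHOLE_IPS = {"44.197.99.235"}

A_RECORD = re.compile(r"has address (\d+(?:\.\d+){3})")


def classify(output, sinkholes=SINKHOLE_IPS):
    """Return 'filtered', 'leaked' or 'no_answer' for one `host` transcript."""
    addrs = A_RECORD.findall(output)
    if not addrs:
        return "no_answer"
    # Any real address means the policy did not catch this path, even if
    # other records in the same transcript came back SERVFAIL.
    if all(a in sinkholes for a in addrs):
        return "filtered"
    return "leaked"


def audit(results, sinkholes=SINKHOLE_IPS):
    """results: {resolver_label: host_output} -> {resolver_label: status}."""
    return {label: classify(out, sinkholes) for label, out in results.items()}


def diagnose(statuses, gateway, external):
    """Map resolver statuses onto the two mechanisms the thread describes:
    (1) the gateway answering the client directly (needs the hidden
        'To ZyWALL' udp/53 rule), and
    (2) interception of queries in transit to another resolver."""
    direct, intercept = statuses[gateway], statuses[external]
    if direct == "filtered" and intercept == "filtered":
        return "ok: direct reply and intercept both filtered"
    if direct == "leaked" and intercept == "filtered":
        return ("intercept works, direct reply unfiltered: "
                "hidden To-ZyWALL DNS rule not in effect on this zone")
    if direct == "filtered" and intercept == "leaked":
        return "direct reply filtered, intercept not working"
    return "filter not in effect on this path"


# Constructed from the Tailscale-zone outputs posted in the thread.
TAILSCALE_RESULTS = {
    "default": (
        "protonvpn.com has address 185.159.159.140\n"
        "protonvpn.com mail is handled by 20 mail.proton.ch.\n"
    ),
    "100.106.244.18": (
        "Using domain server:\nName: 100.106.244.18\n"
        "Address: 100.106.244.18#53\nAliases:\n\n"
        "protonvpn.com has address 185.159.159.140\n"
    ),
    "8.8.8.8": (
        "Using domain server:\nName: 8.8.8.8\nAddress: 8.8.8.8#53\nAliases:\n\n"
        "protonvpn.com has address 44.197.99.235\n"
        "Host protonvpn.com not found: 2(SERVFAIL)\n"
    ),
}

# Constructed from the dmz-zone outputs posted in the thread.
BLOCKED = "cnbc.com has address 44.197.99.235\nHost cnbc.com not found: 2(SERVFAIL)\n"
DMZ_RESULTS = {"default": BLOCKED, "192.168.188.1": BLOCKED, "8.8.8.8": BLOCKED}

if __name__ == "__main__":
    for zone, res, gw in (("tailscale", TAILSCALE_RESULTS, "100.106.244.18"),
                          ("dmz", DMZ_RESULTS, "192.168.188.1")):
        statuses = audit(res)
        print(zone, statuses, "->", diagnose(statuses, gw, "8.8.8.8"))
```

To use it against a live gateway, capture `host <name> [resolver]` for each of the three resolvers into the dictionary and run `audit` and `diagnose`; a zone where the gateway label comes back "leaked" while the external resolver is "filtered" shows exactly the symptom described above.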

All Replies

  • best_heygman

    Well, for now, I found a workaround.
    The immediate idea would be to add a Security Policy Tailscale → ZyWall with service DNS and add the Content Filter to that policy. But the web UI doesn't allow you to do that; it hides the option when you are creating a → ZyWall policy.
    BUT you can just create a Security Policy Tailscale → Tailscale, add the Content Filter there, save it, edit it again, change it to Tailscale → ZyWall and save it. It retains the Content Filter and now it actually works. Funny how I had to use one bug to work around another bug :)

  • Zyxel_Melen  Posts: 4,367  Zyxel Employee

    Hi @best_heygman

    Could you share your configuration file with us so we can better replicate this issue?

    Zyxel Melen


  • best_heygman

    Hello @Zyxel_Melen

    Sure, but I don't want to post it in the forum. I have enabled the Zyxel support access in Nebula, if that helps.

  • Zyxel_Melen

    Hi @best_heygman

    Our team has addressed this issue. However, we want to clarify your Tailscale settings and device info.

    1. Which Linux do you use and what version is it?
    2. What's your Tailscale DNS setting? Is Magic DNS enabled or disabled?

    Thanks!

    Zyxel Melen


  • best_heygman

    Sure,
    1. The external device from which I used Tailscale runs Fedora 43. Tailscale is installed from the Fedora repository. The Tailscale version in the Fedora 43 repositories was, and still is, 1.84.1.

    2. Magic DNS is enabled, I have added the Flex 50H's IP address as a global nameserver, and I have activated "override DNS servers" so that the devices use the Flex 50H via Tailscale as DNS server instead of the local one in their network. The Tailscale DNS settings are correct, because the DNS Content Filter works with this security policy added:
    rule
        name DNS_Content_Filter_Workaround
        enabled true
        from Tailscale
        to ZyWALL
        user any
        schedule any
        source-ip any
        destination-ip any
        service DNS
        action allow
        logging no
        content-filter-profile IT_to_Internet
        ssl-inspection-profile none
        app-patrol-profile none


    But not with the security policy below alone, which should work according to the documentation, because it should implicitly add a rule like the one above, which apparently doesn't happen:
    rule
        name Tailscale_to_Internet
        enabled true
        from Tailscale
        to WAN
        user any
        schedule any
        source-ip any
        destination-ip any
        service any
        action allow
        logging no
        content-filter-profile IT_to_Internet
        ssl-inspection-profile none
        app-patrol-profile IT-to-Internet


    This is the part of the documentation I am referring to:
    The Zyxel Device inspects DNS queries made by users on traffic flows where the security policy has a Content Filter profile applied. When you apply a Content Filter profile to a security policy, the Zyxel Device automatically adds a hidden 'To ZyWALL' rule for the DNS-UDP service (port 53), so that DNS queries in outgoing traffic in the security policy can also be scanned for prohibited websites.

    I hope the additional Information is helpful to you.

  • Zyxel_Melen
    Answer ✓

    Hi @best_heygman

    Thanks for the details. After investigation, the fix ETA for this issue is Q2 2026. Please follow the Security Gateway New Release - Zyxel Community category for the release news.

    Zyxel Melen