ZW35 - remove "default" servers from DNS relay?
Sunfox @ 22nd Oct 01:06AM:
ZW35 - remove "default" servers from DNS relay?
I currently have my Zywall 35 configured to use a DNS relay followed by a number of custom servers in the chain.
However, how can I remove the "default" ISP DHCP-provided DNS servers from the end of the list? The entry is greyed out. The ZW35 insists on working its way through the entire list, and I want to remove the ISP-based ones as they force "search page" results on negative resolutions, and the only opt-out is browser cookie based (so utterly useless).
Any ideas?
reply
Anav @ 22nd Oct 11:20AM:
Re: ZW35 - remove "default" servers from DNS relay?
maybe via telnet?? Hopefully a CLI expert will stop by. :-)
reply
Otto58 @ 22nd Oct 12:16PM:
Re: ZW35 - remove "default" servers from DNS relay?
Will you change the greyed list at Advanced > DNS > System > Name Server Record?
Why do you not make changes at Advanced > DNS > DHCP?
reply
Sunfox @ 23rd Oct 03:47AM:
Re: ZW35 - remove "default" servers from DNS relay?
Because at the DHCP screen I can either enable the ZW35's DNS Relay (causing all PCs to use the ZW for DNS resolution), or specify 3 DNS servers that will be passed directly to DHCP clients.
Yes, no longer using the ZW for DNS resolution *would* work around the issue, however that's not what I want. I need to specify several custom DNS entries for a piece of software I use, I would like to have more than 3 servers in the chain, and I want the ZW to cache results (giving me instant lookup on cached results).
Essentially the ZW is *forcing* me to have the ISP-specified DNS servers at the end of the relay, and I can see no logical reason why this is done.
reply
Bwuutje @ 24th Oct 09:33AM:
Re: ZW35 - remove "default" servers from DNS relay?
No, it is not forcing you. You opted for dynamic ip, so you got what you asked for. If you don't "like" the ip/subnet/gateway/DNS, then set it to static and specify everything yourself.
Bwuutje.
reply
Sunfox @ 28th Oct 08:52AM:
Re: ZW35 - remove "default" servers from DNS relay?
I'm sorry, but I just can't see the logic of what you said.
Using the dynamic IP does not force you to use the assigned DNS servers. In fact many people would prefer to switch to other services, such as OpenDNS.
The ZW is perfectly happy to let me specify up to 3 custom DNS servers that DON'T include the DHCP-assigned servers. But if I want to make use of a more advanced option, by using the built-in DNS server so I can have more than 3 DNS servers, custom DNS entries, or simply have it cache DNS results, then suddenly it's as dumb as a sack of bricks and needlessly forces the DHCP-assigned servers to the bottom of the list.
Please give me a logical reason why this is so.
reply
Brano @ 28th Oct 09:10AM:
Re: ZW35 - remove "default" servers from DNS relay?
Download the CLI reference »ftp://ftp.zyxel.com/ZyWALL_35_UTM/cli_···TM_2.pdf
Check the DNS sections, you may be able to accomplish what you want.
Section 15.1.9 DNS Commands
--
openSUSE 11.1, KDE 4.2
reply
Anav @ 28th Oct 10:46AM:
Re: ZW35 - remove "default" servers from DNS relay?
Reading the recent software release (XU8??) for one of the zywalls one of the latest fixes was for DNS problems, wonder if that is applicable here??
reply
stefaanE @ 30th Oct 05:49AM:
Re: ZW35 - remove "default" servers from DNS relay?
said by Sunfox :
But if I want to make use of a more advanced option, by using the built-in DNS server so I can have more than 3 DNS servers, custom DNS entries, or simply have it cache DNS results, then suddenly it's as dumb as a sack of bricks and needlessly forces the DHCP-assigned servers to the bottom of the list.
You seem confused about how DNS works. Why would you want more than 3 or custom DNS caches? Don't forget that DNS resolution only uses the first cache if it responds. There is no cascade of queries - if the first cache returns an NXDOMAIN, the search stops. Thus, unless you have highly unreliable DNS caches, you should never need more than three entries, because #2 and #3 will only be queried when #1 does not respond (again, they will not be consulted when #1 returns an NXDOMAIN). As such, the presence of the ISP-supplied caches at the end of the list is merely a safeguard in case your own caches fail or are not available. As long as your caches work (that is, if they are proper recursive resolvers configured to resolve both internal and external addresses), the ISP's resolvers will never be queried.
--
"Technically, Windows is an 'operating system,' which means that it supplies your computer with the basic commands that it needs to suddenly, with no warning whatsoever, stop operating." -Dave Barry
reply
Sunfox @ 5th Nov 01:36AM:
Re: ZW35 - remove "default" servers from DNS relay?
That was, however, a minor point. What I really want are 1) custom DNS entries and 2) to utilize its built-in query cache. In which case I strongly prefer to use the ZW's DNS relay versus specifying direct DNS servers that each client should use.
Here's the problem. The ISP has one of those stupid "let's redirect all failed results to a fancy ad-filled webpage" DNS servers. It does NOT support disabling that feature (well, kind of, but it's browser cookie based so it's useless for me).
So, every failed DNS lookup ends up resolving to an IP because the ZW insists on sticking this at the end of the list.
reply
Brano @ 5th Nov 06:03AM:
Re: ZW35 - remove "default" servers from DNS relay?
Did you try the CLI commands to solve your issue or not?
Not all things are configurable through web UI.
--
openSUSE 11.1, KDE 4.2
reply
stefaanE @ 5th Nov 04:10PM:
Re: ZW35 - remove "default" servers from DNS relay?
said by Sunfox :
What I really want are 1) custom DNS entries and 2) to utilize its built-in query cache. In which case I strongly prefer to use the ZW's DNS relay versus specifying direct DNS servers that each client should use.
The Z35 is a reasonable DNS forwarder (unless it suffers from the same bug that causes its little brother, the Z5, to crash under heavy DNS load), but not a DNS resolver. If you are not happy with your ISP's DNS resolvers, you can set up your own, or use a public DNS resolver like OpenDNS.
Trying to use the Z35 as a recursive resolver is not going to work, it simply doesn't incorporate the function (for starters, there isn't enough RAM on board). It has primitive caching functions, but needs a real resolver (BIND, djbdns/dnscache, MaraDNS et al) to perform the actual resolutions.
said by Sunfox :
Here's the problem. The ISP has one of those stupid "let's redirect all failed results to a fancy ad-filled webpage" DNS servers. It does NOT support disabling that feature (well, kind of, but it's browser cookie based so it's useless for me).
So, every failed DNS lookup ends up resolving to an IP because the ZW insists on sticking this at the end of the list.
That's completely broken and a horribly obnoxious mis-feature, because not every DNS lookup concerns a Web page. Who are these clowns?
You have my profound sympathy.
--
"Technically, Windows is an 'operating system,' which means that it supplies your computer with the basic commands that it needs to suddenly, with no warning whatsoever, stop operating." -Dave Barry
reply
Sunfox @ 5th Nov 06:23PM:
Re: ZW35 - remove "default" servers from DNS relay?
Tell me about it... for example:
> fhwef7893uhfr23978ry21374y512894812y4.com
Server: sunscreen
Address: 192.168.0.1
Name: fhwef7893uhfr23978ry21374y512894812y4.com
Addresses: 8.15.7.107, 63.251.179.17, 65.200.200.47
Everything resolves. So then you check out the page in a web browser and get the first screen. Note the tiny "About this Page" link, which goes to the second screen. Ah, a way to get rid of it, right?
Click the link and you get the third page. So it's per computer, per browser. Great. What about everything else?
[Screenshots: "Failed Lookup"; "Yes, I'm sure the ads help."; "Cookie based!"]
reply
Sunfox @ 6th Nov 12:23AM:
Re: ZW35 - remove "default" servers from DNS relay?
Heh, I just noticed that the supposed "real" error page is in fact fake... really fake. Everything of course still resolves to an IP, you're just given a cut-and-paste version of the stock IE error page, complete with *missing* bitmap files and a link to turn on ad-laden error pages at the bottom.
reply
stefaanE @ 6th Nov 03:46AM:
Re: ZW35 - remove "default" servers from DNS relay?
That is so utterly broken it beggars belief. What a marvelous example of reverse navel-gazing (to have your head so far up your ass you can look through your bellybutton).
I had a look at OpenDNS, and they do the same thing:
Not only do they have an NXDOMAIN replacement just as Rogers, they fudge common domains such as Google. Good enough reason to avoid them as the plague and set up your own resolver.
--
"Technically, Windows is an 'operating system,' which means that it supplies your computer with the basic commands that it needs to suddenly, with no warning whatsoever, stop operating." -Dave Barry
reply
Sunfox @ 7th Nov 03:21AM:
Re: ZW35 - remove "default" servers from DNS relay?
Well, I have a DNS provider I want to use. And only it. Alas due to the way the ZW35 works I can't get rid of the Rogers assigned servers from the chain, so I still have all of their negative attributes. The only workaround is to not use the DNS Relay at all, which means I can't set up local DNS resolution which a particular piece of software I use wants.
Edit: I did look at the CLI manual and I can't see anything that does exactly what I want.
reply
anon @ 7th Nov 07:14AM:
Re: ZW35 - remove "default" servers from DNS relay?
Not from a ZyWALL, but from a Zynos device.
lan index 1
lan dhcp dnsserver
Usage: dns []
reply
stefaanE @ 8th Nov 10:17AM:
Re: ZW35 - remove "default" servers from DNS relay?
said by Sunfox :
Well, I have a DNS provider I want to use. And only it. Alas due to the way the ZW35 works I can't get rid of the Rogers assigned servers from the chain, so I still have all of their negative attributes.
You're too pessimistic here. First, a DNS "chain" merely means that if the first resolver is not responding (and only if it is not responding), the second one will be consulted. As far as I know, when the Z35 is looking up IP addresses for its own use, or because it's functioning as a DNS relay, it will always use the first DNS resolver. Only if that one doesn't reply will it use the second, and so forth. I have traced DNS activity on a Z5 and I am describing what I saw just as much as what I know about the DNS protocol.
said by Sunfox :
The only workaround is to not use the DNS Relay at all, which means I can't set up local DNS resolution which a particular piece of software I use wants.
I did trace the behaviour of a Z5 used as a DNS relay, and it does correctly and consequently use the first DNS resolver when this one is available, and going (after the timeout) to the second one if the first one does not respond.
If you see no difference when defining your two DNS resolvers, then it could be that Rogers blocks port 53 when queries are not directed to their resolvers. Then even if you would set up your own resolvers, they would not work. Obviously, using the Z35 as a relay to resolvers outside the Rogers network would also not work.
FYI, here is a log of the CLI commands I used during the tests:
I changed the first DNS resolver to a non-existing address, and noticed that addresses were resolved but the response time was worse due to the timeout on the query to the non-existing host.
I looked at the output from the Z5 using Wireshark, which confirmed that the first DNS resolver is always queried first.
--
"Technically, Windows is an 'operating system,' which means that it supplies your computer with the basic commands that it needs to suddenly, with no warning whatsoever, stop operating." -Dave Barry
reply
Sunfox @ 8th Nov 08:02PM:
Re: ZW35 - remove "default" servers from DNS relay?
I know the ZW35 is using the DNS servers I specify - as when I use OpenDNS I end up with their non-existent domain screen instead of Rogers - however when I use servers that correctly don't resolve non-existent domains it continues down the list until it gets to the stock Rogers one, which of course gives me those delightful screens.
I have dual WAN connections, cable via Rogers and DSL via a smaller company. The ZW35 separates that last greyed out entry into separate DNS servers for WAN1 and WAN2. Due to speed my primary WAN is WAN1 - however if I "disable" that, then the ZW35 changes to using WAN2's DNS server as the last in the chain, and non-existent domains no longer resolve.
reply
stefaanE @ 9th Nov 03:53PM:
Re: ZW35 - remove "default" servers from DNS relay?
said by Sunfox :
I know the ZW35 is using the DNS servers I specify - as when I use OpenDNS I end up with their non-existent domain screen instead of Rogers - however when I use servers that correctly don't resolve non-existent domains it continues down the list until it gets to the stock Rogers one, which of course gives me those delightful screens.
That is weird, and not something I see on my Z5 (as you can observe from my examples in this thread). The Z5 correctly returns NXDOMAIN when that is the answer returned by the resolver:
Querying other DNS resolvers in the list when a perfectly good answer has been returned (and NXDOMAIN is a perfectly good answer, as there is no reason another DNS resolver would return another answer) is so against the DNS specification that I cannot believe ZyXEL would have implemented that (plus, I do not observe it on my router, which runs very similar software).
said by Sunfox :
I have dual WAN connections, cable via Rogers and DSL via a smaller company. The ZW35 separates that last greyed out entry into separate DNS servers for WAN1 and WAN2. Due to speed my primary WAN is WAN1 - however if I "disable" that, then the ZW35 changes to using WAN2's DNS server as the last in the chain, and non-existent domains no longer resolve.
There should be no chain, unless your first and second entry are not declared as applicable to all domains. What do you get as result for the command
You should see "Domain Name" defined as "*", like below:
If the Z35 effectively re-queries the lower-listed DNS resolvers when it gets an NXDOMAIN from the first resolver, it is a major bug and you should ask ZyXEL to fix it. Can you trace the packets leaving the Z35 when you perform DNS queries?
Don't forget that DNS resolvers (as opposed to authoritative servers) do not have their own database, but query the DNS servers from the root servers down for the information. This is why the multiple DNS resolvers defined in a computer (e.g. in /etc/resolv.conf) do not define a cascade, but an order of query in case of non-availability. Because each and every resolver follows the same top (root)-down approach, they cannot obtain different results. If the first resolver returns NXDOMAIN, the second one has to return NXDOMAIN, unless one of them is mis-configured. This is why the Rogers (and OpenDNS) approach is so horribly broken - NXDOMAIN is not an error, but simply a reply that signals the queried-for object does not exist.
If your Z35 returns the Rogers catch-all address, when using Rogers as primary link, my guess is that Rogers intercepts all port 53 packets and re-directs them to their own servers. This is why it would be interesting to see if the Z35 actually queries the second and third resolvers when it gets an NXDOMAIN from the first one. I bet it's not doing this.
Take care,
Stefaan
--
"Technically, Windows is an 'operating system,' which means that it supplies your computer with the basic commands that it needs to suddenly, with no warning whatsoever, stop operating." -Dave Barry
reply
Sunfox @ 9th Nov 06:49PM:
Re: ZW35 - remove "default" servers from DNS relay?
I seem to be having a problem getting to the CLI. I connect via telnet, log in using my password, and I get a numerical menu selection screen like an old BBS.
I tried using the login values from the CLI manual (admin / 1234) and it doesn't accept them, just the one I use for web management.
reply
Brano @ 9th Nov 07:11PM:
Re: ZW35 - remove "default" servers from DNS relay?
said by Sunfox :
I seem to be having a problem getting to the CLI. I connect via telnet, log in using my password, and I get a numerical menu selection screen like an old BBS.
Then go to menu 24 then to 8.
--
openSUSE 11.1, KDE 4.2
reply
Sunfox @ 9th Nov 11:22PM:
Re: ZW35 - remove "default" servers from DNS relay?
Thanks Brano - I didn't see that in the CLI manual.
Well, here's what I get...
And here's what I get from the other command:
I don't know of any way I could check if the Zyxel is actually querying the other addresses. But here's some other stuff I can do on my computer that tends to make me think that the ISP isn't messing around with DNS queries:
Edit: I should note that if I put OpenDNS' servers into a user-defined slot, I get THEIR error screen instead of Rogers. This includes putting them after servers that properly return NXDOMAIN. So, this would make me think that the ZW is going through every DNS server in the chain when it receives an NXDOMAIN unless it receives a positive result.
[Screenshot: DNS Configuration]
reply
Sunfox @ 13th Nov 09:52PM:
Re: ZW35 - remove "default" servers from DNS relay?
So is the general consensus that the ZW should not keep going through servers when it receives an NXDOMAIN, and that this is a bug?
I had assumed the way it was operating was standard procedure, which is why I wanted to delete the last server in the chain, but if it should never get to them in the first place...
reply
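Added example (not written by any poster in this thread, and not ZyXEL code): a Python model of the two relay policies debated above, failover only on timeout versus continuing down the chain on NXDOMAIN, plus a probe that flags an upstream that rewrites NXDOMAIN. The resolver behaviours, upstream names, zone data and addresses are all constructed for illustration.

```python
import secrets

NOERROR, NXDOMAIN = 0, 3                       # DNS RCODE values (RFC 1035)
ZONE = {"www.example.com": ["192.0.2.10"]}     # constructed: the only name that exists

def honest(qname):
    """Resolver that reports nonexistent names truthfully."""
    addrs = ZONE.get(qname)
    return (NOERROR, addrs) if addrs else (NXDOMAIN, [])

def rewriting(qname):
    """Resolver that replaces NXDOMAIN with a 'search page' address (constructed)."""
    rcode, addrs = honest(qname)
    return (NOERROR, ["203.0.113.80"]) if rcode == NXDOMAIN else (rcode, addrs)

def dead(qname):
    """Unreachable resolver: None models a query timeout."""
    return None

def forward(chain, qname, cascade_on_nxdomain=False):
    """Walk the upstream chain; return (rcode, addrs, upstreams queried).

    Default policy: any reply, NXDOMAIN included, ends the search; only a
    timeout moves on to the next entry. cascade_on_nxdomain=True models the
    behaviour reported for the ZW35 in this thread.
    """
    queried, last = [], None
    for name, upstream in chain:
        queried.append(name)
        reply = upstream(qname)
        if reply is None:
            continue                           # timeout: try the next upstream
        last = reply
        if reply[0] == NXDOMAIN and cascade_on_nxdomain:
            continue                           # NXDOMAIN treated as a failure
        return reply[0], reply[1], queried
    if last is not None:
        return last[0], last[1], queried       # every upstream said NXDOMAIN
    return None, [], queried                   # nothing answered at all

def rewrites_nxdomain(upstream):
    """Probe with a random label under .invalid, a reserved TLD that never exists."""
    reply = upstream(secrets.token_hex(8) + ".invalid")
    return reply is not None and reply[0] != NXDOMAIN

# User-defined resolver first, ISP default forced to the end of the list.
CHAIN = [("custom", honest), ("isp", rewriting)]
```

With the default policy the ISP entry at the end of `CHAIN` is never consulted for a nonexistent name; with `cascade_on_nxdomain=True` the rewritten answer reaches the client even though the first resolver answered correctly.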