Forums » Equipment Support » Hardware By Brand » ZyXEL » ZW35 - remove "default" servers from DNS relay?

Sunfox

join:2003-12-14
Markham, ON

ZW35 - remove "default" servers from DNS relay?

I currently have my Zywall 35 configured to use a DNS relay followed by a number of custom servers in the chain.

However how can I remove the "default" ISP DHCP-provided DNS servers from the end of the list? The entry is greyed out. The ZW35 insists on working its way through the entire list, and I want to remove the ISP-based ones as they force "search page" results on negative resolutions, and the only opt-out is browser cookie based (so utterly useless).

Any ideas?


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
maybe via telnet?? Hopefully a CLI expert will stop by.


Otto58

join:2001-02-26
Germany
reply to Sunfox
Will you change the greyed list at Advanced > DNS > System > Name Server Record?
Why do you not make changes at Advanced > DNS > DHCP?


Sunfox

join:2003-12-14
Markham, ON


1 edit
Because at the DHCP screen I can either enable the ZW35's DNS Relay (causing all PCs to use the ZW for DNS resolution), or specify 3 DNS servers that will be passed directly to DHCP clients.

Yes, no longer using the ZW for DNS resolution *would* work around the issue, however that's not what I want. I need to specify several custom DNS entries for a piece of software I use, I would like to have more than 3 servers in the chain, and I want the ZW to cache results (giving me instant lookup on cached results).

Essentially the ZW is *forcing* me to have the ISP-specified DNS servers at the end of the relay, and I can see no logical reason why this is done.

Bwuutje

join:2005-01-10
No, it is not forcing you. You opted for dynamic ip, so you got what you asked for. If you don't "like" the ip/subnet/gateway/DNS, then set it to static and specify everything yourself.

Bwuutje.

Sunfox

join:2003-12-14
Markham, ON

I'm sorry, but I just can't see the logic of what you said.

Using the dynamic IP does not force you to use the assigned DNS servers. In fact many people would prefer to switch to other services, such as OpenDNS.

The ZW is perfectly happy to let me specify up to 3 custom DNS servers that DON'T include the DHCP-assigned servers. But if I want to make use of a more advanced option, by using the built-in DNS server so I can have more than 3 DNS servers, custom DNS entries, or simply have it cache DNS results, then suddenly it's as dumb as a sack of bricks and needlessly forces the DHCP-assigned servers to the bottom of the list.

Please give me a logical reason why this is so.


Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
·TekSavvy Solutions..


1 edit
Download the CLI reference »ftp://ftp.zyxel.com/ZyWALL_35_UTM/cli_···TM_2.pdf

Check the DNS sections, you may be able to accomplish what you want.
Section 15.1.9 DNS Commands
--
openSUSE 11.1, KDE 4.2


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
reply to Sunfox
Reading the recent software release (XU8??) for one of the zywalls one of the latest fixes was for DNS problems, wonder if that is applicable here??


stefaanE
Premium
join:2002-07-10
Luxembourg
·Redwood Virtual


1 edit
reply to Sunfox
said by Sunfox:

But if I want to make use of a more advanced option, by using the built-in DNS server so I can have more than 3 DNS servers, custom DNS entries, or simply have it cache DNS results, then suddenly it's as dumb as a sack of bricks and needlessly forces the DHCP-assigned servers to the bottom of the list.
You seem confused about how DNS works. Why would you want more than 3 or custom DNS caches? Don't forget that DNS resolution only uses the first cache if it responds. There is no cascade of queries - if the first cache returns a NXDOMAIN, the search stops. Thus, unless you have highly unreliable DNS caches, you should never need more than three entries, because #2 and #3 will only be queried when #1 does not respond (again, they will not be consulted when #1 returns a NXDOMAIN). As such, the presence of the ISP-supplied caches at the end of the list is merely a safeguard in case your own caches fail or are not available. As long as your caches work (that is, if they are proper recursive resolvers configured to resolve both internal and external addresses), the ISP's resolvers will never be queried.
--
"Technically, Windows is an 'operating system,' which means that it supplies your computer with the basic commands that it needs to suddenly, with no warning whatsoever, stop operating." -Dave Barry

Sunfox

join:2003-12-14
Markham, ON

That was, however, a minor point. What I really want are 1) custom DNS entries and 2) to utilize its built-in query cache. In which case I strongly prefer to use the ZW's DNS relay versus specifying direct DNS servers that each client should use.

Here's the problem. The ISP has one of those stupid "let's redirect all failed results to a fancy ad-filled webpage" DNS servers. It does NOT support disabling that feature (well, kind of, but it's browser cookie based so it's useless for me).

So, every failed DNS lookup ends up resolving to an IP because the ZW insists on sticking this at the end of the list.


Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
Did you try the CLI commands to solve your issue or not?
Not all things are configurable through web UI.
--
openSUSE 11.1, KDE 4.2


stefaanE
Premium
join:2002-07-10
Luxembourg
·Redwood Virtual

reply to Sunfox
said by Sunfox:

What I really want are 1) custom DNS entries and 2) to utilize its built-in query cache. In which case I strongly prefer to use the ZW's DNS relay versus specifying direct DNS servers that each client should use.
The Z35 is a reasonable DNS forwarder (unless it suffers from the same bug that causes its little brother, the Z5, to crash under heavy DNS load), but not a DNS resolver. If you are not happy with your ISP's DNS resolvers, you can set up your own, or use a public DNS resolver like OpenDNS.

Trying to use the Z35 as a recursive resolver is not going to work, it simply doesn't incorporate the function (for starters, there isn't enough RAM on board). It has primitive caching functions, but needs a real resolver (BIND, djbdns/dnscache, MaraDNS et al) to perform the actual resolutions.
said by Sunfox:

Here's the problem. The ISP has one of those stupid "let's redirect all failed results to a fancy ad-filled webpage" DNS servers. It does NOT support disabling that feature (well, kind of, but it's browser cookie based so it's useless for me).

So, every failed DNS lookup ends up resolving to an IP because the ZW insists on sticking this at the end of the list.
That's completely broken and a horribly obnoxious mis-feature, because not every DNS lookup concerns a Web page. Who are these clowns?

You have my profound sympathy.
--
"Technically, Windows is an 'operating system,' which means that it supplies your computer with the basic commands that it needs to suddenly, with no warning whatsoever, stop operating." -Dave Barry

Sunfox

join:2003-12-14
Markham, ON


1 edit
[Image: Failed Lookup]
[Image: Yes, I'm sure the ads help.]
[Image: Cookie based!]
Tell me about it... for example:

> fhwef7893uhfr23978ry21374y512894812y4.com
Server: sunscreen
Address: 192.168.0.1

Name: fhwef7893uhfr23978ry21374y512894812y4.com
Addresses: 8.15.7.107, 63.251.179.17, 65.200.200.47

Everything resolves. So then you check out the page in a web browser and get the first screen. Note the tiny "About this Page" link, which goes to the second screen. Ah, a way to get rid of it, right?

Click the link and you get the third page. So it's per computer, per browser. Great. What about everything else?

Sunfox

join:2003-12-14
Markham, ON

Heh, I just noticed that the supposed "real" error page is in fact fake... really fake. Everything of course still resolves to an IP, you're just given a cut-and-paste version of the stock IE error page, complete with *missing* bitmap files and a link to turn on ad-laden error pages at the bottom.


stefaanE
Premium
join:2002-07-10
Luxembourg
·Redwood Virtual

That is so utterly broken it beggars belief. What a marvelous example of reverse navel-gazing (to have your head so far up your ass you can look through your bellybutton).

I had a look at OpenDNS, and they do the same thing:


Not only do they have an NXDOMAIN replacement just as Rogers, they fudge common domains such as Google. Good enough reason to avoid them as the plague and set up your own resolver.

--
"Technically, Windows is an 'operating system,' which means that it supplies your computer with the basic commands that it needs to suddenly, with no warning whatsoever, stop operating." -Dave Barry

Sunfox

join:2003-12-14
Markham, ON


1 edit
Well, I have a DNS provider I want to use. And only it. Alas due to the way the ZW35 works I can't get rid of the Rogers assigned servers from the chain, so I still have all of their negative attributes. The only workaround is to not use the DNS Relay at all, which means I can't set up local DNS resolution which a particular piece of software I use wants.

Edit: I did look at the CLI manual and I can't see anything that does exactly what I want.


dslp_anon

@getinternet.no
reply to Sunfox
Not from a ZyWALL, but from a Zynos device.

lan index 1
lan dhcp dnsserver
Usage: dns []


stefaanE
Premium
join:2002-07-10
Luxembourg
·Redwood Virtual

reply to Sunfox
said by Sunfox:

Well, I have a DNS provider I want to use. And only it. Alas due to the way the ZW35 works I can't get rid of the Rogers assigned servers from the chain, so I still have all of their negative attributes.
You're too pessimistic here. First, a DNS "chain" merely means that if the first resolver is not responding (and only if it is not responding), the second one will be consulted. As far as I know, when the Z35 is looking up IP addresses for its own use, or because it's functioning as a DNS relay, it will always use the first DNS resolver. Only if that one doesn't reply will it use the second, and so forth. I have traced DNS activity on a Z5 and I am describing what I saw just as much as what I know about the DNS protocol.
said by Sunfox:

The only workaround is to not use the DNS Relay at all, which means I can't set up local DNS resolution which a particular piece of software I use wants.
I did trace the behaviour of a Z5 used as a DNS relay, and it does correctly and consequently use the first DNS resolver when this one is available, and going (after the timeout) to the second one if the first one does not respond.
If you see no difference when defining your two DNS resolvers, then it could be that Rogers blocks port 53 when queries are not directed to their resolvers. Then even if you would set up your own resolvers, they would not work. Obviously, using the Z35 as a relay to resolvers outside the Rogers network would also not work.

FYI, here is a log of the CLI commands I used during the tests:
I changed the first DNS resolver to a non-existing address, and noticed that addresses were resolved but the response time was worse due to the timeout on the query to the non-existing host.

I looked at the output from the Z5 using Wireshark, which confirmed that the first DNS resolver is always queried first.

--
"Technically, Windows is an 'operating system,' which means that it supplies your computer with the basic commands that it needs to suddenly, with no warning whatsoever, stop operating." -Dave Barry

Sunfox

join:2003-12-14
Markham, ON

I know the ZW35 is using the DNS servers I specify - as when I use OpenDNS I end up with their non-existent domain screen instead of Rogers - however when I use servers that correctly don't resolve non-existent domains it continues down the list until it gets to the stock Rogers one, which of course gives me those delightful screens.

I have dual WAN connections, cable via Rogers and DSL via a smaller company. The ZW35 separates that last greyed out entry into separate DNS servers for WAN1 and WAN2. Due to speed my primary WAN is WAN1 - however if I "disable" that, then the ZW35 changes to using WAN2's DNS server as the last in the chain, and non-existent domains no longer resolve.


stefaanE
Premium
join:2002-07-10
Luxembourg
·Redwood Virtual

said by Sunfox:

I know the ZW35 is using the DNS servers I specify - as when I use OpenDNS I end up with their non-existent domain screen instead of Rogers - however when I use servers that correctly don't resolve non-existent domains it continues down the list until it gets to the stock Rogers one, which of course gives me those delightful screens.
That is weird, and not something I see on my Z5 (as you can observe from my examples in this thread). The Z5 correctly returns NXDOMAIN when that is the answer returned by the resolver:
Querying other DNS resolvers in the list when a perfectly good answer (and NXDOMAIN is a perfectly good answer, as there is no reason another DNS resolver would return another answer) is so against the DNS specification that I cannot believe ZyXEL would have implemented that (plus, I do not observe it on my router which runs very similar software).
said by Sunfox:

I have dual WAN connections, cable via Rogers and DSL via a smaller company. The ZW35 separates that last greyed out entry into separate DNS servers for WAN1 and WAN2. Due to speed my primary WAN is WAN1 - however if I "disable" that, then the ZW35 changes to using WAN2's DNS server as the last in the chain, and non-existent domains no longer resolve.
There should be no chain, unless your first and second entry are not declared as applicable to all domains. What do you get as result for the command
You should see "Domain Name" defined as "*", like below:
If the Z35 effectively re-queries the lower-listed DNS resolvers when it gets an NXDOMAIN from the first resolver, it is a major bug and you should ask ZyXEL to fix it. Can you trace the packets leaving the Z35 when you perform DNS queries?

Don't forget that DNS resolvers (as opposed to authoritative servers) do not have their own database, but query the DNS servers from the root servers down for the information. This is why the multiple DNS resolvers defined in a computer (e.g. in /etc/resolv.conf) do not define a cascade, but an order of query in case of non-availability. Because each and every resolver follows the same top (root)-down approach, they cannot obtain different results. If the first resolver returns NXDOMAIN, the second one has to return NXDOMAIN, unless one of them is mis-configured. This is why the Rogers (and OpenDNS) approach is so horribly broken - NXDOMAIN is not an error, but simply a reply that signals the queried-for object does not exist.

If your Z35 returns the Rogers catch-all address, when using Rogers as primary link, my guess is that Rogers intercepts all port 53 packets and re-directs them to their own servers. This is why it would be interesting to see if the Z35 actually queries the second and third resolvers when it gets an NXDOMAIN from the first one. I bet it's not doing this.

Take care,

Stefaan

--
"Technically, Windows is an 'operating system,' which means that it supplies your computer with the basic commands that it needs to suddenly, with no warning whatsoever, stop operating." -Dave Barry
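Two things in this thread are worth seeing in code: the nslookup output in Sunfox's post, where a random name gets A records instead of NXDOMAIN, and stefaanE's point that a resolver list is a fallback order (next entry only when the previous one does not answer), not a cascade in which NXDOMAIN triggers the next query. The script below is an added example, not code from the thread or from ZyXEL. It builds and parses DNS wire-format messages with the standard library only, classifies a response to a random-label query as a proper NXDOMAIN or as a hijacked "answer", and models a forwarder over a list of upstream resolvers in both the correct mode and the cascade-on-NXDOMAIN mode the thread describes. The upstream resolvers are in-process stubs and the three addresses are the ones from Sunfox's post; no packets leave the machine.

```python
import random
import string
import struct

# DNS constants (RFC 1035)
RCODE_NOERROR = 0
RCODE_NXDOMAIN = 3
TYPE_A = 1
CLASS_IN = 1


def build_query(name, txid=0x1234):
    """Wire-format A query for `name` with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", TYPE_A, CLASS_IN)


def build_response(query, rcode, addresses=()):
    """Constructed test data: answer `query` with `rcode` and one A record per address.
    The answer names use a compression pointer (0xc00c) back to the question name."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(addresses), 0, 0)
    answers = b""
    for addr in addresses:
        rdata = bytes(int(octet) for octet in addr.split("."))
        answers += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 60, 4) + rdata
    return header + question + answers


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_response(msg):
    """Return (rcode, list of A-record addresses) from a DNS response."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_A and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return rcode, addrs


def random_probe_name(rng=random):
    """A name that cannot exist by accident; used to detect NXDOMAIN replacement."""
    label = "".join(rng.choice(string.ascii_lowercase + string.digits) for _ in range(32))
    return label + ".com"


def classify_response(msg):
    """'nxdomain' is the honest answer for a random name; 'answered' means the
    resolver substituted addresses (the Rogers/OpenDNS behaviour in the thread)."""
    rcode, addrs = parse_response(msg)
    if rcode == RCODE_NXDOMAIN:
        return "nxdomain"
    if rcode == RCODE_NOERROR and addrs:
        return "answered"
    return "other"


def forward(query, upstreams, cascade_on_nxdomain=False):
    """Relay `query` through `upstreams` (callables: query bytes -> response bytes,
    or None for a timeout). Correct behaviour, as with /etc/resolv.conf: move to the
    next entry only on no answer; NXDOMAIN is a final answer. With
    cascade_on_nxdomain=True the model re-asks the next entry on NXDOMAIN, so the
    last entry in the list (the ISP's) gets to answer the query."""
    for ask in upstreams:
        resp = ask(query)
        if resp is None:
            continue  # timeout: try the next resolver
        if cascade_on_nxdomain and parse_response(resp)[0] == RCODE_NXDOMAIN:
            continue  # the misbehaviour the thread describes
        return resp
    return None


# Constructed upstream stubs: a dead resolver, an honest one, and a hijacking one.
HIJACK_ADDRS = ["8.15.7.107", "63.251.179.17", "65.200.200.47"]  # from the nslookup post
dead = lambda q: None
honest = lambda q: build_response(q, RCODE_NXDOMAIN)
hijacker = lambda q: build_response(q, RCODE_NOERROR, HIJACK_ADDRS)


def demo(name="fhwef7893uhfr23978ry21374y512894812y4.com"):
    """Compare the two forwarder modes over the chain [dead, honest, hijacker]."""
    q = build_query(name)
    chain = [dead, honest, hijacker]
    return {
        "correct": classify_response(forward(q, chain)),
        "cascade": classify_response(forward(q, chain, cascade_on_nxdomain=True)),
    }


if __name__ == "__main__":
    print(demo())  # correct mode stops at the honest NXDOMAIN; cascade mode leaks to the hijacker
```

To turn this into a real check against a resolver you control, replace the stubs with a function that sends `build_query(random_probe_name())` over UDP port 53 to that resolver and feeds the reply to `classify_response`; "answered" for a random name means the resolver is substituting addresses for NXDOMAIN.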
Tuesday, 01-Dec 20:02:48 | © 1999-2009 dslreports.com