Q: Zone based firewall (with local-zone) and DNS forwarding service


#1

Hi !

I have question regarding DNS forwarding service.

4 zone setup (WAN, DMZ, LAN) + local router zone.

set zone-policy zone ZONE_ROUTER_LOCAL local-zone

All traffic enabled from local-zone to all other zones.
All trafiic enabled from LAN to local-zone
DNS forwarding listen interfaces DMZ and LAN.

Web page loading from LAN time to time have long-time lags because of DNS forwarding problems. This is clearly problem with DNS - ping 8.8.8.8 (or target servers) shows no problems or timeouts. Additionally, changing DNS server on LAN PCs from 192.168.0.1 to 8.8.8.8 eliminates page loading lags.

I suspect this is because DNS forwarding service treats router with local zone defined as device with separate interface. Please correct if I’m wrong here.

set service dns forwarding listen-on lo

also eliminates lags and delays with web page loading from LAN PCs.

Another question - I’m going to setup my own DNS server on DMZ with DNAT from WAN to DMZ. Will this DNAT interfere with DNS forwarding service, should I remove eth2 DMZ from “listen-on” interfaces?

I would prefer to know internals to make it work now and with future versions rather to apply quick hacks.

Thanks in advance.