DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Draytek 2860 DNS interception

15 Jan 2014 16:29 #78735 by phyber
Draytek 2860 DNS interception was created by phyber
So, the issue that was documented on the Vigor 2830 is happening on the 2860 with firmware 3.7.3.
In addition to the issue with TXT records, I am also unable to lookup SOA records. It's possible that there is also an issue with EDNS0, but with these other issues happening it's hard to tell. Why the 2860 is filtering DNS when the DNS Filter is turned off, I do not know.

I've been in contact with Draytek UK support for a separate IPv6 firewall issue* and have now mentioned this DNS issue in the same ticket to them, but I thought I'd post here too, since they're very slow to reply.

I don't expect anyone here to be able to help with these issues, but I felt it was worth putting here for other people that are considering buying the 2860. If they ever reply, I'll update this with new info.

*Internal router services exposed on public IP addresses, with no way to disable it. The services in question were the LDP (port 515, printer) service and the management interface. The printer should never be public, and Remote Management and SSL VPN (port 443) are disabled, so those ports should not show up on a public address.


17 Jan 2014 11:09 #78753 by phyber
Replied by phyber on topic Re: Draytek 2860 DNS interception
So, for anyone using IPv6 on this router or having issues with the router filtering DNS (which cannot be turned off) firmware 3.7.3.3 addresses some of the issues.

  • Router services on their default ports are no longer visible from the Internet over IPv6. However, services not on their default port are still exposed to the Internet. Easily testable by changing the default port of a service (e.g. change SSL VPN from 443 to 444 and re-portscan). Do note that simply having a service on the router "disabled" means nothing if you have changed the port that the service runs on. Disabling a service on the Vigor 2860 (and probably other Draytek routers) appears to mean that a firewall rule is put in place to prevent access to the default port associated with the service. IPv4 works as expected and the services are never visible as long as they are "disabled".

  • The DNS interception situation is improved but not fixed. With UDP DNS requests, TXT records can be looked up again but SOA records cannot be looked up. Querying over TCP for SOA works without issue. From this I believe that the 2860 is intercepting UDP DNS traffic, regardless of whether the "DNS Filter" setting is turned on or not. For some reason they don't filter TCP DNS traffic (or their TCP filter isn't broken). The issues with DNS appear to completely break DNSSEC. Using tshark to capture DNS packets and wireshark to view the capture, we can see that SOA queries go out but never return. I haven't captured any DNSSEC queries, but I'm sure the result would be similar.

My next step is probably going to be to set up a resolver on a VPS somewhere so that I can see what the packets look like after they have passed through the Vigor 2860. I'm expecting to see one of a few outcomes.

  • The packets are horribly mangled by the Vigor 2860 filter and the remote DNS servers never bother replying.

  • The packets are not mangled and the remote server responds, but the Vigor 2860 drops the response for some reason.

  • The packets are mangled, the remote server responds with a "format error", the Vigor 2860 drops the response for some reason.

  • The Vigor 2860 simply drops the packets immediately and they never make it out onto the Internet.
I'll update this thread again when I have more to report.


17 Jan 2014 15:45 #78761 by phyber
Replied by phyber on topic Re: Draytek 2860 DNS interception
So after capturing some more packets with tshark on both sides (DNS client behind the Vigor 2860, recursive resolver on the Internet) and looking over them with wireshark it appears that:

  • Packets are not mangled.

  • DNS resolvers on the Internet do respond properly to SOA and other RR queries.

  • Replies never make it back to the machine that performed the query.

So, the Vigor 2860 is just dropping the replies for certain RR queries for an unknown reason without logging why.

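As an added, offline illustration of the probing phyber describes in the two posts above (not code from the thread or from DrayTek): stdlib-only Python that builds an SOA query with an EDNS0 OPT record, frames it for TCP, and classifies what comes back as dropped, FORMERR, or answered. The resolver's reply is a constructed stand-in (name "example.com", constructed SOA values), so the script runs without a network.

```python
import struct

QTYPE_SOA, QTYPE_OPT, CLASS_IN = 6, 41, 1  # RFC 1035 type/class codes; OPT pseudo-RR from RFC 6891

def encode_name(name):
    """Encode a dotted name as length-prefixed labels ending in the root label."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype, qid=0x1234, edns0=True):
    """Recursive query for NAME/QTYPE; edns0=True appends an OPT record advertising a 4096-byte UDP payload."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if edns0 else 0)
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    opt = b"\x00" + struct.pack("!HHIH", QTYPE_OPT, 4096, 0, 0) if edns0 else b""
    return header + question + opt

def tcp_frame(msg):
    """DNS over TCP prefixes each message with a 2-byte big-endian length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg

def tcp_unframe(stream):
    """Inverse of tcp_frame: the first complete message, or None if the stream is truncated."""
    length = struct.unpack("!H", stream[:2])[0] if len(stream) >= 2 else None
    return stream[2:2 + length] if length is not None and len(stream) >= 2 + length else None

def classify_response(query, response):
    """What the client saw: dropped, a non-matching/non-reply message, FORMERR, another RCODE, an answer, or an empty reply."""
    if response is None:
        return "dropped"  # the symptom phyber saw for UDP SOA queries behind the 2860
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", response[:12])
    if qid != struct.unpack("!H", query[:2])[0] or not flags & 0x8000:
        return "id-mismatch"  # wrong transaction ID or QR bit not set
    rcode = flags & 0x000F
    if rcode:
        return "formerr" if rcode == 1 else "rcode-%d" % rcode  # FORMERR = resolver could not parse a mangled query
    return "answered" if an else "empty"

def constructed_soa_response(query):
    """Hand-built, valid SOA answer to QUERY: a constructed stand-in for the Internet-side resolver's reply."""
    qend = query.index(b"\x00", 12) + 5  # end of the question section (root label + qtype + qclass)
    rdata = encode_name("ns1.example.com") + encode_name("hostmaster.example.com")
    rdata += struct.pack("!IIIII", 2014011701, 7200, 900, 1209600, 300)  # serial, refresh, retry, expire, minimum
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_SOA, CLASS_IN, 3600, len(rdata)) + rdata  # name = pointer to offset 12
    return query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0) + query[12:qend] + answer  # QR, RD, RA set; RCODE 0

def interception_report():
    """Reproduce the observed pattern for one SOA query: no UDP reply at all, a TCP-framed reply that parses cleanly."""
    q = build_query("example.com", QTYPE_SOA)
    tcp_reply = tcp_unframe(tcp_frame(constructed_soa_response(q)))
    return {"udp/SOA": classify_response(q, None), "tcp/SOA": classify_response(q, tcp_reply)}
```

Against a live resolver the same classify_response() can be fed the bytes (or None on timeout) returned by a UDP socket and a TCP socket, which is the comparison the posts above make by hand with tshark.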

17 Jan 2014 16:30 #78763 by babis3g
Replied by babis3g on topic Re: Draytek 2860 DNS interception
I have not been involved with VPN & all that apart from the adsl/vdsl parts, but are you aware of this note?
http://www.draytek.net.nz/draytek/support/vigor2830-upgrading-to-3-6-4/
http://www.draytek.co.uk/archive/kb/kb_sslvpn_troubleshooting.html

Another way which may be worth trying for DNS: at LAN >> General Setup >> Details Page >> DNS Server IP ... add manually your ISP's or the ones you prefer in that section, if it will help.


29 Jan 2014 09:46 #78879 by phyber
Replied by phyber on topic Re: Draytek 2860 DNS interception
I'm not sure how much I'm really allowed to say about this, but there was no NDA thing in the email so I'm guessing it's OK.
Draytek provided me with a beta firmware for testing which seems to fix the DNS interception issues. This means that resolvers behind the Vigor 2860 can now properly receive answers for any DNS query that they perform. In the cases I was testing this means that my resolvers behind the 2860 can now properly query for SOA records and perform DNSSEC validation.

DNS queries directed at the 2860 itself (so, queries that use the 2860's DNS proxy/resolver) are still subject to this filtering. Hopefully this will be fixed soon too.


29 Mar 2014 16:45 #79502 by mattstephenson
Replied by mattstephenson on topic Re: Draytek 2860 DNS interception
I am experiencing this problem too.

Our Active Directory servers which run Windows Server 2012 have always forwarded to Google DNS 8.8.8.8 and 8.8.4.4.

Since changing the router to DrayTek, it intercepts DNS queries often making them fail and setting a low TTL of 60 seconds which is creating ongoing DNS issues.

DNS Filter is off in the router admin, so why does it not butt out of interfering with queries I do not want it to?

Reported to support but have heard nothing for a week.

Hopefully a fix soon, or I will have to roll back to an ancient firmware before they invented this 'feature'.
