New Member
Posts: 6
Registered: ‎11-12-2018

USG generating continuous DNS resolver activity

Hi All,

 

I've got a USG generating constant (2/sec) A / AAAA requests.  I assumed it might be the DPI as it's related to the traffic the clients behind the USG are generating, so disabled it, but found it persisted.  Has anyone seen this behavior before?  Advice appreciated.

 

Thanks!

Regular Member
Posts: 498
Registered: ‎01-28-2016
Kudos: 99
Solutions: 17

Re: USG generating continuous DNS resolver activity

Can you log into the console of the USG via SSH and do a tcpdump? See here for more details on how to do that:

 

https://help.ubnt.com/hc/en-us/articles/204962304-EdgeMAX-Capture-packets-on-the-router

 

A command like this should get you started:

 

sudo tcpdump -i eth0 -n port 53

 

You'll probably want to run the command on all of your interfaces to pinpoint where the requests are coming from. Just change the eth0 to whatever interface you want to check. You can see a list of interfaces with the following command:

 

show interfaces

 

Post back what you find!

 

--

Klint

Primary Innovator at Sprocket Technology
UEWA | Contributor to Easy UBNTUFW Lockdown, Companion API | Host on Vultr
New Member
Posts: 6
Registered: ‎11-12-2018

Re: USG generating continuous DNS resolver activity

Thank you, Klint. My apologies for not being more precise in my question. My network uses a local resolver and another device manages DHCP. For the hosts on the network, the USG is only a gateway to the Internet. Using tcpdump, both on the USG and local resolver, I've verified that the requests are coming from the USG and are all/most of the DNSRR being requested by clients on the network. This is what led me to suspect the DPI capability was causing the USG to resolve every domain it saw in the traffic passing by. That doesn't seem to be the case, however. I'm hoping others may know what might cause the USG to behave this way if not DPI.
Regular Member
Posts: 498
Registered: ‎01-28-2016
Kudos: 99
Solutions: 17

Re: USG generating continuous DNS resolver activity

So, when using tcpdump on the USG, you don't see any inbound DNS requests? Only outbound requests to your local resolver?

 

--

Klint

Primary Innovator at Sprocket Technology
UEWA | Contributor to Easy UBNTUFW Lockdown, Companion API | Host on Vultr
New Member
Posts: 6
Registered: ‎11-12-2018

Re: USG generating continuous DNS resolver activity

Exactly.  I see the USG (.254) asking the local resolver(.1) for A and AAAA DNSRR for domains that it sees clients visiting.  

 

23:11:45.945313 IP 192.168.1.254.22886 > 192.168.1.1.53: 26002+ AAAA? foo.com. (36)
23:11:45.945963 IP 192.168.1.254.28327 > 192.168.1.1.53: 20163+ A? foo.com. (36)
23:11:45.946553 IP 192.168.1.1.53 > 192.168.1.254.22886: 26002* 1/0/0 AAAA :: (64)
23:11:45.946981 IP 192.168.1.1.53 > 192.168.1.254.28327: 20163* 1/0/0 A 1.2.3.4 (52)

 

etc.

 

A client on my network resolved and visited that domain, not the USG.  The USG is resolving the domains though.  This USG is the first ubnt gear I've owned, so I'm stumped as to what would make the USG behave this way.  DPI was the only obvious capability that I would think might be the case. 

 

The local resolver is answering two requests for every DNS resolution on my network.  The client, and also the USG.

 

Thanks again for your time!
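
Added example, not part of the original posts: a small parser for saved `tcpdump -n port 53` output that tallies queries per source and lists names the gateway looked up shortly after another host did. The 192.168.1.50 client lines, the function names and the one-second window are assumptions made for illustration; it assumes the capture was taken where both client and gateway queries are visible (the local resolver) and handles IPv4 lines only.

```python
import re
from collections import Counter

# First two lines constructed (hypothetical client .50); last four are from the thread.
SAMPLE = """\
23:11:45.901200 IP 192.168.1.50.51514 > 192.168.1.1.53: 4711+ A? foo.com. (36)
23:11:45.901900 IP 192.168.1.1.53 > 192.168.1.50.51514: 4711* 1/0/0 A 1.2.3.4 (52)
23:11:45.945313 IP 192.168.1.254.22886 > 192.168.1.1.53: 26002+ AAAA? foo.com. (36)
23:11:45.945963 IP 192.168.1.254.28327 > 192.168.1.1.53: 20163+ A? foo.com. (36)
23:11:45.946553 IP 192.168.1.1.53 > 192.168.1.254.22886: 26002* 1/0/0 AAAA :: (64)
23:11:45.946981 IP 192.168.1.1.53 > 192.168.1.254.28327: 20163* 1/0/0 A 1.2.3.4 (52)
"""

# Matches query lines only: destination port 53 and a "TYPE? name." question.
QUERY = re.compile(
    r"^(\d+):(\d+):(\d+\.\d+) IP (\d+\.\d+\.\d+\.\d+)\.\d+ > "
    r"\d+\.\d+\.\d+\.\d+\.53: \d+\S* (?:\[\S+\] )?(\w+)\? (\S+) "
)

def parse_queries(text):
    """Return (seconds, source_ip, qtype, name) for each IPv4 DNS query line."""
    out = []
    for line in text.splitlines():
        m = QUERY.match(line.strip())
        if m:
            h, mi, s, src, qtype, name = m.groups()
            secs = int(h) * 3600 + int(mi) * 60 + float(s)
            out.append((secs, src, qtype, name.lower()))
    return out

def queries_by_source(text):
    """Count DNS queries per source address."""
    return Counter(src for _, src, _, _ in parse_queries(text))

def shadow_lookups(text, gateway, window=1.0):
    """Names the gateway queried within `window` seconds after another host did."""
    queries = parse_queries(text)
    shadowed = set()
    for t_gw, src, _, name in queries:
        if src == gateway and any(
            s != gateway and n == name and 0 <= t_gw - t <= window
            for t, s, _, n in queries
        ):
            shadowed.add(name)
    return sorted(shadowed)

if __name__ == "__main__":
    print(queries_by_source(SAMPLE))
    print(shadow_lookups(SAMPLE, "192.168.1.254"))
```
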

Regular Member
Posts: 498
Registered: ‎01-28-2016
Kudos: 99
Solutions: 17

Re: USG generating continuous DNS resolver activity

Can you attach (not copy and paste) your USG config? Scrub out sensitive info. The command is:

 

show configuration

 

--

Klint

Primary Innovator at Sprocket Technology
UEWA | Contributor to Easy UBNTUFW Lockdown, Companion API | Host on Vultr