11-12-2018 07:56 PM
I've got a USG generating constant (2/sec) A / AAAA requests. I assumed it might be the DPI as it's related to the traffic the clients behind the USG are generating so disabled it, but found it persisted. Has anyone seen this behavior before? Advice appreciated.
11-12-2018 08:08 PM
Can you log into the console of the USG via SSH and do a tcpdump? See here for more details on how to do that:
A command like this should get you started:
sudo tcpdump -i eth0 -n port 53
You'll probably want to run the command on all of your interfaces to pinpoint where the requests are coming from. Just change the eth0 to whatever interface you want to check. You can see a list of interfaces with the following command:
Post back what you find!
11-12-2018 08:17 PM
11-12-2018 08:36 PM
11-12-2018 08:46 PM - edited 11-12-2018 08:48 PM
Exactly. I see the USG (.254) asking the local resolver (.1) for A and AAAA DNSRR for domains that it sees clients visiting.
23:11:45.945313 IP 192.168.1.254.22886 > 192.168.1.1.53: 26002+ AAAA? foo.com. (36)
23:11:45.945963 IP 192.168.1.254.28327 > 192.168.1.1.53: 20163+ A? foo.com. (36)
23:11:45.946553 IP 192.168.1.1.53 > 192.168.1.254.22886: 26002* 1/0/0 AAAA :: (64)
23:11:45.946981 IP 192.168.1.1.53 > 192.168.1.254.28327: 20163* 1/0/0 A 184.108.40.206 (52)
A client on my network resolved and visited that domain, not the USG. The USG is resolving the domains though. This USG is the first ubnt gear I've owned, so I'm stumped as to what would make the USG behave this way. DPI was the only obvious capability that I would think might be the case.
The local resolver is answering two requests for every DNS resolution on my network. The client, and also the USG.
Thanks again for your time!
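Added example, not part of the original thread: a small Python script that tallies the queries in saved `tcpdump -n port 53` output per source address and lists names asked for by more than one host, which is the duplication described in the post above. The sample lines are constructed in the format shown in that post; the client address 192.168.1.50 and the name bar.example are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample capture (client 192.168.1.50 and bar.example are made up).
SAMPLE = """\
23:11:45.930101 IP 192.168.1.50.51544 > 192.168.1.1.53: 4412+ A? foo.com. (36)
23:11:45.945313 IP 192.168.1.254.22886 > 192.168.1.1.53: 26002+ AAAA? foo.com. (36)
23:11:45.945963 IP 192.168.1.254.28327 > 192.168.1.1.53: 20163+ A? foo.com. (36)
23:11:45.946553 IP 192.168.1.1.53 > 192.168.1.254.22886: 26002* 1/0/0 AAAA :: (64)
23:11:47.930101 IP 192.168.1.254.30001 > 192.168.1.1.53: 911+ A? bar.example. (40)
"""

# Matches query lines only: destination port 53 and a "TYPE? name" question.
QUERY = re.compile(
    r"^(\d\d):(\d\d):(\d\d\.\d+) IP6? (\S+)\.\d+ > \S+\.53: "
    r"\d+\S* (?:\[[^\]]*\] )?([A-Z0-9]+)\? (\S+) \(\d+\)$"
)

def parse_queries(text):
    """Return (seconds_since_midnight, source, qtype, name) for each query."""
    out = []
    for line in text.splitlines():
        m = QUERY.match(line.strip())
        if m:
            h, mi, s, src, qtype, name = m.groups()
            out.append((int(h) * 3600 + int(mi) * 60 + float(s), src, qtype, name))
    return out

def per_source(queries):
    """Map source -> (query count, queries per second over the capture window)."""
    counts = Counter(src for _, src, _, _ in queries)
    times = [t for t, *_ in queries]
    window = max(max(times) - min(times), 1.0) if times else 1.0
    return {src: (n, round(n / window, 2)) for src, n in counts.items()}

def repeated_names(queries):
    """Return (name, qtype) pairs that more than one source asked for."""
    seen = defaultdict(set)
    for _, src, qtype, name in queries:
        seen[(name, qtype)].add(src)
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}

if __name__ == "__main__":
    q = parse_queries(SAMPLE)
    for src, (n, rate) in sorted(per_source(q).items()):
        print(f"{src}: {n} queries, {rate}/sec")
    for (name, qtype), srcs in repeated_names(q).items():
        print(f"{qtype} {name} asked by {', '.join(srcs)}")
```

To use it on a real capture, save the tcpdump output to a file and pass the file's contents to parse_queries() in place of SAMPLE.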
11-12-2018 09:21 PM