Daemon.warn dnsmasq[1]: possible DNS-rebind attack detected

Any ideas about how to investigate that?

	Line  84: Fri Aug 30 10:47:03 2024 daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: dns.msftncsi.com
	Line  97: Fri Aug 30 11:32:34 2024 daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: dns.msftncsi.com
	Line 113: Fri Aug 30 14:46:44 2024 daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: dns.msftncsi.com
	Line 114: Fri Aug 30 14:47:55 2024 daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: dns.msftncsi.com
	Line 115: Fri Aug 30 14:47:55 2024 daemon.warn dnsmasq[2]: possible DNS-rebind attack detected: dns.msftncsi.com
	Line 137: Fri Aug 30 16:15:45 2024 daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: dns.msftncsi.com
	Line 138: Fri Aug 30 16:16:56 2024 daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: dns.msftncsi.com
	Line 139: Fri Aug 30 16:16:56 2024 daemon.warn dnsmasq[5]: possible DNS-rebind attack detected: dns.msftncsi.com
	Line 140: Fri Aug 30 16:16:59 2024 daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: dns.msftncsi.com
	Line 141: Fri Aug 30 16:17:34 2024 daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: dns.msftncsi.com
	Line 142: Fri Aug 30 16:17:43 2024 daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: dns.msftncsi.com
	Line 143: Fri Aug 30 16:18:47 2024 daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: dns.msftncsi.com
	Line 144: Fri Aug 30 16:19:26 2024 daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: dns.msftncsi.com
	Line 145: Fri Aug 30 16:19:35 2024 daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: dns.msftncsi.com
	Line 146: Fri Aug 30 16:20:18 2024 daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: dns.msftncsi.com
	Line 147: Fri Aug 30 16:21:29 2024 daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: dns.msftncsi.com
	Line 148: Fri Aug 30 16:21:29 2024 daemon.warn dnsmasq[6]: possible DNS-rebind attack detected: dns.msftncsi.com
	Line 204: Fri Aug 30 17:47:43 2024 daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: www.google-analytics.com
	Line 221: Fri Aug 30 17:47:58 2024 daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: b.cdnst.net
	Line 222: Fri Aug 30 17:47:58 2024 daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: cdn.ziffstatic.com
	Line 223: Fri Aug 30 17:47:58 2024 daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: www.googletagmanager.com
	Line 224: Fri Aug 30 17:47:58 2024 daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: cdn.static.zdbb.net
	Line 225: Fri Aug 30 17:47:58 2024 daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: www.google-analytics.com
	Line 226: Fri Aug 30 17:47:58 2024 daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: securepubads.g.doubleclick.net
	Line 227: Fri Aug 30 17:47:58 2024 daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: cdn.ampproject.org
	Line 228: Fri Aug 30 17:47:58 2024 daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: pagead2.googlesyndication.com
	Line 229: Fri Aug 30 17:47:58 2024 daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: tpc.googlesyndication.com
	Line 230: Fri Aug 30 17:47:58 2024 daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: static.criteo.net
	Line 231: Fri Aug 30 17:47:58 2024 daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: zdbb.net
	Line 232: Fri Aug 30 17:47:58 2024 daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: fonts.gstatic.com
	Line 233: Fri Aug 30 17:47:58 2024 daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: www.google-analytics.com
	Line 235: Fri Aug 30 17:47:58 2024 daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: btloader.com
	Line 236: Fri Aug 30 17:47:58 2024 daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: diffuser-cdn.app-us1.com
	Line 241: Fri Aug 30 17:48:02 2024 daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: cdn.ziffstatic.com
	Line 242: Fri Aug 30 17:48:02 2024 daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: b.cdnst.net
	Line 243: Fri Aug 30 17:48:02 2024 daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: www.googletagmanager.com

It's a Windows client-side issue.

https://www.snbforums.com/threads/network-flooded-by-dns-msftncsi-com-requests.61155/

You can suppress it at the source. Try

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet
    EnableActiveProbing 1 -> 0

Not sure about the non-msft ones...


Are you using an upstream adblocking DNS service? If it returns 0.0.0.0, it will be considered a rebind attack.


I think this comes up if there's a Windows thin client connecting to remote/work stations. I'm not aware of any attack abusing it, so you can do:

uci add_list dhcp.@dnsmasq[0].rebind_domain='dns.msftncsi.com'
uci commit dhcp
service dnsmasq restart

Everything else I have no idea about, and without any further research it looks very sus. Like @dave14305 said, it warrants a check whether your ISP hijacks your DNS requests, and if they do, use encrypted DNS requests. There are multiple solutions; I'd recommend https-dns-proxy as it requires no configuration after install.


The only problem with dns.msftncsi.com is that it returns a ULA for an AAAA query (fd3e:4f5a:5b81::1). An A query is fine.

I still suspect an upstream blocking service returning 0.0.0.0 instead of NXDOMAIN for the others.


Thank you for your answers.
Perhaps I will share more information about my config - please see the picture attached:

The config on the OpenWrt router where this log comes from is:

root@Router:~# cat /tmp/resolv.conf.d/resolv.conf.auto
# Interface wanLeft
nameserver 192.168.3.1
# Interface wanRight
nameserver 192.168.2.1

And some more info:

In general, everything else works correctly: correct internet communication from the clients to the internet, not a bad throughput (speedtest.net results over 300/100 Mbit/s), processor and memory loads on the router are minimal etc.

There are no adblocking DNS services used.

The wanLeft side is towards one ISP, over the Huawei router with embedded LTE modem, having Huawei proprietary software and default config.
The wanRight side is towards other ISP, over the ZTE router with embedded 5G modem, having ZTE proprietary software and default config.

I'm just curious if perhaps:

  • nothing is wrong - just some false positive, or
  • there is an issue with config of this OpenWRT router, or
  • there is an issue with one/some of the clients on the LAN side, or
  • one of the ISPs is playing some games here, or
  • one of the manufacturers of the "wan" routers is playing some games here?

I'd be curious to see the outcome of these commands on the OpenWrt router:

nslookup www.googletagmanager.com. 192.168.3.1
nslookup www.googletagmanager.com. 192.168.2.1
nslookup www.googletagmanager.com. 127.0.0.1
root@Router:~# nslookup www.googletagmanager.com 192.168.3.1
Server:         192.168.3.1
Address:        192.168.3.1:53

Non-authoritative answer:
Name:   www.googletagmanager.com
Address: 142.250.186.200

Non-authoritative answer:
Name:   www.googletagmanager.com
Address: 2a00:1450:401b:800::2008

root@Router:~# nslookup www.googletagmanager.com 192.168.2.1
Server:         192.168.2.1
Address:        192.168.2.1:53

Non-authoritative answer:
Name:   www.googletagmanager.com
Address: 2a00:1450:401b:805::2008

Non-authoritative answer:
Name:   www.googletagmanager.com
Address: 216.58.215.72

root@Router:~# nslookup www.googletagmanager.com 127.0.0.1
Server:         127.0.0.1
Address:        127.0.0.1:53

Non-authoritative answer:
Name:   www.googletagmanager.com
Address: 142.250.186.200

Non-authoritative answer:
Name:   www.googletagmanager.com
Address: 2a00:1450:401b:800::2008

OK that's definitely weird considering the earlier rebind message for the same domain. I would be suspicious of the upstream DNS then, as stated by others.


Some next observations:
Multiple retries of those commands show the www.googletagmanager.com is resolved to multiple addresses

  • those do change frequently, but it looks like ipinfo.io states all of those belong to the same:
    ASN: AS15169 - Google LLC,
    Company: Google LLC
    (= it sounds like the DNS Load Balancing on the www.googletagmanager.com ...?)

Below is a shortened version for better visibility:

root@Router:~# nslookup www.googletagmanager.com 192.168.3.1
Address: 142.250.186.200
Address: 216.58.208.200
Address: 216.58.209.8
Address: 142.250.203.200

root@Router:~# nslookup www.googletagmanager.com 192.168.2.1
Address: 216.58.215.72
Address: 172.217.16.40

root@Router:~# nslookup www.googletagmanager.com 127.0.0.1
Address: 142.250.186.200
Address: 216.58.208.200
Address: 216.58.209.8
Address: 142.250.203.200
Address: 172.217.16.40

When was the last rebind message?

logread -e "possible DNS-rebind attack detected"

No entries at the moment, because I restarted the router recently.
But there was one entry today (I copied it before the restart):

Sat Aug 31 16:57:06 2024 daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: dns.msftncsi.com

I'm just thinking about cutting off one of the WANs for 24h, then turning it on and cutting off the other one for the next 24h, to see if it makes any difference.

Regarding the issue with dns.msftncsi.com, it looks like you all were right: it looks like the AAAA DNS query/response issue.
The dns.msftncsi.com is queried by Windows 11 laptops. Please see the logs:

Sun Sep  1 12:03:01 2024 daemon.info dnsmasq[1]: 27180 192.168.1.2/51972 query[A] dns.msftncsi.com from 192.168.1.2
Sun Sep  1 12:03:01 2024 daemon.info dnsmasq[1]: 27180 192.168.1.2/51972 forwarded dns.msftncsi.com to 8.8.8.8
Sun Sep  1 12:03:01 2024 daemon.info dnsmasq[1]: 27180 192.168.1.2/51972 reply dns.msftncsi.com is 131.107.255.255
Sun Sep  1 12:03:01 2024 daemon.info dnsmasq[1]: 27181 192.168.1.3/51805 query[A] dns.msftncsi.com from 192.168.1.3
Sun Sep  1 12:03:01 2024 daemon.info dnsmasq[1]: 27181 192.168.1.3/51805 cached dns.msftncsi.com is 131.107.255.255

Sun Sep  1 12:03:37 2024 daemon.info dnsmasq[1]: 27268 192.168.1.2/59136 query[AAAA] dns.msftncsi.com from 192.168.1.2
Sun Sep  1 12:03:37 2024 daemon.info dnsmasq[1]: 27268 192.168.1.2/59136 forwarded dns.msftncsi.com to 8.8.8.8
Sun Sep  1 12:03:37 2024 daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: dns.msftncsi.com
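As an added example (not code from the thread or from dnsmasq itself), here is the check dnsmasq's rebind protection applies to upstream answers, reimplemented in Python, plus a correlator that ties each "possible DNS-rebind attack detected" line back to the query type, client and upstream of the query it belongs to. The address ranges approximate the private_net()/private_net6() tests in dnsmasq's rfc1035.c as I read them, and the `localhost_ok` flag stands in for `rebind-localhost-ok` (OpenWrt option `rebind_localhost`); both are assumptions to verify against the dnsmasq version in use. The first six sample log lines mirror the excerpt above; the last three are constructed.

```python
"""Rebind classification and warning attribution for dnsmasq log-queries output.

Added example, not code from the thread. The address ranges approximate the
private_net()/private_net6() tests in dnsmasq's rfc1035.c (assumption: check
against the dnsmasq version you run). localhost_ok stands in for the
rebind-localhost-ok option (OpenWrt: rebind_localhost).
"""
import ipaddress
import re

# Ranges refused only when rebind-localhost-ok is NOT set.
_V4_LOCALHOST = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "0.0.0.0/8")]
# Ranges refused whenever stop-dns-rebind is active (OpenWrt: rebind_protection).
_V4_PRIVATE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]
# dnsmasq tests link-local, site-local and the fd00::/8 half of ULA (assumption).
_V6_PRIVATE = [ipaddress.ip_network(n) for n in ("fe80::/10", "fec0::/10", "fd00::/8")]


def is_rebind_answer(addr: str, localhost_ok: bool = False) -> bool:
    """True if an A/AAAA answer from an upstream would be refused by dnsmasq."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address):
        if ip.ipv4_mapped is not None:           # ::ffff:a.b.c.d is judged as IPv4
            return is_rebind_answer(str(ip.ipv4_mapped), localhost_ok)
        if ip.is_loopback or ip.is_unspecified:  # ::1 and ::
            return not localhost_ok
        return any(ip in net for net in _V6_PRIVATE)
    if any(ip in net for net in _V4_LOCALHOST):
        return not localhost_ok
    return any(ip in net for net in _V4_PRIVATE)


_QUERY = re.compile(r"dnsmasq\[\d+\]: (\d+) \S+ query\[(\w+)\] (\S+) from (\S+)")
_FORWARD = re.compile(r"dnsmasq\[\d+\]: (\d+) \S+ forwarded (\S+) to (\S+)")
_REBIND = re.compile(r"dnsmasq\[\d+\]: possible DNS-rebind attack detected: (\S+)")


def attribute_rebind_warnings(lines):
    """Tie each rebind warning to the most recently forwarded query for that
    name. dnsmasq logs the warning in place of the 'reply ... is' line, so the
    refused address is not in the log; the upstream(s) it came from are."""
    inflight = {}   # query id -> details of the query
    latest = {}     # name -> id of the query for that name forwarded most recently
    findings = []
    for line in lines:
        if m := _QUERY.search(line):
            qid, qtype, name, client = m.groups()
            inflight[qid] = {"name": name, "qtype": qtype, "client": client, "servers": []}
        elif m := _FORWARD.search(line):
            qid, name, server = m.groups()
            if qid in inflight:
                inflight[qid]["servers"].append(server)
                latest[name] = qid
        elif m := _REBIND.search(line):
            name = m.group(1)
            q = inflight.get(latest.get(name))
            findings.append({
                "name": name,
                "qtype": q["qtype"] if q else None,
                "client": q["client"] if q else None,
                "servers": sorted(set(q["servers"])) if q else [],
            })
    return findings


# First six lines mirror the excerpt in the thread; the last three are constructed
# to show a warning that would be attributed to a WAN router's own resolver.
SAMPLE_LOG = """\
Sun Sep  1 12:03:01 2024 daemon.info dnsmasq[1]: 27180 192.168.1.2/51972 query[A] dns.msftncsi.com from 192.168.1.2
Sun Sep  1 12:03:01 2024 daemon.info dnsmasq[1]: 27180 192.168.1.2/51972 forwarded dns.msftncsi.com to 8.8.8.8
Sun Sep  1 12:03:01 2024 daemon.info dnsmasq[1]: 27180 192.168.1.2/51972 reply dns.msftncsi.com is 131.107.255.255
Sun Sep  1 12:03:37 2024 daemon.info dnsmasq[1]: 27268 192.168.1.2/59136 query[AAAA] dns.msftncsi.com from 192.168.1.2
Sun Sep  1 12:03:37 2024 daemon.info dnsmasq[1]: 27268 192.168.1.2/59136 forwarded dns.msftncsi.com to 8.8.8.8
Sun Sep  1 12:03:37 2024 daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: dns.msftncsi.com
Sun Sep  1 12:04:02 2024 daemon.info dnsmasq[1]: 27301 192.168.1.5/40111 query[A] ads.example.test from 192.168.1.5
Sun Sep  1 12:04:02 2024 daemon.info dnsmasq[1]: 27301 192.168.1.5/40111 forwarded ads.example.test to 192.168.2.1
Sun Sep  1 12:04:02 2024 daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: ads.example.test
"""

if __name__ == "__main__":
    for a in ("131.107.255.255", "fd3e:4f5a:5b81::1", "0.0.0.0", "142.250.186.200"):
        print(f"{a:>22}  refused={is_rebind_answer(a)}")
    for f in attribute_rebind_warnings(SAMPLE_LOG.splitlines()):
        print(f"{f['name']}: {f['qtype']} query from {f['client']} via {', '.join(f['servers'])}")
```

Because dnsmasq drops the offending reply, the refused address never reaches the log; the correlator therefore reports which upstream(s) the query was forwarded to, which is what you then query directly (for example `nslookup -type=AAAA dns.msftncsi.com 8.8.8.8`) to see the answer for yourself. Of the addresses discussed above, 0.0.0.0 and fd3e:4f5a:5b81::1 both classify as rebind answers, while the 131.107.255.255 A answer does not, which matches the warnings appearing only on the AAAA query.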

I have some more data now.

So yesterday evening I turned off the wanRight connection (physically unplugged the cable),
so the entire internet connectivity goes through the wanLeft only,
and this is what I saw today:

from
Sun Sep 1 05:13:11
to
Sun Sep 1 05:13:27 - there were multiple pings lost

then

Sun Sep  1 05:13:27 2024 user.notice mwan3track[1935]: Interface wanLeft (lan1) is offline
Sun Sep  1 05:13:27 2024 user.notice mwan3-hotplug[5698]: Execute disconnected event on interface wanLeft (lan1)

Sun Sep  1 05:34:19 2024 daemon.warn dnsmasq[1]: Maximum number of concurrent DNS queries reached (max: 150)
Sun Sep  1 05:43:03 2024 daemon.warn dnsmasq[1]: Maximum number of concurrent DNS queries reached (max: 150)
Sun Sep  1 05:50:44 2024 daemon.warn dnsmasq[1]: Maximum number of concurrent DNS queries reached (max: 150)
Sun Sep  1 06:10:29 2024 daemon.warn dnsmasq[1]: Maximum number of concurrent DNS queries reached (max: 150)
Sun Sep  1 06:18:23 2024 daemon.warn dnsmasq[1]: Maximum number of concurrent DNS queries reached (max: 150)
Sun Sep  1 06:28:47 2024 daemon.warn dnsmasq[1]: Maximum number of concurrent DNS queries reached (max: 150)
Sun Sep  1 06:33:47 2024 daemon.warn dnsmasq[1]: Maximum number of concurrent DNS queries reached (max: 150)
Sun Sep  1 06:37:17 2024 daemon.warn dnsmasq[1]: Maximum number of concurrent DNS queries reached (max: 150)
Sun Sep  1 06:45:59 2024 daemon.warn dnsmasq[1]: Maximum number of concurrent DNS queries reached (max: 150)
Sun Sep  1 06:56:11 2024 daemon.warn dnsmasq[1]: Maximum number of concurrent DNS queries reached (max: 150)
Sun Sep  1 07:04:52 2024 daemon.warn dnsmasq[1]: Maximum number of concurrent DNS queries reached (max: 150)
Sun Sep  1 07:14:56 2024 daemon.warn dnsmasq[1]: Maximum number of concurrent DNS queries reached (max: 150)
Sun Sep  1 07:23:15 2024 daemon.warn dnsmasq[1]: Maximum number of concurrent DNS queries reached (max: 150)
Sun Sep  1 07:31:15 2024 daemon.warn dnsmasq[1]: Maximum number of concurrent DNS queries reached (max: 150)
Sun Sep  1 07:41:07 2024 daemon.warn dnsmasq[1]: Maximum number of concurrent DNS queries reached (max: 150)
Sun Sep  1 07:51:46 2024 daemon.warn dnsmasq[1]: Maximum number of concurrent DNS queries reached (max: 150)
Sun Sep  1 07:58:47 2024 daemon.warn dnsmasq[1]: Maximum number of concurrent DNS queries reached (max: 150)
Sun Sep  1 08:08:48 2024 daemon.warn dnsmasq[1]: Maximum number of concurrent DNS queries reached (max: 150)
Sun Sep  1 08:26:09 2024 daemon.warn dnsmasq[1]: Maximum number of concurrent DNS queries reached (max: 150)
Sun Sep  1 08:35:16 2024 daemon.warn dnsmasq[1]: Maximum number of concurrent DNS queries reached (max: 150)
Sun Sep  1 08:44:26 2024 daemon.warn dnsmasq[1]: Maximum number of concurrent DNS queries reached (max: 150)
Sun Sep  1 08:53:41 2024 daemon.warn dnsmasq[1]: Maximum number of concurrent DNS queries reached (max: 150)
Sun Sep  1 09:03:55 2024 daemon.warn dnsmasq[1]: Maximum number of concurrent DNS queries reached (max: 150)
Sun Sep  1 09:11:17 2024 daemon.warn dnsmasq[1]: Maximum number of concurrent DNS queries reached (max: 150)
Sun Sep  1 09:20:50 2024 daemon.warn dnsmasq[1]: Maximum number of concurrent DNS queries reached (max: 150)
Sun Sep  1 09:38:27 2024 daemon.warn dnsmasq[1]: Maximum number of concurrent DNS queries reached (max: 150)
Sun Sep  1 09:48:57 2024 daemon.warn dnsmasq[1]: Maximum number of concurrent DNS queries reached (max: 150)

then

Sun Sep 1 10:07:30 - I turned on the Windows 11 laptop

MultiWAN Manager reported both wan interfaces are down, there was no internet connectivity available.

I didn't touch the non-OpenWRT wan router,
but I restarted the wanLeft interface on the OpenWRT router,
and internet connectivity came back.

Some dns.msftncsi.com just appeared, but we already know where those come from:

Sun Sep  1 10:23:15 2024 daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: dns.msftncsi.com
Sun Sep  1 10:23:50 2024 daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: dns.msftncsi.com
Sun Sep  1 10:25:01 2024 daemon.warn dnsmasq[1]: possible DNS-rebind attack detected: dns.msftncsi.com
Sun Sep  1 10:25:01 2024 daemon.warn dnsmasq[3]: possible DNS-rebind attack detected: dns.msftncsi.com

As those messages "Maximum number of concurrent DNS queries reached" - worried me a little, I turned on logging of the DNS queries:

uci set dhcp.@dnsmasq[0].logqueries='1'
uci commit dhcp
/etc/init.d/dnsmasq restart

And I checked the logs to see what are the DNS queries:

  1. With both WANs turned off: the total amount of DNS queries is quite constant and around 8 queries per second.
    But it looks like there is nothing suspicious there, only the probing of the genuine sites of the manufacturers of the devices which are in the network.

  2. Just after turning on the wanLeft, with no one actively browsing the internet but one laptop turned on,
    the amount of DNS queries per second, in the consecutive seconds are:
    13, 12, 6, 2, 8, 1, 2, 18, 9, 6, 0, 0, 0, 7, 0, 0, 0, 5, 13, 0, 0, 1, 0, 18, 20, 4, 8, 0, 0, 0, 0, 11, 9, 0, 0, 0, 0, 0, 0, 0, 0
    and after some time: much less than 1 query per second on average

So it doesn't look like too many of those DNS queries…


Just some additional information:

There are also no "unknown" or otherwise "suspicious" devices connected to the LAN network.

My firewall settings - both "general" and "wan" - are:
input-reject, output-accept, forward-reject.

There are no Port Forwards.

There are a few Traffic Rules related to wan, which I guess came from the default config of the OpenWRT, but none of them related to port 53.
Those are like:
"incoming IPv4, protocol IGMP, from wan, to this device - accept input",
"incoming IPv4, protocol UDP from wan, to this device, port 68 - accept input".


If the upstream DNS servers are slow or non-responsive, it wouldn’t take long for dnsmasq to “accumulate” 150 unanswered queries that it’s trying to manage. Fixing the upstream servers is usually the answer in these situations.


I carefully analyzed the logs. I found also some other abnormalities:

  • sometimes the router is forwarding the DNS query to a single DNS server 8.8.8.8, but sometimes the router sends that to all the DNS servers configured (8.8.8.8, 8.8.4.4, 208.67.222.222, 208.67.220.220) multiple times in a row
  • sometimes the responses are NODATA or NODATA-IPv6 or CNAME (the last one in: <>)

Visible here:

Sun Sep  1 12:03:56 2024 daemon.info dnsmasq[1]: 27288 192.168.1.2/50683 query[A] github.com from 192.168.1.2
Sun Sep  1 12:03:56 2024 daemon.info dnsmasq[1]: 27288 192.168.1.2/50683 forwarded github.com to 8.8.8.8
Sun Sep  1 12:03:56 2024 daemon.info dnsmasq[1]: 27289 192.168.1.2/61821 query[HTTPS] github.com from 192.168.1.2
Sun Sep  1 12:03:56 2024 daemon.info dnsmasq[1]: 27289 192.168.1.2/61821 forwarded github.com to 8.8.8.8
Sun Sep  1 12:03:56 2024 daemon.info dnsmasq[1]: 27290 192.168.1.2/59090 query[HTTPS] openwrt.org from 192.168.1.2
Sun Sep  1 12:03:56 2024 daemon.info dnsmasq[1]: 27290 192.168.1.2/59090 forwarded openwrt.org to 8.8.8.8
Sun Sep  1 12:03:56 2024 daemon.info dnsmasq[1]: 27290 192.168.1.2/59090 forwarded openwrt.org to 8.8.4.4
Sun Sep  1 12:03:56 2024 daemon.info dnsmasq[1]: 27290 192.168.1.2/59090 forwarded openwrt.org to 208.67.222.222
Sun Sep  1 12:03:56 2024 daemon.info dnsmasq[1]: 27290 192.168.1.2/59090 forwarded openwrt.org to 208.67.220.220
Sun Sep  1 12:03:56 2024 daemon.info dnsmasq[1]: 27290 192.168.1.2/59090 forwarded openwrt.org to 8.8.8.8
Sun Sep  1 12:03:56 2024 daemon.info dnsmasq[1]: 27290 192.168.1.2/59090 forwarded openwrt.org to 8.8.4.4
Sun Sep  1 12:03:56 2024 daemon.info dnsmasq[1]: 27290 192.168.1.2/59090 forwarded openwrt.org to 208.67.222.222
Sun Sep  1 12:03:56 2024 daemon.info dnsmasq[1]: 27290 192.168.1.2/59090 forwarded openwrt.org to 208.67.220.220
Sun Sep  1 12:03:56 2024 daemon.info dnsmasq[1]: 27291 192.168.1.2/50683 query[A] github.com from 192.168.1.2
Sun Sep  1 12:03:56 2024 daemon.info dnsmasq[1]: 27291 192.168.1.2/50683 forwarded github.com to 8.8.8.8
Sun Sep  1 12:03:56 2024 daemon.info dnsmasq[1]: 27291 192.168.1.2/50683 forwarded github.com to 8.8.4.4
Sun Sep  1 12:03:56 2024 daemon.info dnsmasq[1]: 27291 192.168.1.2/50683 forwarded github.com to 208.67.222.222
Sun Sep  1 12:03:56 2024 daemon.info dnsmasq[1]: 27291 192.168.1.2/50683 forwarded github.com to 208.67.220.220
Sun Sep  1 12:03:56 2024 daemon.info dnsmasq[1]: 27291 192.168.1.2/50683 forwarded github.com to 8.8.8.8
Sun Sep  1 12:03:56 2024 daemon.info dnsmasq[1]: 27291 192.168.1.2/50683 forwarded github.com to 8.8.4.4
Sun Sep  1 12:03:56 2024 daemon.info dnsmasq[1]: 27291 192.168.1.2/50683 forwarded github.com to 208.67.222.222
Sun Sep  1 12:03:56 2024 daemon.info dnsmasq[1]: 27291 192.168.1.2/50683 forwarded github.com to 208.67.220.220
Sun Sep  1 12:03:56 2024 daemon.info dnsmasq[1]: 27292 192.168.1.2/61821 query[HTTPS] github.com from 192.168.1.2
Sun Sep  1 12:03:56 2024 daemon.info dnsmasq[1]: 27292 192.168.1.2/61821 forwarded github.com to 8.8.8.8
Sun Sep  1 12:03:56 2024 daemon.info dnsmasq[1]: 27292 192.168.1.2/61821 forwarded github.com to 8.8.4.4
Sun Sep  1 12:03:56 2024 daemon.info dnsmasq[1]: 27292 192.168.1.2/61821 forwarded github.com to 208.67.222.222
Sun Sep  1 12:03:56 2024 daemon.info dnsmasq[1]: 27292 192.168.1.2/61821 forwarded github.com to 208.67.220.220
Sun Sep  1 12:03:56 2024 daemon.info dnsmasq[1]: 27292 192.168.1.2/61821 forwarded github.com to 8.8.8.8
Sun Sep  1 12:03:56 2024 daemon.info dnsmasq[1]: 27292 192.168.1.2/61821 forwarded github.com to 8.8.4.4
Sun Sep  1 12:03:56 2024 daemon.info dnsmasq[1]: 27292 192.168.1.2/61821 forwarded github.com to 208.67.222.222
Sun Sep  1 12:03:56 2024 daemon.info dnsmasq[1]: 27292 192.168.1.2/61821 forwarded github.com to 208.67.220.220
Sun Sep  1 12:03:56 2024 daemon.info dnsmasq[1]: 27290 192.168.1.2/59090 reply openwrt.org is NODATA
Sun Sep  1 12:03:56 2024 daemon.info dnsmasq[1]: 27292 192.168.1.2/61821 reply github.com is NODATA
Sun Sep  1 12:03:56 2024 daemon.info dnsmasq[1]: 27291 192.168.1.2/50683 reply github.com is 140.82.121.3
Sun Sep  1 12:03:56 2024 daemon.info dnsmasq[1]: 27293 192.168.1.2/63793 query[A] github.com from 192.168.1.2
Sun Sep  1 12:03:56 2024 daemon.info dnsmasq[1]: 27293 192.168.1.2/63793 cached github.com is 140.82.121.3
Sun Sep  1 12:03:56 2024 daemon.info dnsmasq[1]: 27294 192.168.1.2/63793 query[AAAA] github.com from 192.168.1.2
Sun Sep  1 12:03:56 2024 daemon.info dnsmasq[1]: 27294 192.168.1.2/63793 cached github.com is NODATA-IPv6
  • it looks like sometimes there are more replies than queries being sent
  • sometimes there is "reply query is duplicate" in the logs

Visible here:

Sun Sep  1 12:02:56 2024 daemon.info dnsmasq[1]: 27175 127.0.0.1/40498 query[A] 1.openwrt.pool.ntp.org from 127.0.0.1
Sun Sep  1 12:02:56 2024 daemon.info dnsmasq[1]: 27175 127.0.0.1/40498 forwarded 1.openwrt.pool.ntp.org to 8.8.8.8
Sun Sep  1 12:02:56 2024 daemon.info dnsmasq[1]: 27176 ::1/40498 query[A] 1.openwrt.pool.ntp.org from ::1
Sun Sep  1 12:02:56 2024 daemon.info dnsmasq[1]: 27177 127.0.0.1/40498 query[AAAA] 1.openwrt.pool.ntp.org from 127.0.0.1
Sun Sep  1 12:02:56 2024 daemon.info dnsmasq[1]: 27177 127.0.0.1/40498 forwarded 1.openwrt.pool.ntp.org to 8.8.8.8
Sun Sep  1 12:02:56 2024 daemon.info dnsmasq[1]: 27178 ::1/40498 query[AAAA] 1.openwrt.pool.ntp.org from ::1
Sun Sep  1 12:02:57 2024 daemon.info dnsmasq[1]: 27175 127.0.0.1/40498 reply 1.openwrt.pool.ntp.org is 89.250.197.242
Sun Sep  1 12:02:57 2024 daemon.info dnsmasq[1]: 27175 127.0.0.1/40498 reply 1.openwrt.pool.ntp.org is 195.46.37.22
Sun Sep  1 12:02:57 2024 daemon.info dnsmasq[1]: 27175 127.0.0.1/40498 reply 1.openwrt.pool.ntp.org is 85.115.212.254
Sun Sep  1 12:02:57 2024 daemon.info dnsmasq[1]: 27175 127.0.0.1/40498 reply 1.openwrt.pool.ntp.org is 213.135.57.60
Sun Sep  1 12:02:57 2024 daemon.info dnsmasq[1]: 27176 ::1/40498 reply query is duplicate
Sun Sep  1 12:02:57 2024 daemon.info dnsmasq[1]: 27177 127.0.0.1/40498 reply 1.openwrt.pool.ntp.org is NODATA-IPv6
Sun Sep  1 12:02:57 2024 daemon.info dnsmasq[1]: 27178 ::1/40498 reply query is duplicate

I am wondering if perhaps especially this:
"sometimes the router sends that to all the DNS servers configured multiple times in a row"
may be a result of just a poor stability of the network connection of the ISP on the wanLeft side... ?

dnsmasq will query all configured servers every 50 queries or every 20 seconds to test speed and availability.
https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=blob;f=src/config.h;hb=ed96efd865132dd9aa256c7873c6cdd5e985ee23#l27
What servers are listed in the resolv.conf.auto now?


At the moment "wanRight" is disconnected (cable unplugged) and "wanLeft" is connected.
All the resolv.conf files are:

root@Router:~# cat /tmp/resolv.conf.d/resolv.conf.auto
# Interface wanLeft
nameserver 8.8.8.8
nameserver 8.8.4.4
nameserver 208.67.222.222
nameserver 208.67.220.220
# Interface wanRight
nameserver 8.8.8.8
nameserver 8.8.4.4
nameserver 208.67.222.222
nameserver 208.67.220.220
root@Router:~#

root@Router:~# cat /tmp/resolv.conf
search lan
nameserver 127.0.0.1
nameserver ::1

root@Router:~# cat /etc/resolv.conf
search lan
nameserver 127.0.0.1
nameserver ::1

root@Router:~# cat /rom/etc/resolv.conf
search lan
nameserver 127.0.0.1
nameserver ::1

Since both WANs are providing the same DNS servers to dnsmasq, that is why the “double forwarding” appears.
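As an added example (not from the thread), the following Python measures from `log-queries` output how many upstreams each query was forwarded to, how often the same upstream received the same query twice (what two WAN interfaces handing dnsmasq identical server lists produces), which queries went to every configured server (the periodic all-servers probe noted above), and the peak number of queries open at once, which is the figure dnsmasq compares against `dns-forward-max` (default 150, OpenWrt option `dnsforwardmax`) before logging "Maximum number of concurrent DNS queries reached". The sample log is constructed in the format used in this thread and mirrors the openwrt.org/github.com excerpt, with one "reply query is duplicate" line added.

```python
"""Forwarding fan-out and in-flight query count from dnsmasq log-queries output.

Added example, not code from the thread. The log line format follows the
excerpts in the thread; the sample itself is constructed.
"""
import re
from collections import Counter

_REC = re.compile(
    r"dnsmasq\[\d+\]: (?P<id>\d+) \S+ (?P<verb>query\[\w+\]|forwarded|reply|cached) "
    r"(?P<name>\S+)(?: to (?P<server>\S+))?")


def analyse_forwarding(lines, forward_max=150):
    """Summarise how queries were forwarded and how many were open at once.

    forward_max is dnsmasq's dns-forward-max (OpenWrt: dnsforwardmax), 150 by
    default; the 'Maximum number of concurrent DNS queries reached' warning
    fires when that many forwarded queries are still unanswered.
    """
    forwards = {}       # query id -> upstreams it was sent to, in order
    open_ids = set()    # ids with a query logged but no reply/cached line yet
    peak = 0
    for line in lines:
        m = _REC.search(line)
        if not m:
            continue                # e.g. the rebind warning, which carries no id
        qid, verb = m["id"], m["verb"]
        if verb.startswith("query"):
            forwards.setdefault(qid, [])
            open_ids.add(qid)
            peak = max(peak, len(open_ids))
        elif verb == "forwarded":
            forwards.setdefault(qid, []).append(m["server"])
        else:                       # 'reply' or 'cached' closes the query
            open_ids.discard(qid)
    servers = sorted({s for sent in forwards.values() for s in sent})
    # Same query sent to the same upstream more than once: what duplicate
    # nameserver entries in resolv.conf.auto produce.
    duplicate_sends = sum(n - 1 for sent in forwards.values() for n in Counter(sent).values())
    # Queries that went to every known upstream: dnsmasq's periodic all-server probe.
    all_servers = sorted(qid for qid, sent in forwards.items() if sent and set(sent) == set(servers))
    return {
        "servers": servers,
        "fanout": {qid: len(sent) for qid, sent in forwards.items()},
        "duplicate_sends": duplicate_sends,
        "queried_all_servers": all_servers,
        "peak_open": peak,
        "still_open": sorted(open_ids),
        "hit_forward_max": peak >= forward_max,
    }


# Constructed sample in the thread's log format; mirrors the openwrt.org/github.com excerpt.
SAMPLE_LOG = """\
Sun Sep  1 12:03:56 2024 daemon.info dnsmasq[1]: 27288 192.168.1.2/50683 query[A] github.com from 192.168.1.2
Sun Sep  1 12:03:56 2024 daemon.info dnsmasq[1]: 27288 192.168.1.2/50683 forwarded github.com to 8.8.8.8
Sun Sep  1 12:03:56 2024 daemon.info dnsmasq[1]: 27290 192.168.1.2/59090 query[HTTPS] openwrt.org from 192.168.1.2
Sun Sep  1 12:03:56 2024 daemon.info dnsmasq[1]: 27290 192.168.1.2/59090 forwarded openwrt.org to 8.8.8.8
Sun Sep  1 12:03:56 2024 daemon.info dnsmasq[1]: 27290 192.168.1.2/59090 forwarded openwrt.org to 8.8.4.4
Sun Sep  1 12:03:56 2024 daemon.info dnsmasq[1]: 27290 192.168.1.2/59090 forwarded openwrt.org to 208.67.222.222
Sun Sep  1 12:03:56 2024 daemon.info dnsmasq[1]: 27290 192.168.1.2/59090 forwarded openwrt.org to 208.67.220.220
Sun Sep  1 12:03:56 2024 daemon.info dnsmasq[1]: 27290 192.168.1.2/59090 forwarded openwrt.org to 8.8.8.8
Sun Sep  1 12:03:56 2024 daemon.info dnsmasq[1]: 27290 192.168.1.2/59090 forwarded openwrt.org to 8.8.4.4
Sun Sep  1 12:03:56 2024 daemon.info dnsmasq[1]: 27290 192.168.1.2/59090 forwarded openwrt.org to 208.67.222.222
Sun Sep  1 12:03:56 2024 daemon.info dnsmasq[1]: 27290 192.168.1.2/59090 forwarded openwrt.org to 208.67.220.220
Sun Sep  1 12:03:56 2024 daemon.info dnsmasq[1]: 27290 192.168.1.2/59090 reply openwrt.org is NODATA
Sun Sep  1 12:03:56 2024 daemon.info dnsmasq[1]: 27288 192.168.1.2/50683 reply github.com is 140.82.121.3
Sun Sep  1 12:03:56 2024 daemon.info dnsmasq[1]: 27293 192.168.1.2/63793 query[A] github.com from 192.168.1.2
Sun Sep  1 12:03:56 2024 daemon.info dnsmasq[1]: 27293 192.168.1.2/63793 cached github.com is 140.82.121.3
Sun Sep  1 12:03:57 2024 daemon.info dnsmasq[1]: 27176 ::1/40498 query[A] 1.openwrt.pool.ntp.org from ::1
Sun Sep  1 12:03:57 2024 daemon.info dnsmasq[1]: 27176 ::1/40498 reply query is duplicate
"""

if __name__ == "__main__":
    report = analyse_forwarding(SAMPLE_LOG.splitlines())
    for key, value in report.items():
        print(f"{key:>20}: {value}")
```

Run it against `logread` output (`logread | python3 dnsfwd.py` with a small `sys.stdin` wrapper, or paste the lines into `SAMPLE_LOG`) while the link is flapping: a rising `peak_open` with a growing `still_open` list means upstreams are not answering and the 150 limit is approaching, whereas a high `duplicate_sends` with `peak_open` staying low is just the doubled server list and costs bandwidth, not availability. The fan-out counter alone cannot tell the periodic all-servers probe apart from the `all-servers` option; for that, check `/etc/config/dhcp` for `allservers`.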