AC66U on .45 Maximum number of dns queries reached (150)

[MrLawliet]

AC66U on .45 Maximum number of dns queries reached (150) [SOLVED]

Hey Merlin,

I've swapped in a brand new AC66U with 376.45 firmware and it worked solid for about 20 hours and then I got this from dnsmasq:

Maximum number of concurrent DNS queries reached (max: 150)

We have less devices than ever at this office since we are on a ramp-down so I can't imagine us hitting limits and I didn't receive this error in any prior firmware.

Any advice for what it may be or how to diagnose further? Network configuration hasn't changed since I swapped this one in.

Edit: Marked as solved in case anyone else searches for this error. Read the thread to get your answer.

 

[MrLawliet]

Forgot to mention, when it happens, router seems to stop all WAN access until rebooted.

DNS is done by a local server, DHCP by the router, and it is doing Forward local domain queries to upstream DNS since we have a local domain.

 

[Grump]

150 concurrent DNS queries seems a bit high. DNS queries should be quick and done with, and then cached to prevent future queries. This could be a DNS amplification attack coming from your network, so I'd be looking at your network traffic to find one if it exists. (your upstream bandwidth in the traffic monitor is a good indication)

Otherwise, enable the jffs partition and telnet/ssh and create this file; /jffs/configs/dnsmasq.conf.add
Add this line
-dns-forward-max=1000

And reboot the router.

 

[MrLawliet]

Thanks for the IP traffic info

Any advice on how to go about locating the attacker?

 

[MrLawliet]

Added the command as you suggested, seeing this:

Dec 31 19:00:15 dnsmasq[347]: bad option at line 29 of /etc/dnsmasq.conf
Dec 31 19:00:15 dnsmasq[347]: FAILED to start up

 

[MrLawliet]

Okay figured out the dnsmasq error on line 28, apparently I wasn't supposed to do the first - in the command you gave.

Waiting to see if it still drops.

 

[Grump]

Thanks for the IP traffic info

Any advice on how to go about locating the attacker?

If your upstream traffic is pretty maxed out, you have a problem. Don't allow recursive DNS lookups from the internet, authoritative only. If you can "nslookup google.com 1.2.3.4" (where 1.2.3.4 is your public WAN IP) from a computer outside your network (on the internet), then your DNS server and/or firewall is configured incorrectly.

 

[MrLawliet]

Thanks for trying to help me out with this!

I did check whether lookups from internet work, they don't, so at least I know its not that. I tried turning off the VPN to see if an external client was causing some problems but that didn't affect anything.

Raising the limit to 1000 seems to have helped, I also took down our SmoothSec IDS vm as it was freaking out, I'm wondering if its sensor was causing issues.

Wish the router would give more info.

 

[Grump]

Maybe "netstat -u -a" will tell you why 150 connections are open.

You could also install tcpdump via entware or optware, then run this;

tcpdump -n -i any port 53

It might give you an idea what's up. Good luck.

 

[MrLawliet]

Maybe "netstat -u -a" will tell you why 150 connections are open.

You could also install tcpdump via entware or optware, then run this;

tcpdump -n -i any port 53

It might give you an idea what's up. Good luck.

Thanks, just want to say I'm really grateful, your suggestion to raise the limit at the very least stabilized the network so now I can look for the cause of the issue.