Network flooded by dns.msftncsi.com requests

slytho

Hi!

Every 15 seconds the router sends a request to dns.msftncsi.com and is flooding the network.

I found a setting in the router GUI. Ticking "DNS query" makes it visible, it doesn't affect the frequency of the request tho:
[Screenshot: p01.png]

What is the purpose of these requests and how can I decrease the interval?

Would it have adverse effects if I changed "resolve hostname" to 0.0.0.0?

Best regards
 
They are used to determine if the WAN connection is up.

Do not block that address, or you will create a number of issues, including with all of your Windows systems. One UDP query every 15 secs won't have any impact performance-wise.

The frequency is not user-configurable.
 
The only thing you can do is change the address of what you want to resolve. All this function is doing is confirming that the address that is specified truly matches the set of IPs below; this tells the router that you are connected to the internet upon successful confirmation of the match.
 
Thank you very much to both of you.

> one UDP query every 15 secs won't have any impact performance-wise. The frequency is not user-configurable.

Well, it isn't really because of performance issues, but these requests are cramming logs. I use pihole (for example) and with the new router everything I see in the logs is only that msftncsi.com domain, other domain requests have to work hard to attract attention and not be overseen in the mass of msftncsi. ;)

> All this function is doing is confirming that the address that is specified truly matches the set of IP's below, this tells the router that you are connected to the internet upon successful confirmation of the match.

Fair enough. And what will the router (and/or Windows) do, once these requests don't succeed any more? I don't use Dual-WAN and if it only was a red X being displayed in the Network Map tab of the router's GUI ...
 
Last edited:
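Added example, not part of any post in this thread: one way to measure the log flooding described above and to read the Pi-hole log without it, by detecting lookups that one client repeats at a fixed interval. It assumes the log uses dnsmasq's query-log line format; the sample lines, the addresses, the year and the function names are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample in dnsmasq query-log format; 192.168.1.1 stands in for the router.
SAMPLE_LOG = """\
Jan 12 11:26:04 dnsmasq[812]: query[A] dns.msftncsi.com from 192.168.1.1
Jan 12 11:26:04 dnsmasq[812]: forwarded dns.msftncsi.com to 127.0.0.1#5335
Jan 12 11:26:09 dnsmasq[812]: query[A] example.org from 192.168.1.23
Jan 12 11:26:19 dnsmasq[812]: query[A] dns.msftncsi.com from 192.168.1.1
Jan 12 11:26:34 dnsmasq[812]: query[A] dns.msftncsi.com from 192.168.1.1
Jan 12 11:26:41 dnsmasq[812]: query[AAAA] example.net from 192.168.1.23
Jan 12 11:26:49 dnsmasq[812]: query[A] dns.msftncsi.com from 192.168.1.1
"""

QUERY_RE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) dnsmasq\[\d+\]: "
                      r"query\[(\w+)\] (\S+) from (\S+)$")

def parse_queries(text, year=2020):
    """Yield (timestamp, qtype, domain, client) per query line; skip other lines."""
    for line in text.splitlines():
        m = QUERY_RE.match(line.strip())
        if m:  # syslog timestamps carry no year, so one is assumed
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), m.group(3).lower(), m.group(4)

def find_periodic(queries, min_hits=4, jitter=2.0):
    """Return {(client, domain): seconds} for lookups repeated at a fixed interval."""
    seen = defaultdict(list)
    for ts, _qtype, domain, client in queries:
        seen[(client, domain)].append(ts)
    periodic = {}
    for key, stamps in seen.items():
        if len(stamps) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mid = median(gaps)
        if mid > 0 and all(abs(g - mid) <= jitter for g in gaps):
            periodic[key] = mid
    return periodic

def without_probes(queries, periodic):
    """Drop the periodic probe lookups so the remaining client traffic is readable."""
    return [q for q in queries if (q[3], q[2]) not in periodic]

if __name__ == "__main__":
    qs = list(parse_queries(SAMPLE_LOG))
    probes = find_periodic(qs)
    print(probes, [(q[3], q[2]) for q in without_probes(qs, probes)])
```

The same interval test is useful beyond this probe: any client that repeats one name on a steady timer shows up in the result, which helps separate health checks from ordinary browsing when reviewing DNS logs.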
In that setup, with the router forwarding to PiHole in WAN DNS, you’re adding a dependency that your internal PiHole must also be working to verify your external Internet is “connected”.

People have forcibly disabled the DNS check by clearing out the “Resolved IP Addresses” field and then disabling the DNS checkbox in your screenshot.

Same as command line:
Code:
nvram set dns_probe=0
nvram set dns_probe_content=""
nvram commit

EDIT: it looks like Merlin fixed this in the 384.15 alphas, where disabling the checkbox should suffice.
https://github.com/RMerl/asuswrt-merlin.ng/commit/8943404b78901f32954d93c4e27a92c998b725c6
 
Perhaps this is obvious to everyone. You can use ping instead of a DNS lookup for WAN status. However, in this context, it needs to be an IP address to avoid a DNS lookup which would bring us back to square one :)

I use the IP address of the first hop ISP router, but I take on the responsibility to figure it out if the ISP changes this eventually. Perhaps Cloudflare's 1.1.1.1 is ubiquitous enough for folks to use.
 
Hhm, reading your lines makes me think that unticking that 'DNS query' box should quit sending these numerous domain requests? Is that what you mean?

Well, in my case the box isn't ticked by default, I just switched it on to make the screenshot above. The only effect the box seems to have is displaying/hiding the according fields in the router's GUI; the domain requests continue no matter if the box is ticked or not. I don't know whether this is intended behaviour.

Do you suggest by ticking the IP box, network monitoring could be changed from DNS resolution to IP pings and thus avoiding the DNS log flooding?
 
> Hhm, reading your lines makes me think that unticking that 'DNS query' box should quit sending these numerous domain requests? Is it that what you mean?

No, in firmwares below 384.15, you would also need to run the nvram commands as well.

> Well, in my case the box isn't ticked by default, I just switched it on to make the screenshot above. The only effect the box seems to have is displaying/hiding the according fields in the router's GUI; the domain requests continue no matter if the box is ticked or not. I don't know whether this is intended behaviour.

Yes, we have noticed this behavior as well.

> Do you suggest by ticking the IP box, network monitoring could be changed from DNS resolution to IP pings and thus avoiding the DNS log flooding?

Yes
 
> In that setup, with the router forwarding to PiHole in WAN DNS, you’re adding a dependency that your internal PiHole must also be working to verify your external Internet is “connected”.
>
> People have forcibly disabled the DNS check by clearing out the “Resolved IP Addresses” field and then disabling the DNS checkbox in your screenshot.
>
> Same as command line:
> Code:
> nvram set dns_probe=0
> nvram set dns_probe_content=""
> nvram commit
>
> EDIT: it looks like Merlin fixed this in the 384.15 alphas, where disabling the checkbox should suffice.
> https://github.com/RMerl/asuswrt-merlin.ng/commit/8943404b78901f32954d93c4e27a92c998b725c6

This depends on how you are using Pi-hole (if you are sending local router traffic through it instead of clients only). I had mine set up to assign Pi-hole to clients as the DNS server. Pi-hole never saw the local router traffic, only the client-specific traffic.
 
You should change your setup to use LAN and not WAN DNS for your Pi-hole setup. That way your DHCP server assigns the server IP of Pi-hole to your clients, and it only sees client traffic and not your router traffic. Your router traffic should only exist independently of your Pi-hole.
 
Mmh, maybe that's because I also use unbound on my raspberry pi for DoT purposes. Each DNS traffic of my network is routed through pihole and then unbound and then upstream to DoT servers. My pi hole's IP address is advertised to all clients as the DNS server.
 
[Screenshot: upload_2020-1-12_11-26-19.png]

Pihole is listed as DNS Server for DHCP
[Screenshot: upload_2020-1-12_11-28-13.png]

The pihole is one of the devices listed as NO-filter
[Screenshot: upload_2020-1-12_11-33-23.png]

[Screenshot: upload_2020-1-12_11-35-49.png]

If you are using IPv6, you have to make additional adjustments using dnsmasq.postconf in /jffs/scripts/:
Code:
#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh
pc_replace "dhcp-option=lan,option6:23,[::]" "dhcp-option=lan,option6:23,[IPV6address of pihole]" $CONFIG
Pi-hole's DNS page
[Screenshot: upload_2020-1-12_11-39-17.png]

This allows you to use the DNS service (ISP or DoT) defined on the router.

Alternatively, you can skip the WAN and/or IPv6 section altogether and just use one of the DNS services defined on Pi-hole's list, or you can define your own.
 
> Mmh, maybe that's because I also use unbound on my raspberry pi for DoT purposes. Each DNS traffic of my network is routed through pihole and then unbound and then upstream to DoT servers. My pi hole's IP address is advertised to all clients as the DNS server.

You have your WAN DNS defined as your Pi-hole as well, which is not necessary, if that is the case. This is causing your router to send its "local" traffic through your Pi-hole, possibly flooding it with excess queries that are non-client related.

I recommend removing your Pi-hole address from your WAN DNS, as it is not a necessary step for clients to receive Pi-hole, since you are serving the Pi-hole address to them on LAN DNS DHCP.
 
Ohh, thank you very much. Yes, I know most screenshots. What is new to me are these DNS filter settings though, I'll have a look at it. :) Not yet sure what they do.

My DNS LAN settings are equal to yours.

> you have your wan dns defined as your pihole as well

Yes, you're right. I once deliberately set 'connect to DNS server automatically' to 'no' because I feared to drill a hole in the DNS setup, i.e. that some DNS requests aren't captured but routed to my ISP's default upstream DNS servers by my router instead of to my pi-hole. So, that's why I configured WAN DNS to point to my local network, too. (Besides, back then there was no DoT-option in Asuswrt yet, that's why I installed unbound on my raspberry pi and routed everything through it, but that's another story.)

In the end my question is if changing WAN DNS to "connect automatically = yes" is a security or networking benefit/risk or a cosmetic improvement only? I want to prevent DNS requests to be sent to my ISP's regular servers. I don't mind changing my WAN DNS but simply want to understand why I am doing it. I guess since Asuswrt also supports DoT this can be changed now.
 
You don’t have to change it to yes. You can put in the same IPs of whatever DNS you currently use in Unbound, instead of the PiHole IP.

The idea is that the router needs to be able to directly access DNS servers during boot-up without relying on its own dnsmasq service or any LAN devices that may not be re-connected to the network yet. It can get really complicated if you really want 100% of queries encrypted, even these basic ones originating from the router.

You have options to fix the original issue mentioned in post 1. Now you must decide.
 
Thank you very much. The issue is solved then. :)
If you ever decide you want to try stubby locally on the Raspberry Pi or dnscrypt-proxy 2, there are tons of references online for those as well. You have lots of options for DNS solutions, and all have their pros and cons.
Good luck to you.
 
What's the difference between DNSfilter = router with Pi-Hole No Filtering and disabling DNSfilter completely?
 
