AC66U on .45 Maximum number of dns queries reached (150)

MrLawliet
AC66U on .45 Maximum number of dns queries reached (150) [SOLVED]

Hey Merlin,

I've swapped in a brand new AC66U with 376.45 firmware and it worked solid for about 20 hours and then I got this from dnsmasq:

Maximum number of concurrent DNS queries reached (max: 150)

We have fewer devices than ever at this office since we are on a ramp-down, so I can't imagine us hitting limits, and I didn't receive this error in any prior firmware.

Any advice for what it may be or how to diagnose further? Network configuration hasn't changed since I swapped this one in.

Edit: Marked as solved in case anyone else searches for this error. Read the thread to get your answer.
 
Forgot to mention, when it happens, router seems to stop all WAN access until rebooted.

DNS is done by a local server, DHCP by the router, and it has "Forward local domain queries to upstream DNS" enabled since we have a local domain.
 
150 concurrent DNS queries seems a bit high. DNS queries should be quick and done with, and then cached to prevent future queries. This could be a DNS amplification attack coming from your network, so I'd be looking at your network traffic to find one if it exists. (your upstream bandwidth in the traffic monitor is a good indication)

Otherwise, enable the jffs partition and telnet/ssh, and create this file: /jffs/configs/dnsmasq.conf.add
Add this line
-dns-forward-max=1000

And reboot the router.
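For reference, here is what the dnsmasq.conf.add file should contain, spelled the way dnsmasq's config-file parser expects. This is an added example, not copied from the post above; the 1000 value is the one suggested there, and the comment about the command-line form is there because the config-file syntax is the long option name without any leading dashes.

```conf
# /jffs/configs/dnsmasq.conf.add
# Asuswrt-Merlin appends this file to the generated /etc/dnsmasq.conf.
#
# Config-file syntax is the option name with NO leading dashes.  The
# command-line spelling "--dns-forward-max=1000" (or a line beginning with
# "-dns-forward-max") makes dnsmasq log "bad option at line N" and refuse
# to start, which takes all DNS down with it.
#
# Default for dns-forward-max is 150, which is exactly the limit in the
# "Maximum number of concurrent DNS queries reached (max: 150)" message.
dns-forward-max=1000
```

Before rebooting, run `dnsmasq --test` on the router: it syntax-checks the merged configuration and exits non-zero with the same "bad option" message that would otherwise only appear in syslog after dnsmasq has failed to start. On Asuswrt-Merlin, `service restart_dnsmasq` then applies the change without a full reboot.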
 
Thanks for the IP traffic info

Any advice on how to go about locating the attacker?
 
Added the command as you suggested, seeing this:

Dec 31 19:00:15 dnsmasq[347]: bad option at line 29 of /etc/dnsmasq.conf
Dec 31 19:00:15 dnsmasq[347]: FAILED to start up
 
Okay, figured out the dnsmasq error on line 28; apparently I wasn't supposed to include the first "-" in the command you gave.

Waiting to see if it still drops.
 
If your upstream traffic is pretty maxed out, you have a problem. Don't allow recursive DNS lookups from the internet, authoritative only. If you can "nslookup google.com 1.2.3.4" (where 1.2.3.4 is your public WAN IP) from a computer outside your network (on the internet), then your DNS server and/or firewall is configured incorrectly.
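The "nslookup google.com 1.2.3.4 from outside" check above, done at the packet level so you can see exactly what the server says back. This is an added example, not part of the thread: it builds a single A query with the RD bit set, sends it to the address you give it, and classifies the reply from the header flags. REFUSED (RCODE 5) or no answer at all is what you want from the internet side; a reply with RA (recursion available) set means the server is an open recursive resolver. The script name `dns_open_check.py` and the fixed transaction id are assumptions for the example.

```python
import socket
import struct

TXID = 0x1234  # fixed transaction id for the probe (assumption: one query in flight)


def build_query(qname: str, txid: int = TXID) -> bytes:
    """Build a minimal DNS A/IN query with RD (recursion desired) set."""
    # Header: ID, flags (RD=1 -> 0x0100), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = b""
    for label in qname.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length: %r" % label)
        question += bytes([len(raw)]) + raw
    # root terminator, then QTYPE=A (1), QCLASS=IN (1)
    question += b"\x00" + struct.pack("!HH", 1, 1)
    return header + question


def parse_header(data: bytes) -> dict:
    """Decode the 12-byte DNS header into the fields the recursion check needs."""
    if len(data) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),   # 1 = this is a response
        "aa": bool(flags & 0x0400),   # authoritative answer
        "rd": bool(flags & 0x0100),   # recursion desired (echoed from the query)
        "ra": bool(flags & 0x0080),   # recursion available: the server offers recursion
        "rcode": flags & 0x000F,      # 0 NOERROR, 3 NXDOMAIN, 5 REFUSED
        "ancount": an,
    }


def classify(hdr: dict) -> str:
    """Judge a response to a query for a name the server is NOT authoritative for."""
    if not hdr["qr"]:
        return "not-a-response"
    if hdr["rcode"] == 5:
        return "recursion-refused"       # what an authoritative-only server should say
    if hdr["ra"]:
        return "open-recursive"          # RA set: it advertises recursion to anyone asking
    return "recursion-not-offered"       # RA clear: empty answer or referral, no recursion


def probe(server: str, qname: str = "google.com", timeout: float = 3.0) -> str:
    """Send one query to server:53 over UDP and classify whatever comes back."""
    query = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        try:
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return "no-answer"  # dropped/filtered: the state you want from the internet side
    hdr = parse_header(data)
    if hdr["id"] != TXID:
        return "id-mismatch"
    return classify(hdr)


if __name__ == "__main__":
    import sys
    # Run from a host OUTSIDE your network against your public WAN IP, e.g.
    #   python3 dns_open_check.py 1.2.3.4
    print(probe(sys.argv[1]))
```

Anything other than "recursion-refused" or "no-answer" from the outside means port 53 on the WAN side is reachable and the server behind it is willing to recurse, which is the firewall or server configuration problem the reply above describes.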
 
Thanks for trying to help me out with this!

I did check whether lookups from the internet work; they don't, so at least I know it's not that. I tried turning off the VPN to see if an external client was causing some problems, but that didn't affect anything.

Raising the limit to 1000 seems to have helped. I also took down our SmoothSec IDS VM as it was freaking out; I'm wondering if its sensor was causing issues.

Wish the router would give more info.
 
Maybe "netstat -u -a" will tell you why 150 connections are open.

You could also install tcpdump via entware or optware, then run this:

tcpdump -n -i any port 53

It might give you an idea what's up. Good luck.
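Reading raw `tcpdump -n -i any port 53` output by eye gets old quickly when 150 queries are in flight, so here is a small analyzer for it. This is an added example, not from the thread: it counts queries per client and per name, and, more usefully for this particular error, matches each query to its reply by client address, port and transaction id, so whatever is still unanswered at the end of the capture is what was piling up toward dns-forward-max. The capture text is constructed to look like tcpdump's output (not a real capture), and the script name `dns_top.py` is an assumption.

```python
import re
import sys
from collections import Counter

# Constructed sample (not a real capture) in the shape of `tcpdump -n -i any port 53`:
# .50 and .60 each ask once and get a reply; .77 fires a stream of distinct names
# that never get answered, which is exactly what accumulates toward dns-forward-max.
SAMPLE = """\
19:00:15.000001 IP 192.168.1.50.51234 > 192.168.1.1.53: 1001+ A? google.com. (28)
19:00:15.000500 IP 192.168.1.1.53 > 192.168.1.50.51234: 1001 1/0/0 A 142.250.72.46 (44)
19:00:15.001000 IP 192.168.1.77.40001 > 192.168.1.1.53: 2001+ A? a1.bad.example. (32)
19:00:15.001100 IP 192.168.1.77.40002 > 192.168.1.1.53: 2002+ A? a2.bad.example. (32)
19:00:15.001200 IP 192.168.1.77.40003 > 192.168.1.1.53: 2003+ A? a3.bad.example. (32)
19:00:15.002000 IP 192.168.1.60.55555 > 192.168.1.1.53: 3001+ PTR? 1.1.168.192.in-addr.arpa. (42)
19:00:15.002300 IP 192.168.1.1.53 > 192.168.1.60.55555: 3001 NXDomain 0/1/0 (99)
19:00:15.003000 IP 192.168.1.77.40004 > 192.168.1.1.53: 2004+ A? a4.bad.example. (32)
"""

# Newer tcpdump prints "<iface>  In|Out" after the timestamp with -i any; make it optional.
PREFIX = r"^(?P<ts>\S+)(?: \S+ +(?:In|Out))? +IP "
# Query: "<client>.<port> > <server>.53: <txid>+ <QTYPE>? <qname> (<len>)"
QUERY_RE = re.compile(
    PREFIX + r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.53: "
    r"(?P<txid>\d+)\+? (?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+) \(\d+\)$"
)
# Reply: "<server>.53 > <client>.<port>: <txid> ..."
REPLY_RE = re.compile(
    PREFIX + r"(?P<src>[\d.]+)\.53 > (?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<txid>\d+) "
)


def analyze(text: str) -> dict:
    """Count queries per client and per name; list queries never answered in the capture."""
    per_client = Counter()
    per_name = Counter()
    pending = {}  # (client ip, client port, txid) -> qname, removed when a reply is seen
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if m:
            per_client[m["src"]] += 1
            per_name[m["qname"]] += 1
            pending[(m["src"], m["sport"], m["txid"])] = m["qname"]
            continue
        m = REPLY_RE.match(line)
        if m:
            pending.pop((m["dst"], m["dport"], m["txid"]), None)
    return {
        "per_client": per_client,
        "per_name": per_name,
        "outstanding": sorted(pending.items()),
    }


def report(text: str) -> str:
    """Human-readable summary: who asks most, what they ask, and what never got answered."""
    r = analyze(text)
    lines = ["queries per client:"]
    lines += ["  %-16s %d" % (ip, n) for ip, n in r["per_client"].most_common()]
    lines.append("most queried names:")
    lines += ["  %-40s %d" % (q, n) for q, n in r["per_name"].most_common(5)]
    lines.append("unanswered in capture: %d" % len(r["outstanding"]))
    lines += ["  %s:%s id=%s %s" % (k + (v,)) for k, v in r["outstanding"]]
    return "\n".join(lines)


if __name__ == "__main__":
    # On the router: tcpdump -n -l -i any -c 2000 port 53 | python3 dns_top.py
    # With no piped input, the embedded sample is analyzed instead.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    print(report(text))
```

On the sample, 192.168.1.77 is the only client with unanswered queries, and every one of them is for a different name, so caching cannot help; that is the host to look at first. A client asking for thousands of distinct names that never resolve is also what the upstream-bandwidth hint in the earlier reply would show as a steady stream of small outbound packets.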
 
Thanks, I just want to say I'm really grateful. Your suggestion to raise the limit has at the very least stabilized the network, so now I can look for the cause of the issue.
 