1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.
Dismiss Notice

Welcome To SNBForums

SNBForums is a community for anyone who wants to learn about or discuss the latest in wireless routers, network storage and the ins and outs of building and maintaining a small network.

If you'd like to post a question, simply register and have at it!

While you're at it, please check out SmallNetBuilder for product reviews and our famous Router Charts, Ranker and plenty more!

Constant unwanted traffic to dns.msftncsi.com from RT-AC66U

Discussion in 'ASUSWRT - Official' started by aleph-1, Oct 24, 2016.

  1. aleph-1

    aleph-1 New Around Here

    Joined:
    Oct 24, 2016
    Messages:
    3
    Hi there,

    I have spotted a lot of traffic to dns.msftncsi.com non stop, day and night.BUT, I have no windows s/w in my network

    To really narrow it down, I have switched off all 25 devices on my network, to end up with the router (RT-AC66U), pi hole & a ubuntu laptop. Still 4 queries per minute !!

    On another forum (pi-hole) , I gained the following insight:
    ----------Snip ----------
    It's your Router

    Found this here

    New WAN state detection code from Asus. Make sure you aren't blocking dns.msftncsi.com.

    Github file where you can find it.
    -------Snip---------

    I'm running stock firmware on the router: 3.0.0.4.380_4005.

    Is there anything i can do to stop this? I can't find a setting in the config pages of the router to switch off Wan state detection, but I don't need it, and it's flooding my monitoring logs.

    Thanks for any help
     
  2. Please support SNBForums! Just click on this link before you buy something from Amazon and we'll get a small commission on anything you buy. Thanks!
  3. aleph-1

    aleph-1 New Around Here

    Joined:
    Oct 24, 2016
    Messages:
    3
    Hi all
    After a little bit of messing around I’ve learnt more about how the router works and how to fix this. Its more of a workaround than a fix but works for me.

    Ive added this back in the forum for anyone else who is interested, or if anyone to point out a better solution.Here are the steps:

    -1-enable telnet.

    -2-telnet into your router (login & pw is the the same as your web interface)

    -3- were going to change the nvram settings but its worth having a look at the default first so do a: nvram show | sort | more

    -4- look for: the dns_probe_content and dns_probe_host entries. These have the addresses that were giving me the problem

    -5- Set dns_probe_content using: nvram set dns_probe_content=127.0.0.1

    -6- set dns_probe_host using: nvram set dns_probe_host="" (note "" = null, ie blank, ie not even a space)

    -7- Save these entries: nvram commit

    -8- reboot the router: reboot

    -9- telnet back in when the router is up and check the entires have held by doing another nvram show.

    I've looked at the git hub code and can't quite work out if the null dns_probe_host is handled properly. However, is now been 24 hours and all is ok with the router, no loss in performance,or connectivity. Crucially I don't have thousands of unwanted dns queries to microsoft to check if I have internet connectivity!

    hope this helps
     
  4. dsring

    dsring Regular Contributor

    Joined:
    Aug 19, 2012
    Messages:
    184
    Thanks for posting. I am running stock firmware version 3.0.0.4.380.3941 on a RT-AC88U. I have made the changes per your suggestion and it has eliminated all of the annoying "WAN Connection: DNS probe failed" entries in the system log. One minor change from your suggestion is that I set dns_probe_content=0.0.0.0 instead of 127.0.0.1. It has been about 24 hours since making the nvram changes and all is well.
     
    joegreat likes this.
  5. peraburek

    peraburek Regular Contributor

    Joined:
    Mar 13, 2015
    Messages:
    183
    raising old topic, due to bug that is still there

    I am trying to figure out what is actually going on with Asus WAN probing (wan-duck ?)

    so I did the following

    Code:
    nvram show | grep dns_probe
    dns_probe_host=dns.msftncsi.com
    dns_probe_content=131.107.255.255 fd3e:4f5a:5b81::1
    I know wan-duck is doing DNS probing (port UDP 53), since you cannot ping (ICMP) dns.msftncsi.com - I wanted to change this dns.msftncsi.com destination to something that is pingable (for example cloudflare.com; 198.41.214.162 2400:cb00:2048:1::c629:d6a2)

    before that I have decided to test if this actually does anything, so on purpose I have enter data that is wrong and not reachable (either DNS probe or ICMP)

    Code:
    nvram set dns_probe_host=non-existent.domain.tld
    nvram set dns_probe_content=192.168.280.505
    nvram commit
    reboot
    on Tools - Other Settings -> Wan: Use DNS probes to determine if WAN is up (default: Yes) (Yes is checked)

    Internet status: Connected
    in System Log - there are no errors related to wan-duck or probing, or whatsoever

    right now I am clueless, tested on Asus RT-AC68U running Merlin Firmware Version 380.69
    primary WAN is WAN connected to cable modem (WAN Connection Type - Automatic IP) DHCP
     
  6. thelonelycoder

    thelonelycoder Part of the Furniture

    Joined:
    Jan 23, 2014
    Messages:
    4,176
    Location:
    Switzerland
    Probing every two seconds with a failure and then not act upon? Sounds like you found a bug.
    But seriously, there are more ways for the router to check if WAN is up, this probing is just one of them. If you set it to a fake domains it may ignore its down reporting as other services report the WAN connection to be up.
     
  7. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    27,249
    Location:
    Canada
    If you clear the variable, it will disable the watchdog. That's what the setting in my firmware does.
     
    thelonelycoder likes this.
  8. thelonelycoder

    thelonelycoder Part of the Furniture

    Joined:
    Jan 23, 2014
    Messages:
    4,176
    Location:
    Switzerland
    I was wondering today what good soul put that in! Thanks!
     
  9. peraburek

    peraburek Regular Contributor

    Joined:
    Mar 13, 2015
    Messages:
    183
    @RMelin - which variable are you reffering to, dns_probe_host or dns_probe_content or both ??

    still I think this could/should be qualified as a bug

    it should report somewhere dns_probe_host (non-existent.domain.tld) is not reachable
    or
    dns_probe_content (192.168.280.505) IP is not correct

    if I enter only (correct) dns_probe_host (cloudflare.com) will it pick up IP alone for dns_probe_content ?
    or does it work other way round if you add only dns_probe_content - does it populate dns_probe_host alone ?

    trying to figure out how this works, in order to isolate root-cause of dual-wan failover problem
     
  10. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    27,249
    Location:
    Canada
    dns_probe_content. Just clear its content to disable the feature.

    Note that this will break Dual WAN mode however.
     
  11. peraburek

    peraburek Regular Contributor

    Joined:
    Mar 13, 2015
    Messages:
    183
    I will test this

    does router test dns_probe_host and expect IP listed in dns_probe_content?
    if I add
    dns_probe_host=cloudflare.com

    but leave Microsoft IPs in
    dns_probe_content=131.107.255.255 fd3e:4f5a:5b81::1

    it doesn't make much sense, still dns probe test will "pass"?

    is there command to test ASUS wanduck dns probe?
     
  12. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    27,249
    Location:
    Canada
    I don't know, I never dug any further on this because personally I simply don't care (Windows desktops already poll that same DNS anyway). I only know that the watchdog won't do anything if dns_probe_content is empty.
     
Please support SNBForums! Just click on this link before you buy something from Amazon and we'll get a small commission on anything you buy. Thanks!