Constant unwanted traffic to dns.msftncsi.com from RT-AC66U

aleph-1

New Around Here
Hi there,

I have spotted a lot of traffic to dns.msftncsi.com, non-stop, day and night. BUT, I have no Windows s/w in my network.

To really narrow it down, I have switched off all 25 devices on my network, to end up with the router (RT-AC66U), Pi-hole & an Ubuntu laptop. Still 4 queries per minute!!

On another forum (Pi-hole), I gained the following insight:
----------Snip ----------
It's your Router

Found this here

New WAN state detection code from Asus. Make sure you aren't blocking dns.msftncsi.com.

Github file where you can find it.
-------Snip---------

I'm running stock firmware on the router: 3.0.0.4.380_4005.

Is there anything I can do to stop this? I can't find a setting in the config pages of the router to switch off WAN state detection, but I don't need it, and it's flooding my monitoring logs.

Thanks for any help
 

aleph-1

New Around Here
Hi all
After a little bit of messing around I've learnt more about how the router works and how to fix this. It's more of a workaround than a fix but works for me.

I've added this back in the forum for anyone else who is interested, or if anyone wants to point out a better solution. Here are the steps:

-1- enable telnet.

-2- telnet into your router (login & pw is the same as your web interface)

-3- we're going to change the nvram settings but it's worth having a look at the default first so do a: nvram show | sort | more

-4- look for the dns_probe_content and dns_probe_host entries. These have the addresses that were giving me the problem

-5- set dns_probe_content using: nvram set dns_probe_content=127.0.0.1

-6- set dns_probe_host using: nvram set dns_probe_host="" (note "" = null, i.e. blank, i.e. not even a space)

-7- save these entries: nvram commit

-8- reboot the router: reboot

-9- telnet back in when the router is up and check the entries have held by doing another nvram show.

I've looked at the GitHub code and can't quite work out if the null dns_probe_host is handled properly. However, it's now been 24 hours and all is ok with the router, no loss in performance or connectivity. Crucially I don't have thousands of unwanted DNS queries to Microsoft to check if I have internet connectivity!

hope this helps
 

dsring

Regular Contributor
Thanks for posting. I am running stock firmware version 3.0.0.4.380.3941 on an RT-AC88U. I have made the changes per your suggestion and it has eliminated all of the annoying "WAN Connection: DNS probe failed" entries in the system log. One minor change from your suggestion is that I set dns_probe_content=0.0.0.0 instead of 127.0.0.1. It has been about 24 hours since making the nvram changes and all is well.
 

peraburek

Senior Member
raising old topic, due to bug that is still there

I am trying to figure out what is actually going on with Asus WAN probing (wan-duck ?)

so I did the following

Code:
nvram show | grep dns_probe
dns_probe_host=dns.msftncsi.com
dns_probe_content=131.107.255.255 fd3e:4f5a:5b81::1
I know wan-duck is doing DNS probing (port UDP 53), since you cannot ping (ICMP) dns.msftncsi.com - I wanted to change this dns.msftncsi.com destination to something that is pingable (for example cloudflare.com; 198.41.214.162 2400:cb00:2048:1::c629:d6a2)

before that I have decided to test if this actually does anything, so on purpose I have entered data that is wrong and not reachable (either DNS probe or ICMP)

Code:
nvram set dns_probe_host=non-existent.domain.tld
nvram set dns_probe_content=192.168.280.505
nvram commit
reboot
on Tools - Other Settings -> Wan: Use DNS probes to determine if WAN is up (default: Yes) (Yes is checked)

Internet status: Connected
in System Log - there are no errors related to wan-duck or probing, or whatsoever

right now I am clueless, tested on Asus RT-AC68U running Merlin Firmware Version 380.69
primary WAN is WAN connected to cable modem (WAN Connection Type - Automatic IP) DHCP
 

thelonelycoder

Part of the Furniture
Probing every two seconds with a failure and then not act upon? Sounds like you found a bug.
But seriously, there are more ways for the router to check if WAN is up, this probing is just one of them. If you set it to a fake domain it may ignore its down reporting as other services report the WAN connection to be up.
 

RMerlin

Asuswrt-Merlin dev
If you clear the variable, it will disable the watchdog. That's what the setting in my firmware does.
 

thelonelycoder

Part of the Furniture
If you clear the variable, it will disable the watchdog. That's what the setting in my firmware does.
I was wondering today what good soul put that in! Thanks!
 

peraburek

Senior Member
@RMerlin - which variable are you referring to, dns_probe_host or dns_probe_content or both ??

still I think this could/should be qualified as a bug

it should report somewhere dns_probe_host (non-existent.domain.tld) is not reachable
or
dns_probe_content (192.168.280.505) IP is not correct

if I enter only (correct) dns_probe_host (cloudflare.com) will it pick up IP alone for dns_probe_content ?
or does it work other way round if you add only dns_probe_content - does it populate dns_probe_host alone ?

trying to figure out how this works, in order to isolate root-cause of dual-wan failover problem
 

RMerlin

Asuswrt-Merlin dev
dns_probe_content. Just clear its content to disable the feature.

Note that this will break Dual WAN mode however.
 

peraburek

Senior Member
dns_probe_content. Just clear its content to disable the feature.

Note that this will break Dual WAN mode however.
I will test this

does router test dns_probe_host and expect IP listed in dns_probe_content?
if I add
dns_probe_host=cloudflare.com

but leave Microsoft IPs in
dns_probe_content=131.107.255.255 fd3e:4f5a:5b81::1

it doesn't make much sense, still dns probe test will "pass"?

is there command to test ASUS wanduck dns probe?
 

RMerlin

Asuswrt-Merlin dev
I don't know, I never dug any further on this because personally I simply don't care (Windows desktops already poll that same DNS anyway). I only know that the watchdog won't do anything if dns_probe_content is empty.
 

RMerlin

Asuswrt-Merlin dev
Any possibility to turn it off via GUI? (rt86u)
Asus already added this in 384_45149, on the Administration -> System page.
 

RMerlin

Asuswrt-Merlin dev
Is it ? Because I have both checkboxes unchecked and I can still see loads of requests going through
Are you sure the requests aren't coming from your Windows devices?
 

wheelq

Regular Contributor
Are you sure the requests aren't coming from your Windows devices?
I am sure, I used nvram method, and now there is complete silence ;)
weird...but it works!

And I set same setting on two routers - 86 and 87, 87 was still probing
 

GHammer

Senior Member
I have no Microsoft devices in the house.
I get 1000s of these entries daily in my pihole.
So, just deselecting the 'Network Monitoring' check boxes does not stop the check?
Here's the nvram from my 86U running 384.9

Code:
nvram show | grep dns_probe
size: 64853 bytes (66219 left)
dns_probe=0
dns_probe_content=131.107.255.255 112.4.20.71 fd3e:4f5a:5b81::1
dns_probe_host=dns.msftncsi.com
 

EmeraldDeer

Very Senior Member
I noticed the same behavior. But if you:
Code:
nvram set dns_probe_content=""
the entries will cease. Caveat: doing so will break dual WAN if you are using it.
 

thobux

Occasional Visitor
I noticed the same behavior. But if you:
Code:
nvram set dns_probe_content=""
the entries will cease. Caveat: doing so will break dual WAN if you are using it.
I got the same issue here. Does it just hide the entries or does it stop the probing effectively?
 

EmeraldDeer

Very Senior Member
I got the same issue here. does it just hide the entries or does it stop the probing effectively?
Stops the DNS lookups
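
To check the two questions raised in the thread (are the lookups coming from the router or from other clients, and do they really stop after the nvram change), the following added example, which is not from any poster, tallies queries for dns.msftncsi.com per client from a dnsmasq-format query log such as Pi-hole writes. The log lines and IP addresses are constructed sample data, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: attribute lookups of the router's WAN-probe hostname to
# clients, from a dnsmasq-format query log (the format Pi-hole writes).

PROBE_HOST="dns.msftncsi.com"   # dns_probe_host value shown in the thread

# Constructed sample log; the IP addresses are made up for illustration
# (192.168.1.1 stands for the router, 192.168.1.50 for a laptop).
sample_log() {
    cat <<'EOF'
Mar  3 10:00:02 dnsmasq[812]: query[A] dns.msftncsi.com from 192.168.1.1
Mar  3 10:00:02 dnsmasq[812]: forwarded dns.msftncsi.com to 1.1.1.1
Mar  3 10:00:02 dnsmasq[812]: reply dns.msftncsi.com is 131.107.255.255
Mar  3 10:00:17 dnsmasq[812]: query[AAAA] dns.msftncsi.com from 192.168.1.1
Mar  3 10:00:21 dnsmasq[812]: query[A] example.org from 192.168.1.50
Mar  3 10:00:32 dnsmasq[812]: query[A] dns.msftncsi.com from 192.168.1.1
Mar  3 10:00:40 dnsmasq[812]: query[A] dns.msftncsi.com from 192.168.1.50
Mar  3 10:00:47 dnsmasq[812]: query[AAAA] dns.msftncsi.com from 192.168.1.1
EOF
}

# Reads a log on stdin and prints one line per client:
#   <query count> <client IP> <time of first query> <time of last query>
probe_sources() {
    awk -v host="$PROBE_HOST" '
        # Fields: Mon DD HH:MM:SS dnsmasq[pid]: query[TYPE] name from client
        $5 ~ /^query\[/ && $6 == host && $7 == "from" {
            c = $8
            if (!(c in n)) first[c] = $3
            n[c]++
            last[c] = $3
        }
        END { for (c in n) print n[c], c, first[c], last[c] }
    ' | sort -k1,1nr -k2,2
}

# Use the log file given as first argument, else the sample above.
if [ -n "${1:-}" ]; then
    probe_sources < "$1"
else
    sample_log | probe_sources
fi
```

Run it against the log before and after `nvram set dns_probe_content=""`: if the router's address drops out of the output while other clients remain, the remaining lookups come from those devices.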
 
