Constant unwanted traffic to dns.msftncsi.com from RT-AC66U

aleph-1

Hi there,

I have spotted a lot of traffic to dns.msftncsi.com nonstop, day and night. BUT, I have no Windows s/w in my network.

To really narrow it down, I have switched off all 25 devices on my network, to end up with the router (RT-AC66U), Pi-hole & an Ubuntu laptop. Still 4 queries per minute!!

On another forum (Pi-hole), I gained the following insight:
----------Snip ----------
It's your Router

Found this here

New WAN state detection code from Asus. Make sure you aren't blocking dns.msftncsi.com.

Github file where you can find it.
-------Snip---------

I'm running stock firmware on the router: 3.0.0.4.380_4005.

Is there anything I can do to stop this? I can't find a setting in the config pages of the router to switch off WAN state detection, but I don't need it, and it's flooding my monitoring logs.

Thanks for any help
 
Hi all
After a little bit of messing around I've learnt more about how the router works and how to fix this. It's more of a workaround than a fix but works for me.

I've added this back in the forum for anyone else who is interested, or if anyone can point out a better solution. Here are the steps:

-1-enable telnet.

-2- telnet into your router (login & pw is the same as your web interface)

-3- we're going to change the nvram settings but it's worth having a look at the default first so do a: nvram show | sort | more

-4- look for: the dns_probe_content and dns_probe_host entries. These have the addresses that were giving me the problem

-5- Set dns_probe_content using: nvram set dns_probe_content=127.0.0.1

-6- set dns_probe_host using: nvram set dns_probe_host="" (note "" = null, ie blank, ie not even a space)

-7- Save these entries: nvram commit

-8- reboot the router: reboot

-9- telnet back in when the router is up and check the entries have held by doing another nvram show.

I've looked at the GitHub code and can't quite work out if the null dns_probe_host is handled properly. However, it's now been 24 hours and all is ok with the router, no loss in performance, or connectivity. Crucially I don't have thousands of unwanted DNS queries to Microsoft to check if I have internet connectivity!

hope this helps
 
Thanks for posting. I am running stock firmware version 3.0.0.4.380.3941 on a RT-AC88U. I have made the changes per your suggestion and it has eliminated all of the annoying "WAN Connection: DNS probe failed" entries in the system log. One minor change from your suggestion is that I set dns_probe_content=0.0.0.0 instead of 127.0.0.1. It has been about 24 hours since making the nvram changes and all is well.
 
raising old topic, due to bug that is still there

I am trying to figure out what is actually going on with Asus WAN probing (wan-duck ?)

so I did the following

Code:
nvram show | grep dns_probe
dns_probe_host=dns.msftncsi.com
dns_probe_content=131.107.255.255 fd3e:4f5a:5b81::1

I know wan-duck is doing DNS probing (port UDP 53), since you cannot ping (ICMP) dns.msftncsi.com - I wanted to change this dns.msftncsi.com destination to something that is pingable (for example cloudflare.com; 198.41.214.162 2400:cb00:2048:1::c629:d6a2)

before that I have decided to test if this actually does anything, so on purpose I have entered data that is wrong and not reachable (either DNS probe or ICMP)

Code:
nvram set dns_probe_host=non-existent.domain.tld
nvram set dns_probe_content=192.168.280.505
nvram commit
reboot

on Tools - Other Settings -> Wan: Use DNS probes to determine if WAN is up (default: Yes) (Yes is checked)

Internet status: Connected
in System Log - there are no errors related to wan-duck or probing, or whatsoever

right now I am clueless, tested on Asus RT-AC68U running Merlin Firmware Version 380.69
primary WAN is WAN connected to cable modem (WAN Connection Type - Automatic IP) DHCP
 
Probing every two seconds with a failure and then not acting upon it? Sounds like you found a bug.
But seriously, there are more ways for the router to check if WAN is up, this probing is just one of them. If you set it to a fake domain it may ignore its down reporting as other services report the WAN connection to be up.
 
If you clear the variable, it will disable the watchdog. That's what the setting in my firmware does.
 
I was wondering today what good soul put that in! Thanks!
 
@RMelin - which variable are you referring to, dns_probe_host or dns_probe_content or both??

still I think this could/should be qualified as a bug

it should report somewhere dns_probe_host (non-existent.domain.tld) is not reachable
or
dns_probe_content (192.168.280.505) IP is not correct

if I enter only (correct) dns_probe_host (cloudflare.com) will it pick up IP alone for dns_probe_content ?
or does it work other way round if you add only dns_probe_content - does it populate dns_probe_host alone ?

trying to figure out how this works, in order to isolate root-cause of dual-wan failover problem
 
dns_probe_content. Just clear its content to disable the feature.

Note that this will break Dual WAN mode however.
 

I will test this

does router test dns_probe_host and expect IP listed in dns_probe_content?
if I add
dns_probe_host=cloudflare.com

but leave Microsoft IPs in
dns_probe_content=131.107.255.255 fd3e:4f5a:5b81::1

it doesn't make much sense, still dns probe test will "pass"?

is there a command to test ASUS wanduck dns probe?
 
I don't know, I never dug any further on this because personally I simply don't care (Windows desktops already poll that same DNS anyway). I only know that the watchdog won't do anything if dns_probe_content is empty.
 
Any possibility to turn it off via GUI? (rt86u)

Asus already added this in 384_45149, on the Administration -> System page.
 
Is it? Because I have both checkboxes unchecked and I can still see loads of requests going through

Are you sure the requests aren't coming from your Windows devices?
 
I am sure, I used nvram method, and now there is complete silence ;)
weird...but it works!

And I set same setting on two routers - 86 and 87, 87 was still probing
 
I have no Microsoft devices in the house.
I get 1000s of these entries daily in my pihole.
So, just deselecting the 'Network Monitoring' check boxes does not stop the check?
Here's the nvram from my 86U running 384.9

Code:
nvram show | grep dns_probe
size: 64853 bytes (66219 left)
dns_probe=0
dns_probe_content=131.107.255.255 112.4.20.71 fd3e:4f5a:5b81::1
dns_probe_host=dns.msftncsi.com
 
I noticed the same behavior. But if you:
Code:
nvram set dns_probe_content=""
the entries will cease. Caveat: doing so will break dual WAN if you are using it.
 
I got the same issue here. does it just hide the entries or does it stop the probing effectively?
 
Stops the DNS lookups
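
Added example (not part of the thread, and not Asus or Pi-hole code): one way to answer the question raised several times above, whether the lookups come from the router or from client devices, is to tally queries for the probe host per client and per minute from the Pi-hole query log. The log lines and IP addresses below are constructed, and the standard dnsmasq `query[...] name from client` log format is assumed.

```python
import re
from collections import Counter, defaultdict

PROBE_HOST = "dns.msftncsi.com"  # dns_probe_host value quoted in the thread

# Constructed sample in dnsmasq/Pi-hole log format; addresses are made up.
# 192.168.1.1 stands in for the router, 192.168.1.50 for a laptop.
SAMPLE_LOG = """\
Mar  3 10:00:02 dnsmasq[812]: query[A] dns.msftncsi.com from 192.168.1.1
Mar  3 10:00:02 dnsmasq[812]: forwarded dns.msftncsi.com to 9.9.9.9
Mar  3 10:00:17 dnsmasq[812]: query[AAAA] dns.msftncsi.com from 192.168.1.1
Mar  3 10:00:31 dnsmasq[812]: query[A] example.org from 192.168.1.50
Mar  3 10:00:32 dnsmasq[812]: query[A] dns.msftncsi.com from 192.168.1.1
Mar  3 10:00:47 dnsmasq[812]: query[AAAA] dns.msftncsi.com from 192.168.1.1
Mar  3 10:01:02 dnsmasq[812]: query[A] DNS.MSFTNCSI.COM from 192.168.1.50
Mar  3 10:01:03 dnsmasq[812]: query[A] dns.msftncsi.com from 192.168.1.1
"""

QUERY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+dnsmasq\[\d+\]:\s+"
    r"query\[(?P<qtype>\w+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)$"
)

def probe_queries_by_client(log_text, host=PROBE_HOST):
    """Return {client: Counter({"Mon D HH:MM": n})} for queries to `host`."""
    per_client = defaultdict(Counter)
    for line in log_text.splitlines():
        m = QUERY_RE.match(line.strip())
        # Skip replies, forwards and names other than the probe host.
        if not m or m["name"].rstrip(".").lower() != host:
            continue
        # Collapse the padded syslog date and drop the seconds -> minute bucket.
        minute = " ".join(m["ts"].split())[:-3]
        per_client[m["client"]][minute] += 1
    return per_client

def summarize(log_text, host=PROBE_HOST):
    """Return [(client, total, peak_per_minute)], busiest client first."""
    rows = [(c, sum(mins.values()), max(mins.values()))
            for c, mins in probe_queries_by_client(log_text, host).items()]
    return sorted(rows, key=lambda r: -r[1])

if __name__ == "__main__":
    for client, total, peak in summarize(SAMPLE_LOG):
        print(f"{client:15} total={total:<4} peak/min={peak}")
```

A client that shows a steady per-minute count around the clock, as the router address does in the sample, is the likely source of the probe; running the same tally before and after the nvram change shows whether the lookups have actually stopped.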
 
