DNS issues - overloading server


Frostwolf

New Around Here
Last Saturday I upgraded from 386.1_0 to 386.2_0, and by Monday night I was having issues with devices saying no internet or no response from DNS. I did have internet; a router reboot restored it. Tuesday morning, no internet/DNS again. I updated to 386.2_2 and the issue returned that evening. I swapped DNS from AdGuard to NextDNS and internet was restored. Next morning, same thing, but with NextDNS I can see how many hits it's doing: something is overloading the DNS, about 6k requests in about 30 minutes. Rebooting the router fixed it, and my DNS requests were back to normal.

This morning around 5am, with no one awake, the DNS started running crazy again; I show about 40k requests in 3 hours. This time I could troubleshoot, so I started by eliminating devices on the network. One by one I shut PCs and phones down, with no change. I then SSHed into the router and restarted DNSMASQ (service restart_dnsmasq) and the issue stopped, DNS back to normal. I pulled logs from NextDNS, nothing suspicious, but it seems each entry is repeated about 6 to 8 times. 3-4 hours later it's back at it, almost 40k requests between 12-4pm. There was no one downloading or doing anything over the internet during that time (screenshot below).

The router logs, set to debug since this morning, show at 12:37pm, the same ten-minute period it started going bonkers, this entry: "Apr 17 12:37:51 kernel: nvram: consolidating space!". Going back earlier I found another entry this morning: "Apr 17 04:46:17 kernel: nvram: consolidating space!". Both were just minutes before it went bananas. 2 fries short of a happy meal, wacko!

I'm considering wiping the settings and setting it up again, but I have a lot of settings, VPN and reservations. If I export the settings and import those, I suppose I could reintroduce the issue, so I guess I'm doing that from scratch. Or I need to roll back to 386.1.

But before I do anything else, or reset the settings: has anyone else got any troubleshooting ideas, or tests I could perform beforehand? I also noticed another forum where they seem to have the same issue as I'm having: https://help.nextdns.io/t/83hl722/nextdns-issues-with-dot-on-asus-merlin

I have DoT set up; DNS is now NextDNS, and I like it very much so far. The router is an RT-AC68w.

Any help is appreciated. Hope what I said above made sense, pretty exhausted at the moment.

[Screenshot: DNS overload.png]

[Screenshot: DNS snapshot.png, a 3-4 second snapshot of the log file]
 

bbunge

Part of the Furniture
You seem to be confused about the firmware versions. 386.2_2 is current Merlin. Rolling back may help, but there are security vulnerabilities in the older firmware. The Asus beta for the AC68U is also stable but lacks features of Merlin.
Always best to choose a DNS server that is geographically close to you if you can. With DoT, use at least two upstream resolvers with IPv4 and four with IPv6 (two IPv4 and two IPv6, alternated). I've not used the NextDNS add-on for Merlin, but I feel the security with Stubby DoT and DNSMASQ DNSSEC is more than sufficient for my needs. Try other DNS servers to find which works for you. Cloudflare security 1.1.1.2 and 1.0.0.2 work well for me.
 

Frostwolf

New Around Here
You're right, I missed editing the versions. I am on the current build ("Current Version : 386.2_2"); my previous versions were 386.2_0 and 386.1_0, and the problem appeared on 386.2_0.

I've disabled DNSSEC for now; I had issues with it and the VPN active at the same time on build 386.1_0.

I've already changed out DNS, and I've disabled IPv6 for now. No add-in, just using the DNS IPv4 servers with DoT. NextDNS reports quickly if that's working. I may need to go look for the add-in; maybe it'll show which device made each request.
 

EmeraldDeer

Very Senior Member
In order to minimize the number of queries going upstream:
  • All of your devices should use the router's dnsmasq. I don't want to configure every device so I intercept DNS requests. I disable DNS over HTTPS in browsers.
  • By default, dnsmasq does not cache queries for non-existent entries. I have a script which overrides this, which substantially reduces the number of upstream queries, especially from Windows PCs.
  • When I first started using DNS over TLS, some of the providers did not have the capacity yet and many queries would fail. I have been using Quad9 for a while and have never noticed this happening again.
 
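An added example, not code from the thread, from dnsmasq or from Asuswrt-Merlin: a small Python summariser of dnsmasq's query log that serves two points raised above, Frostwolf's question of which device is generating the requests and why each NextDNS entry appears 6 to 8 times, and EmeraldDeer's point about upstream queries for non-existent names. It assumes dnsmasq query logging is switched on (the dnsmasq `log-queries` option; on Merlin the usual place for extra dnsmasq options is `/jffs/configs/dnsmasq.conf.add`, followed by `service restart_dnsmasq`, and the lines land in the system log, `/tmp/syslog.log`, which is assumed here). Every query, forward and reply then carries the LAN client's address, which the upstream provider's dashboard cannot show. The log lines embedded in the block are constructed for the example, and `127.0.1.1` stands in for whatever upstream dnsmasq forwards to.

```python
"""Summarise dnsmasq query-log lines to see who is flooding upstream DNS.

Added example for this thread (not the poster's code, not part of dnsmasq or
Asuswrt-Merlin). It reads the syslog lines dnsmasq writes with ``log-queries``
enabled and reports queries per LAN client, names forwarded upstream far more
often than they were answered (dnsmasq re-sending while an upstream such as a
DoT resolver is slow or down), and names forwarded again after an NXDOMAIN
answer, i.e. the queries a negative cache would have absorbed.
"""
import re
import sys
from collections import Counter

# Syslog prefix (hostname optional; Merlin's log omits it), then the dnsmasq
# or dnsmasq-dhcp tag and the message text.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?:\S+ )?dnsmasq(?:-dhcp)?\[\d+\]: (?P<msg>.*)$"
)
# Message shapes dnsmasq prints when log-queries is on.
QUERY_RE = re.compile(r"^query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<client>\S+)$")
FORWARD_RE = re.compile(r"^forwarded (?P<name>\S+) to (?P<server>\S+)$")
REPLY_RE = re.compile(r"^(?P<src>reply|cached) (?P<name>\S+) is (?P<answer>.+)$")

# Constructed sample, not taken from the original poster's router.
# 192.168.1.50 asks for api.example.com four times in four seconds and every
# ask is forwarded before a single reply arrives; 192.168.1.20 asks for
# wpad.lan twice and both go upstream although the first answer was NXDOMAIN;
# 192.168.1.30 is answered from cache. 127.0.1.1 stands in for the upstream.
SAMPLE_LOG = """\
Apr 17 12:37:51 kernel: nvram: consolidating space!
Apr 17 12:37:51 dnsmasq[1234]: query[A] api.example.com from 192.168.1.50
Apr 17 12:37:51 dnsmasq[1234]: forwarded api.example.com to 127.0.1.1
Apr 17 12:37:52 dnsmasq[1234]: query[A] api.example.com from 192.168.1.50
Apr 17 12:37:52 dnsmasq[1234]: forwarded api.example.com to 127.0.1.1
Apr 17 12:37:53 dnsmasq[1234]: query[A] api.example.com from 192.168.1.50
Apr 17 12:37:53 dnsmasq[1234]: forwarded api.example.com to 127.0.1.1
Apr 17 12:37:54 dnsmasq[1234]: query[A] api.example.com from 192.168.1.50
Apr 17 12:37:54 dnsmasq[1234]: forwarded api.example.com to 127.0.1.1
Apr 17 12:37:55 dnsmasq[1234]: reply api.example.com is 203.0.113.10
Apr 17 12:38:01 dnsmasq[1234]: query[A] wpad.lan from 192.168.1.20
Apr 17 12:38:01 dnsmasq[1234]: forwarded wpad.lan to 127.0.1.1
Apr 17 12:38:01 dnsmasq[1234]: reply wpad.lan is NXDOMAIN
Apr 17 12:38:09 dnsmasq[1234]: query[A] wpad.lan from 192.168.1.20
Apr 17 12:38:09 dnsmasq[1234]: forwarded wpad.lan to 127.0.1.1
Apr 17 12:38:09 dnsmasq[1234]: reply wpad.lan is NXDOMAIN
Apr 17 12:38:20 dnsmasq[1234]: query[A] www.example.org from 192.168.1.30
Apr 17 12:38:20 dnsmasq[1234]: cached www.example.org is 198.51.100.7
Apr 17 12:38:21 dnsmasq-dhcp[1234]: DHCPACK(br0) 192.168.1.30 aa:bb:cc:dd:ee:ff laptop
"""


def analyse(lines):
    """Return per-client and per-name counters for an iterable of log lines."""
    stats = {
        "queries_per_client": Counter(),
        "forwarded_per_name": Counter(),
        "replies_per_name": Counter(),
        "cached_per_name": Counter(),
        "nxdomain_reforwarded": Counter(),
        "other": 0,     # dnsmasq lines that are not query/forward/reply (DHCP etc.)
        "unparsed": 0,  # lines that are not from dnsmasq at all
    }
    nxdomain_names = set()
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            stats["unparsed"] += 1
            continue
        msg = m.group("msg")
        q = QUERY_RE.match(msg)
        if q:
            stats["queries_per_client"][q.group("client")] += 1
            continue
        f = FORWARD_RE.match(msg)
        if f:
            name = f.group("name")
            stats["forwarded_per_name"][name] += 1
            # TTL is ignored, so this is an upper bound on what a negative
            # cache would have saved.
            if name in nxdomain_names:
                stats["nxdomain_reforwarded"][name] += 1
            continue
        r = REPLY_RE.match(msg)
        if r:
            name = r.group("name")
            if r.group("src") == "cached":
                stats["cached_per_name"][name] += 1
            else:
                stats["replies_per_name"][name] += 1
                if r.group("answer") == "NXDOMAIN":
                    nxdomain_names.add(name)
            continue
        stats["other"] += 1
    return stats


def top_clients(stats, n=5):
    """Clients by query count, busiest first."""
    return stats["queries_per_client"].most_common(n)


def retry_suspects(stats, min_gap=2):
    """Names forwarded upstream at least min_gap more times than answered."""
    out = []
    for name, fwd in stats["forwarded_per_name"].items():
        replies = stats["replies_per_name"][name]
        if fwd - replies >= min_gap:
            out.append((name, fwd, replies))
    out.sort(key=lambda t: t[1] - t[2], reverse=True)
    return out


def report(stats):
    """Human-readable summary of the counters."""
    lines = ["queries per client:"]
    lines += [f"  {client:<18} {n}" for client, n in top_clients(stats)]
    lines.append("forwarded repeatedly without replies (name, forwarded, replied):")
    lines += [f"  {name} {fwd} {rep}" for name, fwd, rep in retry_suspects(stats)]
    lines.append("forwards a negative cache would have absorbed:")
    lines += [f"  {name} {n}" for name, n in stats["nxdomain_reforwarded"].most_common()]
    lines.append(f"other dnsmasq lines: {stats['other']}, non-dnsmasq lines: {stats['unparsed']}")
    return "\n".join(lines)


if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. python3 dns_flood.py /tmp/syslog.log
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            print(report(analyse(fh)))
    else:
        print(report(analyse(SAMPLE_LOG.splitlines())))
```

Run it against the router's syslog during one of the 40k-request windows and the busiest client is the first thing printed; a name that shows up under "forwarded repeatedly without replies" with a large gap is the signature of dnsmasq re-sending to an upstream that is not answering in time, which is also what makes one client query appear several times on the provider's side. The NXDOMAIN section is only an upper bound because the script ignores TTLs, but a long list there is the case EmeraldDeer's negative-caching override addresses. The sample output for the embedded lines lists 192.168.1.50 with 4 queries, api.example.com forwarded 4 times with 1 reply, and wpad.lan re-forwarded once.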

EmeraldDeer

Very Senior Member
  • You don't want the router doing DNSSEC, you want the DNS provider to do that for you and set a DNSSEC bit in the responses. If I take a DNSSEC test, it succeeds even though my router is not doing it.
  • I have IPv6 enabled. I get double the DoT servers round-robined as a result.
  • I do not want to use a vendor written plugin on my router, I want the standard Merlin firmware to handle this
  • I can't imagine a valid reason to send all of your router's traffic over a VPN
 

EmeraldDeer

Very Senior Member
  • I prefer the Internet test to be a ping rather than a DNS lookup
 

Frostwolf

New Around Here
DNSSEC is off on the router; NextDNS is a validating DNSSEC resolver.
Only one device is using OpenVPN and the VPN DNS; if that tunnel goes down, that device is blocked until it's restored.
I'm not using any vendor add-in/plugin at all, only features built in to Merlin.
A few devices are set up to use DNSFilter, such as Roku and Google Home set to use 8.8.8.8; Hulu will error out if it can't get to the ads.

When this happened yesterday, there was nearly nothing turned on or even hooked up. We were rearranging everything; the only things hooked up were a Fortinet 60E I use for VPN to work (isolated from my network), a Synology NAS, and a couple of Android phones that weren't being used. All the computers were off or unplugged. I didn't even notice it had gone bonkers for 4.5 hours due to moving everything.

I've been seeing the "nvram: consolidating space" messages in the logs a few times, with no DNS failures matching the times of those log entries either.

I've disabled DoS protection in Merlin; so far DNSMASQ is behaving after 12 hours. I'll report back if this seems to fix it.
 

Frostwolf

New Around Here
85 hours, and 386.2_2 has been stable once I disabled DoS under Firewall.
142 hours in, still no flooding issues since turning off DoS under the firewall settings. However, trouble with DNS had me restart DNSMASQ to troubleshoot, and it didn't help my current issue. So the issue I opened this thread with appears solved.

My new issue appears to be related to the DNS service itself, so I added Adguard back to my list of DoT servers to fix the new issue.
 

Pierre Nakashian

Occasional Visitor
I started having weird DNS issues since I upgraded to 386.2_2. I have an ASUS RT-AC5300 behind a gigabit AT&T router; the Netflix app on Fire TV can't connect to 2 of 3 Netflix servers, so it won't start, but the Netflix app on Apple TV is fine. The only solution I've found is to disable "Connect to DNS Server automatically" in WAN and change "DNS Server2" to 8.8.8.8.
I left DNS Server1 pointing to the AT&T DNS that I saw the upstream router has.

Also, rebooting the ASUS router sometimes wasn't getting a working DNS, so my entire home could not connect to the internet. Setting one of the DNS servers to 8.8.8.8 seems to be helping. Disabling DoS under firewall didn't help. Changing DHCP query frequency to "Normal Mode" from "Aggressive Mode" didn't help.

I don't see any fixes to DNS in 386.2_4.

I had another RT-68u set up in AP mode; the 2 routers could not see each other, but I could SSH from my laptop to both. I had to factory reset the RT-68u and configure everything manually to get it to work properly with 386.2_2; restoring saved settings from pre-386.2_2 brought the flakiness back to the RT-68u.

I'll have to bite the bullet and factory reset the RT-AC5300. This is the first firmware I've had to do that for.
 

Frostwolf

New Around Here
Yeah, this firmware 386.2_2 has something going on with DNS for sure; it's been less reliable. I still have my DNS split between NextDNS (primary) and AdGuard (secondary). I think I will have to wipe it to factory and set it back up from scratch as well. I'm going to try one thing first, when I get time: https://github.com/nextdns/nextdns/wiki/AsusWRT-Merlin, and set that up next.

As far as my original issue goes though, I've not flooded the DNS server anymore. The wiped settings could resolve the DoS issue as well.
 
