Topic: Why all the UDP packets to DNS?
« on: November 24, 2011, 04:33:37 »
nyan *
Posts: 2

I have an unusual problem with m0n0wall.
The router on which m0n0wall is installed is sending large numbers
of UDP packets to my ISP's DNS.
It isn't any computer doing this, because it happens even when all
computers are disconnected and only my routers are running.
It stops when I disconnect the m0n0wall router.
Let me explain the setup I have.

Between the internet connection and my m0n0wall box is a Netgear FVS328.
Behind that, on a private address range, is my m0n0wall box.

The LAN address on the Netgear is 172.16.5.254.

The WAN address of my m0n0wall is 172.16.5.3.

Here is a sample of the logs from the FVS328:

[Wed, 2011-11-23 19:31:11] - UDP Packet - Source:172.16.5.3,64848 ,LAN - Destination:194.168.4.100,53[DNS] ,WAN [Forward] - [Outbound Default rule match]
[Wed, 2011-11-23 19:31:11] - UDP Packet - Source:172.16.5.3,64712 ,LAN - Destination:194.168.4.100,53[DNS] ,WAN [Forward] - [Outbound Default rule match]
[Wed, 2011-11-23 19:31:12] - UDP Packet - Source:172.16.5.3,65194 ,LAN - Destination:194.168.4.100,53[DNS] ,WAN [Forward] - [Outbound Default rule match]
[Wed, 2011-11-23 19:31:14] - UDP Packet - Source:172.16.5.3,64875 ,LAN - Destination:194.168.4.100,53[DNS] ,WAN [Forward] - [Outbound Default rule match]
[Wed, 2011-11-23 19:31:15] - UDP Packet - Source:172.16.5.3,65117 ,LAN - Destination:194.168.4.100,53[DNS] ,WAN [Forward] - [Outbound Default rule match]
[Wed, 2011-11-23 19:31:16] - UDP Packet - Source:172.16.5.3,65526 ,LAN - Destination:194.168.4.100,53[DNS] ,WAN [Forward] - [Outbound Default rule match]
[Wed, 2011-11-23 19:31:17] - UDP Packet - Source:172.16.5.3,65424 ,LAN - Destination:194.168.4.100,53[DNS] ,WAN [Forward] - [Outbound Default rule match]
[Wed, 2011-11-23 19:31:17] - UDP Packet - Source:172.16.5.3,65475 ,LAN - Destination:194.168.4.100,53[DNS] ,WAN [Forward] - [Outbound Default rule match]
[Wed, 2011-11-23 19:31:19] - UDP Packet - Source:172.16.5.3,64652 ,LAN - Destination:194.168.4.100,53[DNS] ,WAN [Forward] - [Outbound Default rule match]
[Wed, 2011-11-23 19:31:25] - UDP Packet - Source:172.16.5.3,64975 ,LAN - Destination:194.168.4.100,53[DNS] ,WAN [Forward] - [Outbound Default rule match]
[Wed, 2011-11-23 19:31:25] - UDP Packet - Source:172.16.5.3,65162 ,LAN - Destination:194.168.4.100,53[DNS] ,WAN [Forward] - [Outbound Default rule match]
[Wed, 2011-11-23 19:31:26] - UDP Packet - Source:172.16.5.3,65431 ,LAN - Destination:194.168.4.100,53[DNS] ,WAN [Forward] - [Outbound Default rule match]
[Wed, 2011-11-23 19:31:27] - UDP Packet - Source:172.16.5.3,64831 ,LAN - Destination:194.168.4.100,53[DNS] ,WAN [Forward] - [Outbound Default rule match]
[Wed, 2011-11-23 19:31:28] - UDP Packet - Source:172.16.5.3,64951 ,LAN - Destination:194.168.4.100,53[DNS] ,WAN [Forward] - [Outbound Default rule match]
[Wed, 2011-11-23 19:31:28] - UDP Packet - Source:172.16.5.3,65396 ,LAN - Destination:194.168.4.100,53[DNS] ,WAN [Forward] - [Outbound Default rule match]
[Wed, 2011-11-23 19:31:30] - UDP Packet - Source:172.16.5.3,65391 ,LAN - Destination:194.168.4.100,53[DNS] ,WAN [Forward] - [Outbound Default rule match]
[Wed, 2011-11-23 19:31:31] - UDP Packet - Source:172.16.5.3,65254 ,LAN - Destination:194.168.4.100,53[DNS] ,WAN [Forward] - [Outbound Default rule match]
[Wed, 2011-11-23 19:31:32] - UDP Packet - Source:172.16.5.3,65158 ,LAN - Destination:194.168.4.100,53[DNS] ,WAN [Forward] - [Outbound Default rule match]
[Wed, 2011-11-23 19:31:33] - UDP Packet - Source:172.16.5.3,64842 ,LAN - Destination:194.168.4.100,53[DNS] ,WAN [Forward] - [Outbound Default rule match]
[Wed, 2011-11-23 19:31:33] - UDP Packet - Source:172.16.5.3,65177 ,LAN - Destination:194.168.4.100,53[DNS] ,WAN [Forward] - [Outbound Default rule match]

This is a concern because this is continuous and IMHO should not be happening. I am only hoping my ISP doesn't think I am trying to DoS their DNS servers.

What am I overlooking in the m0n0wall setup?

Again, I repeat: this happens even when there are no computers connected via any means to the network and stops when the m0n0wall device is switched off.
It does not happen with any other routers I have.
« Last Edit: November 24, 2011, 04:35:56 by nyan »
« Reply #1 on: November 24, 2011, 04:58:50 »
nyan *
Posts: 2

OK, I solved this by making the WAN interface a static address and setting the Netgear router
as the default DNS on the m0n0wall "General Setup" page.

It is now pinging my Netgear router but at least it's not hassling my ISP's DNS anymore,
at least I don't think it is.

Now I just need a solution to stop it querying my Netgear router all the time.
« Reply #2 on: November 29, 2011, 04:49:49 »
cmb *****
Posts: 851

The only way I can think of that m0n0wall will send out that many DNS queries is if something is using its DNS forwarder and it's trying to resolve names for that host. Getting a packet capture of what the actual DNS queries are would be helpful. m0n0wall itself will only resolve names for a very few things, one of which would be the NTP time sync (which wouldn't happen anywhere near that frequently for a long period), and if you have FQDNs defined in IPsec.
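
Added example, not part of the original posts: a small parser for the FVS328 log format shown in the first post, which measures how fast one host is sending UDP/53 packets to one resolver. The sample input is the first five log lines copied from that post; the names `parse` and `dns_summary` are made up for this illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# First five log lines copied from the first post (FVS328 firewall log format).
SAMPLE = """\
[Wed, 2011-11-23 19:31:11] - UDP Packet - Source:172.16.5.3,64848 ,LAN - Destination:194.168.4.100,53[DNS] ,WAN [Forward] - [Outbound Default rule match]
[Wed, 2011-11-23 19:31:11] - UDP Packet - Source:172.16.5.3,64712 ,LAN - Destination:194.168.4.100,53[DNS] ,WAN [Forward] - [Outbound Default rule match]
[Wed, 2011-11-23 19:31:12] - UDP Packet - Source:172.16.5.3,65194 ,LAN - Destination:194.168.4.100,53[DNS] ,WAN [Forward] - [Outbound Default rule match]
[Wed, 2011-11-23 19:31:14] - UDP Packet - Source:172.16.5.3,64875 ,LAN - Destination:194.168.4.100,53[DNS] ,WAN [Forward] - [Outbound Default rule match]
[Wed, 2011-11-23 19:31:15] - UDP Packet - Source:172.16.5.3,65117 ,LAN - Destination:194.168.4.100,53[DNS] ,WAN [Forward] - [Outbound Default rule match]
"""

LINE_RE = re.compile(
    r"\[\w{3}, (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] - "
    r"(?P<proto>\w+) Packet - "
    r"Source:(?P<src>[\d.]+),(?P<sport>\d+) ,\w+ - "
    r"Destination:(?P<dst>[\d.]+),(?P<dport>\d+)"
)

def parse(text):
    """Yield (timestamp, proto, src, sport, dst, dport); skip unparseable lines."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            yield ts, m["proto"], m["src"], int(m["sport"]), m["dst"], int(m["dport"])

def dns_summary(text):
    """Per (source, resolver) pair: UDP/53 packet count, time span, rate, ports."""
    flows = defaultdict(list)
    for ts, proto, src, sport, dst, dport in parse(text):
        if proto == "UDP" and dport == 53:
            flows[(src, dst)].append((ts, sport))
    summary = {}
    for pair, hits in flows.items():
        times = [t for t, _ in hits]
        span = (max(times) - min(times)).total_seconds()
        summary[pair] = {
            "packets": len(hits),
            "span_s": span,
            # Rate over the observed window; None if all hits share one second.
            "per_min": round(len(hits) / span * 60, 1) if span else None,
            "distinct_sports": len({port for _, port in hits}),
        }
    return summary
```

The firewall log records only addresses and ports, so this gives the rate and the source but not the names being queried; those only appear in a packet capture of the DNS traffic itself.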