/IP/Firewall/Connections full of DNS queries

Hi, I am not sure how best to ask about this, and I have now partially solved the problem - if indeed it is a problem!
I have been seeing hundreds of DNS requests in my firewall connections table. They have a timeout of about 3 minutes and as soon as they time out, they are replaced by more. I normally have 20-60 connections on my network, but recently I have been seeing 500-600. Nearly all from my own desktop to my Mikrotik router (RB2011) UDP port 53.
I started suspecting an amplification attack, although packet sizes were small and they originate from inside my network to the router.

Eventually, I ran Wireshark on the desktop (filtering for DNS requests only) and found that all of these persistent requests were lookups for the hostname “router”. This is the name I gave my RB2011 and set up the A record in the Static DNS on this router. (Can you see where this is going…?) I happen to be logging into the router using WebFig using the hostname as the URL instead of the IP address. It seems WebFig is continually asking the DNS to look up every time an update happens!

Can anyone tell me if this is entirely as expected, or if I have misconfigured DNS settings on the router? I realise I have not provided any specific info, but if you need any I will provide it.
Feel free to poke fun and laugh at a rookie error!!
Thanks.

Nothing to laugh at. Just tried the same and got the same result.

It’s actually not a matter of WebFig but of the browser which keeps asking for an IPv6 translation (AAAA record) of the DNS name although it has got the IPv4 translation (A record), and the Mikrotik which does respond to the AAAA queries but provides no address in the response. So if you do use IPv6, add another /ip dns static row with the IPv6 address of the router; if you don’t, you can set any formally correct IPv6 address. Even if the ipv6 package is not enabled on your router, /ip dns static rows with IPv6 addresses can be added.

Thanks very much for the explanation! I had seen pairs of A and AAAA requests in Wireshark, but hadn’t realised that IPv6 was the culprit! Looking closer there were no IP addresses in the response to the AAAA requests as you pointed out.
I don’t use IPv6 at all, so (I’m using Firefox) I disabled IPv6 resolution in the Firefox settings and now I’m seeing only A record lookups. WebFig still seems to be requesting lookups on every refresh, but the timeout is now only 5 seconds, so they are taken down and replaced much quicker, leaving a reasonable number of open connections.
This leaves the question, why was the timeout 3 minutes for the AAAA requests? As I understand it, DNS requests should have a timeout of 5 seconds. Where is this set? (router/browser/OS?)
Thanks,
Neil.

That’s strange enough on its own. Normally, the application asks via the OS, which caches the answers for the time indicated in the answer itself (the Time To Live field). In RouterOS, if you don’t specify any TTL when adding the /ip dns static row, it is set to 1d. So unless you’ve manually set it to 5s, you should not see a query for it every 5 seconds even if the application (browser) was asking that often, as the DNS cache only forwards the query to the external server if the previously received answer has expired in the cache.

I think the problem was that the AAAA answer was coming but wasn’t useful. Hence it wasn’t cached, and whenever the WebFig JavaScript asked to open a new session, a new AAAA query was created. Whether Firefox tracks this and stops asking for a particular AAAA record if it consistently keeps receiving useless answers for 3 minutes is beyond my knowledge.
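The caching behaviour discussed in the last two replies can be checked without a router. The script below is an added example, not code from the thread or from MikroTik: it builds four constructed DNS responses for the name “router” (an A answer, a positive AAAA answer, the empty NOERROR AAAA answer the router was returning, and the same empty answer with an SOA record in the authority section) and applies the RFC 2308 negative-caching rule to each. A NOERROR response with zero answers and no SOA (a “NODATA” answer) carries no TTL a resolver could cache, so every new WebFig request produces a fresh AAAA query and a fresh connection-tracking entry; the same answer with an SOA would be cached for min(SOA TTL, SOA MINIMUM). The addresses 192.168.88.1 and fd00::1 and the SOA values are assumed sample data.

```python
"""Classify DNS responses and decide what a caching resolver may keep (RFC 2308)."""
import ipaddress
import struct

TYPE_A, TYPE_SOA, TYPE_AAAA = 1, 6, 28
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3


def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode()
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a name at offset, following compression pointers; returns (name, next_offset)."""
    labels = []
    while True:
        ln = msg[off]
        if ln == 0:
            return ".".join(labels), off + 1
        if ln & 0xC0 == 0xC0:                      # 2-byte compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = decode_name(msg, ptr)
            labels.append(tail)
            return ".".join(labels), off + 2
        labels.append(msg[off + 1:off + 1 + ln].decode())
        off += 1 + ln


def build_response(txid, qname, qtype, rcode, answers=(), authority=()):
    """Build a wire-format response with one question; records are (name, type, ttl, rdata)."""
    flags = 0x8180 | rcode                         # QR=1, RD=1, RA=1, plus RCODE
    hdr = struct.pack("!HHHHHH", txid, flags, 1, len(answers), len(authority), 0)
    body = encode_name(qname) + struct.pack("!HH", qtype, 1)
    for name, rtype, ttl, rdata in list(answers) + list(authority):
        body += encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return hdr + body


def parse_response(msg):
    """Parse header, question, answer and authority sections of a DNS response."""
    _, flags, qd, an, ns, _ = struct.unpack("!HHHHHH", msg[:12])
    off, qname, qtype = 12, "", 0
    for _ in range(qd):
        qname, off = decode_name(msg, off)
        qtype, _ = struct.unpack("!HH", msg[off:off + 4])
        off += 4
    records = {"answer": [], "authority": []}
    for section, count in (("answer", an), ("authority", ns)):
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            records[section].append((name, rtype, ttl, msg[off:off + rdlen]))
            off += rdlen
    return {"rcode": flags & 0xF, "qname": qname, "qtype": qtype, **records}


def cache_decision(resp):
    """Return (kind, cache_ttl). Positive answers cache for the smallest answer TTL; NODATA and
    NXDOMAIN cache only when an SOA is in the authority section, for min(SOA TTL, SOA MINIMUM).
    A cache_ttl of None means the client has nothing to remember and will ask again next time."""
    if resp["rcode"] == RCODE_NOERROR and resp["answer"]:
        return "positive", min(ttl for _, _, ttl, _ in resp["answer"])
    kind = "nxdomain" if resp["rcode"] == RCODE_NXDOMAIN else "nodata"
    soa = [r for r in resp["authority"] if r[1] == TYPE_SOA]
    if not soa:
        return kind, None
    _, _, soa_ttl, rdata = soa[0]
    minimum = struct.unpack("!I", rdata[-4:])[0]   # MINIMUM is the last field of SOA rdata
    return kind, min(soa_ttl, minimum)


# Constructed sample responses (assumed addresses, not captured traffic).
def sample_a_answer():
    return build_response(0x1234, "router", TYPE_A, RCODE_NOERROR,
                          answers=[("router", TYPE_A, 86400, ipaddress.IPv4Address("192.168.88.1").packed)])


def sample_aaaa_answer():
    return build_response(0x1235, "router", TYPE_AAAA, RCODE_NOERROR,
                          answers=[("router", TYPE_AAAA, 86400, ipaddress.IPv6Address("fd00::1").packed)])


def sample_empty_aaaa():
    # NOERROR, zero answers, no SOA: the "useless" AAAA answer described in the thread.
    return build_response(0x1236, "router", TYPE_AAAA, RCODE_NOERROR)


def sample_nodata_with_soa():
    soa_rdata = encode_name("router") + encode_name("hostmaster.router") + \
        struct.pack("!IIIII", 1, 3600, 600, 86400, 300)   # serial, refresh, retry, expire, minimum
    return build_response(0x1237, "router", TYPE_AAAA, RCODE_NOERROR,
                          authority=[("router", TYPE_SOA, 3600, soa_rdata)])


if __name__ == "__main__":
    for fn in (sample_a_answer, sample_aaaa_answer, sample_empty_aaaa, sample_nodata_with_soa):
        resp = parse_response(fn())
        print(fn.__name__, resp["qtype"], cache_decision(resp))
```

The first reply's fix (a static AAAA row for the router) turns the third case into the second, so the browser's AAAA query is answered with a record carrying the 1d TTL and the repeated lookups stop; the fourth case shows what a resolver would need from the server to cache the negative answer instead.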