mrzipf2
just joined
Topic Author
Posts: 24
Joined: Sun Mar 12, 2017 1:44 pm

Looking up cloud.mikrotik.com every second

Mon Aug 27, 2018 12:11 am

Hi all

We have 2 mikrotik routers in our home - a Hex POE and a Wap AC. We just moved home and ISP and switched to use OpenDNS to provide family controls. OpenDNS provides stats on number of DNS queries. For the four days since we've moved to OpenDNS we have ~172,800 DNS lookups per day for cloud.mikrotik.com. Both devices are running v6.42.7.

As a first "fix", I followed the instructions here to make sure IP/cloud was disabled on both devices:

viewtopic.php?t=110904

It made no difference. I added a static DNS entry and this made no difference either.

Any ideas on why so many requests?

Thanks
 
Steveocee
Forum Guru
Posts: 1110
Joined: Tue Jul 21, 2015 10:09 pm
Location: UK

Re: Looking up cloud.mikrotik.com every second

Mon Aug 27, 2018 11:18 pm

Under the IP>Cloud setting, check to see if the time update function is ticked (by default it usually is) as this will keep looking time up. Enter your chosen NTP server in System>SNTP client instead.

That "should" sort it.
Steve "Steveocee" Carter
PC Gamer, Airsofter, MikroTik Nerd
My Website - My MikroTik Tutorials
 
mrzipf2
just joined
Topic Author
Posts: 24
Joined: Sun Mar 12, 2017 1:44 pm

Re: Looking up cloud.mikrotik.com every second

Wed Aug 29, 2018 12:01 am

Thanks Steve

I think I'm starting from about where you suggest:

/ip cloud print
ddns-enabled: no
update-time: no

/system ntp client print
enabled: yes
primary-ntp: 139.143.5.30
secondary-ntp: 193.150.34.2
server-dns-names:
mode: unicast
poll-interval: 15m
active-server: 193.150.34.2
last-update-from: 193.150.34.2
last-update-before: 14m54s40ms
last-adjustment: 10ms293us

I spent some time packet sniffing and all the requests come from our gateway router (Hex POE) and are emitted directly into the PPPoE connection. There are concurrent requests for cloud.mikrotik.com to both configured OpenDNS servers. The observed request rate was lower than the OpenDNS stats suggest (172,396 requests from our static IP yesterday).

One setting that looks wrong is not accepting remote DNS requests (currently false). I'll toggle this and see if it has any impact.

Thanks
Mr Zipf
 
mrzipf2
just joined
Topic Author
Posts: 24
Joined: Sun Mar 12, 2017 1:44 pm

Re: Looking up cloud.mikrotik.com every second

Sun Sep 02, 2018 11:58 am

As a follow-up, the rate of DNS requests for cloud.mikrotik.com reported by OpenDNS has dropped down to just 1400 per day.

It appears to have done this just at the time I started streaming packet captures. I have no traces with the peak rate.

In those traces, I see queries for cloud.mikrotik.com going to both OpenDNS servers configured, but also to the Google public DNS 8.8.8.8 (which is not configured)?

What are the steps to disable this feature entirely? We have all the options here set to no (and a fixed IP address):

https://wiki.mikrotik.com/wiki/Manual:IP/Cloud

Thanks
 
mrzipf2
just joined
Topic Author
Posts: 24
Joined: Sun Mar 12, 2017 1:44 pm

Re: Looking up cloud.mikrotik.com every second

Wed Oct 10, 2018 9:28 pm

Puzzling update. For no obvious reason, my mikrotik hardware with IP/cloud disabled is back to generating tens of thousands of DNS requests to cloud.mikrotik.com.

So far today 129,442 DNS requests for cloud.mikrotik.com and yesterday 88,907. Two days ago it was idling at 1,442 requests per day and three days ago at 1,441.

No config changes during this time. All three boxes have IP cloud ddns disabled and have SNTP configured. RouterOS 6.42.3 (stable).

This appears to be the reference for configuring this feature:
https://wiki.mikrotik.com/wiki/Manual:IP/Cloud

Does anyone from Mikrotik know why this feature does not turn off? And seemingly sends periodic packet floods?

Thanks
 
Steveocee
Forum Guru
Posts: 1110
Joined: Tue Jul 21, 2015 10:09 pm
Location: UK

Re: Looking up cloud.mikrotik.com every second

Thu Oct 11, 2018 10:56 am

As a temporary workaround, have you tried making cloud.mikrotik a DNS static entry in the main router and sending the traffic nowhere? It may remove the flood of outbound DNS but obviously won't stop it as such.
Steve "Steveocee" Carter
PC Gamer, Airsofter, MikroTik Nerd
My Website - My MikroTik Tutorials
 
solar77
Member
Posts: 437
Joined: Thu Feb 04, 2016 11:42 am
Location: Scotland

Re: Looking up cloud.mikrotik.com every second

Thu Oct 11, 2018 12:53 pm

I've checked on multiple routers we manage; there is no record of cloud.mikrotik.com, so it either does not use this URL or it's used less frequently.

Would be interesting to see if you can catch this traffic using a firewall rule and see where it is coming from.
MTCNA MTCTCE UEWA
 
mrzipf2
just joined
Topic Author
Posts: 24
Joined: Sun Mar 12, 2017 1:44 pm

Re: Looking up cloud.mikrotik.com every second

Sat Oct 13, 2018 9:37 am

I've configured all 3 Mikrotik boxes on our network to sniff DNS traffic and forward it to a host running tcpdump.

The requests for cloud.mikrotik.com appear directly on the PPPoE interface that's our link to the external world. No requests at all from the two other Mikrotik routers acting as bridges on the internal network.

The requests go not only to the configured DNS provider but also to Google's public DNS. The router is not configured to use Mikrotik's public DNS.

  /ip dns set allow-remote-requests=yes servers=208.67.222.222,208.67.222.220

And there are firewall rules to direct internal DNS requests to the DNS provider:

  /ip firewall nat
  add action=redirect chain=dstnat dst-port=53 in-interface=bridge protocol=tcp
  add action=redirect chain=dstnat dst-port=53 in-interface=bridge protocol=udp

There is also a static DNS cache entry for cloud.mikrotik.com:

  /ip dns static
  add address=10.0.0.1 name=router
  add address=81.198.87.240 comment="The repeating router address lookup." name=cloud.mikrotik.com ttl=1w

The requests happen at much shorter intervals than the 60 seconds advertised on https://wiki.mikrotik.com/wiki/Manual:IP/Cloud

  46725 42264.738922545 A.B.C.D → 208.67.222.222 DNS 125 Standard query 0x8ed0 A cloud.mikrotik.com
  46726 42264.752259820 208.67.222.222 → A.B.C.D DNS 141 Standard query response 0x8ed0 A cloud.mikrotik.com A 81.198.87.240
  46730 42282.798276192 A.B.C.D → 208.67.222.220 DNS 125 Standard query 0x93e4 A cloud.mikrotik.com
  46731 42282.811413416 208.67.222.220 → A.B.C.D DNS 141 Standard query response 0x93e4 A cloud.mikrotik.com A 81.198.87.240
  46732 42282.891949252 A.B.C.D → 8.8.8.8      DNS 125 Standard query 0xf123 A cloud.mikrotik.com
  46733 42282.904804655      8.8.8.8 → A.B.C.D DNS 141 Standard query response 0xf123 A cloud.mikrotik.com A 81.198.87.240

And this is a feature that the user has turned off per Mikrotik's wiki:

  /ip cloud> print
      ddns-enabled: no
       update-time: no
    public-address: 93.89.129.17
            status: updated

Naively, this looks broken. I manually forced a cloud update yesterday to see if this would quiet this feature. No joy.

Thanks
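
One way to check a capture like the one in the post above for the two symptoms it reports (queries leaving for resolvers that are not configured, and intervals shorter than the documented 60 seconds), as an added example that is not part of the original thread. The function name `summarize`, the regular expression and the embedded sample (the six tshark lines quoted in the post) are assumptions of this example.

```python
import re
from collections import Counter

# Sample input: the six tshark one-line records quoted in the post
# (A.B.C.D is the poster's redacted WAN address).
SAMPLE = """\
46725 42264.738922545 A.B.C.D → 208.67.222.222 DNS 125 Standard query 0x8ed0 A cloud.mikrotik.com
46726 42264.752259820 208.67.222.222 → A.B.C.D DNS 141 Standard query response 0x8ed0 A cloud.mikrotik.com A 81.198.87.240
46730 42282.798276192 A.B.C.D → 208.67.222.220 DNS 125 Standard query 0x93e4 A cloud.mikrotik.com
46731 42282.811413416 208.67.222.220 → A.B.C.D DNS 141 Standard query response 0x93e4 A cloud.mikrotik.com A 81.198.87.240
46732 42282.891949252 A.B.C.D → 8.8.8.8      DNS 125 Standard query 0xf123 A cloud.mikrotik.com
46733 42282.904804655      8.8.8.8 → A.B.C.D DNS 141 Standard query response 0xf123 A cloud.mikrotik.com A 81.198.87.240
"""

# Resolvers from the post's "/ip dns set ... servers=" line.
CONFIGURED = {"208.67.222.222", "208.67.222.220"}

# frame number, relative time, src, arrow, dst, "DNS", length, info column
LINE = re.compile(
    r"^\s*\d+\s+(?P<ts>\d+\.\d+)\s+(?P<src>\S+)\s+(?:→|->)\s+(?P<dst>\S+)"
    r"\s+DNS\s+\d+\s+Standard query (?P<resp>response )?0x[0-9a-f]+"
    r"\s+(?P<qtype>\S+)\s+(?P<qname>\S+)"
)

def summarize(text, qname, configured, expected_interval=60.0):
    """Count outbound queries for qname per resolver and measure their spacing."""
    per_resolver = Counter()
    stamps = []
    for line in text.splitlines():
        m = LINE.match(line)
        # Skip unparsable lines, responses, and queries for other names.
        if not m or m["resp"] or m["qname"].lower() != qname.lower():
            continue
        per_resolver[m["dst"]] += 1
        stamps.append(float(m["ts"]))
    stamps.sort()
    gaps = [b - a for a, b in zip(stamps, stamps[1:])]
    mean_gap = sum(gaps) / len(gaps) if gaps else None
    return {
        "queries": sum(per_resolver.values()),
        "per_resolver": dict(per_resolver),
        # Destinations that received queries but are not configured resolvers.
        "unexpected_resolvers": sorted(set(per_resolver) - set(configured)),
        "mean_gap_s": mean_gap,
        "faster_than_expected": mean_gap is not None and mean_gap < expected_interval,
    }

if __name__ == "__main__":
    print(summarize(SAMPLE, "cloud.mikrotik.com", CONFIGURED))
```

Run against a full capture export rather than this six-line excerpt, the per-resolver counts can be compared directly with the daily totals the DNS provider reports.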
 
Steveocee
Forum Guru
Posts: 1110
Joined: Tue Jul 21, 2015 10:09 pm
Location: UK

Re: Looking up cloud.mikrotik.com every second

Sun Oct 14, 2018 9:37 am

Is there a chance of running 6.43? There is a new implementation of IP cloud and it may be a "legacy" feature.
Steve "Steveocee" Carter
PC Gamer, Airsofter, MikroTik Nerd
My Website - My MikroTik Tutorials
 
mrzipf2
just joined
Topic Author
Posts: 24
Joined: Sun Mar 12, 2017 1:44 pm

Re: Looking up cloud.mikrotik.com every second

Sun Oct 14, 2018 11:09 am

In the DNS traffic flare reported in the recent posts (October), the Mikrotik boxes are running 6.43.2.

Curiously, the number of DNS requests made for cloud.mikrotik.com has gone back down to the background level: The only changes on the box in that time are to use the force update cloud option and turn on packet sniffing.


Aside from the DNS storms, I feel strongly about the feature:
  • generating any traffic at all when disabled.
  • not respecting the configured DNS settings.
Thanks
MrZipf
 
msatter
Forum Guru
Posts: 1338
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Looking up cloud.mikrotik.com every second

Sun Oct 14, 2018 11:39 am

I had that with two other domains in the past weeks and will try to make a support file when it happens again.
Two RB760iGS (hEX S) in series. One does PPPoE and both do IKEv2.
Running:
RouterOS 6.46Beta68 / Winbox 3.20 / MikroTik APP 1.3.7
Having an Android device, use https://github.com/M66B/NetGuard/releases (no root required)
 
mrzipf2
just joined
Topic Author
Posts: 24
Joined: Sun Mar 12, 2017 1:44 pm

Re: Looking up cloud.mikrotik.com every second

Thu Oct 25, 2018 8:32 pm

It's kicked off again this week, 172,000 requests for cloud.mikrotik.com to our DNS provider and a tonne to Google's public DNS too.
 
john4669
just joined
Posts: 21
Joined: Mon Oct 23, 2017 8:35 pm

Re: Looking up cloud.mikrotik.com every second

Sun Jan 27, 2019 6:51 am

Any resolution to this!? I am having the same problem. I am running 6.43.8. Have had over 50,000 dns queries just this afternoon. Cloud and time lookup also disabled. I am going to block it with pihole in the meantime.
 
SA0BJW
just joined
Posts: 19
Joined: Sun Jul 07, 2013 12:51 am

Re: Looking up cloud.mikrotik.com every second

Tue Feb 26, 2019 10:03 pm

Same problem with two of my mAP-Lite:s. Both CapsMan clients, both connected to CapsMan Server by OVPN tunnel. Tons of DNS requests for cloud.mikrotik.com... Why?? How do I get rid of this problem?

Edit: I disabled the OVPN tunnel on one of the mAP-Lite units (6.43.12), and it stopped yelling for cloud.mikrotik.com.
 
strods
MikroTik Support
Posts: 1413
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: Looking up cloud.mikrotik.com every second

Thu Feb 28, 2019 9:07 am

There are several features in RouterOS which use the cloud.mikrotik.com or cloud2.mikrotik.com server.

1) Detect Interface feature:

If enabled on your router, then all interfaces that are configured under this tool will try to resolve the cloud server's domain name in order to detect Internet availability:

https://wiki.mikrotik.com/wiki/Manual:Detect_internet

"WAN interfaces that can reach cloud.mikrotik.com using UDP protocol port 30000 can obtain this state. Reachability is checked every minute. If the cloud is not reached for 3 minutes, the state falls back to WAN."

2) Cloud servers are used in order to determine your router's time zone based on your public IP address if your router settings require automatic time zone detection;

3) Cloud servers are used at bootup in order to synchronize time with the cloud server (only a single time after a reboot);

4) Cloud servers are used in order to determine your router's DDNS name if you use such a feature:

https://wiki.mikrotik.com/wiki/Manual:IP/Cloud

5) Starting from v6.44 you can save and download a backup by using a cloud server.

If none of the above explains why you see such traffic on your network, then please send your router's supout file to support@mikrotik.com. We will look into these cases individually.
 
normis
MikroTik Support
Posts: 24333
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Looking up cloud.mikrotik.com every second

Thu Feb 28, 2019 9:10 am

Could any one of you make a supout.rif file and send it to support, if you have those 175000 requests per day, or any other large number?
No answer to your question? How to write posts
 
john4669
just joined
Posts: 21
Joined: Mon Oct 23, 2017 8:35 pm

Re: Looking up cloud.mikrotik.com every second

Thu Feb 28, 2019 3:16 pm

Turning off "Detect Internet" solved it for me! Even so, it seems strange that DNS lookups would be required multiple times a second?
 
jompha
just joined
Posts: 1
Joined: Thu Feb 15, 2018 6:12 pm

Re: Looking up cloud.mikrotik.com every second

Mon Dec 02, 2019 8:38 am

How did you log this?
46725 42264.738922545 A.B.C.D → 208.67.222.222 DNS 125 Standard query 0x8ed0 A cloud.mikrotik.com
46726 42264.752259820 208.67.222.222 → A.B.C.D DNS 141 Standard query response 0x8ed0 A cloud.mikrotik.com A 81.198.87.240
46730 42282.798276192 A.B.C.D → 208.67.222.220 DNS 125 Standard query 0x93e4 A cloud.mikrotik.com
46731 42282.811413416 208.67.222.220 → A.B.C.D DNS 141 Standard query response 0x93e4 A cloud.mikrotik.com A 81.198.87.240
46732 42282.891949252 A.B.C.D → 8.8.8.8 DNS 125 Standard query 0xf123 A cloud.mikrotik.com
46733 42282.904804655 8.8.8.8 → A.B.C.D DNS 141 Standard query response 0xf123 A cloud.mikrotik.com A 81.198.87.240
