I just installed one HAP ac at one customer, they got NEW HP switch with fiber connection to internet from ISP, and its connected to my LAN1 port on Mikrotik which has fixed ip 192.168.1.3, than all is routed out thru LAN port 2 on mikrotik on range 192.168.100.0/24 to customers internal netowrk.

Now what i dont understand is that mikrotik constantly sends outgoing port 53 packets to google server 8.8.8.8(Its set as main under IP>DNS), making 100gb of upload traffic in only one week! Dont understand why its constantly sending this requests, dns caching is working properly it should only ping/send requests to DNS server when new address is requested or cache expires.

BTW i did try block input DNS ports on that interface, its picking very few packets here and there, so im not under some kinda of attack (DDOS).

Also i checked outgoing interface connected to customers network, it has 10x less traffic than LAN1 connected to ISP router, so this traffic indeed is only generated between Mikrotik and ISP router.

Anyone has any idea whats going on?

Check the DNS cache, but this is a likely explanation, depending on the number of clients using your DNS.

Check the DNS cache, but this is a likely explanation, depending on the number of clients using your DNS.

Even if u unplug entire network, meaning only Mikrotik leaves, this DNS requests still go .

And we are talking about like 20 clients max who use internet lightly, its impossible they do 100gb DNS traffic over week, they would need to request likie milions of different web pages to do that..

Check the DNS cache, but this is a likely explanation, depending on the number of clients using your DNS.

Even if u unplug entire network, meaning only Mikrotik leaves, this DNS requests still go .

And we are talking about like 20 clients max who use internet lightly, its impossible they do 100gb DNS traffic over week, they would need to request likie milions of different web pages to do that..

1. any chance that you use a (non-existent) domain name as an
   Code: Select all

   /ip firewall address-list

   address? Such items automatically resolve to IP addresses and I have no idea what is the retry interval if the response doesn't come or says "unknown".
2. can you sniff the uplink port into a .pcap file, filtering on UDP port 53, and see what the queries ask for using Wireshark?

Check the DNS cache, but this is a likely explanation, depending on the number of clients using your DNS.

Even if u unplug entire network, meaning only Mikrotik leaves, this DNS requests still go .

And we are talking about like 20 clients max who use internet lightly, its impossible they do 100gb DNS traffic over week, they would need to request likie milions of different web pages to do that..

1. any chance that you use a (non-existent) domain name as an
   Code: Select all

   /ip firewall address-list

   address? Such items automatically resolve to IP addresses and I have no idea what is the retry interval if the response doesn't come or says "unknown".
2. can you sniff the uplink port into a .pcap file, filtering on UDP port 53, and see what the queries ask for using Wireshark?

I do have alot if domains under adress-list, to control windows update servers and similar, but im using 100% the same address list in about 20 locations, and exactly the same clone of HAP AC configuration, and it doesnt happen on any of them.

Wireshark shows all standard query packets, and gets responding ip addresses resolved back , but i do see them repeating, even it already got proper ip adresses reported back, and domain and ip exist.
Still doesnt make sense, if it does return proper IP why is it repeating requests and not simple cashing it?Cache size is enough and i set it to 60048KiB, while in use its only 900KiB.

Also, currently is doing on average 200mb of traffic only on that 53 port in day, still doesnt explain how did it do 100 000 MB in one week, and it was over holidays nobody was even using internet.I have mangle/queue rule to show/control port 53 traffic, so i know exactly how much it consumed.

Wireshark shows all standard query packets, and gets responding ip addresses resolved back , but i do see them repeating, even it already got proper ip adresses reported back, and domain and ip exist.
Still doesnt make sense, if it does return proper IP why is it repeating requests and not simple cashing it?Cache size is enough and i set it to 60048KiB, while in use its only 900KiB.

If the responses to those repeating queries show normal record lifetimes, I would netinstall the device (or downgrade it and upgrade it back).

Wireshark shows all standard query packets, and gets responding ip addresses resolved back , but i do see them repeating, even it already got proper ip adresses reported back, and domain and ip exist.
Still doesnt make sense, if it does return proper IP why is it repeating requests and not simple cashing it?Cache size is enough and i set it to 60048KiB, while in use its only 900KiB.

If the responses to those repeating queries show normal record lifetimes, I would netinstall the device (or downgrade it and upgrade it back).

Mhm, i can try that, but ill wait first for Mikrotik support to check my suppout file maybe they notice something.

Thank you very much for your help!

what ros version is the hap ac?
it might be infected.

6.41rc52, doubt it's infected, it was installed 2 months ago, had latest version of os since installed, I have very stric firewall rules, I drop dns requests from net etc.. router has complex pass etc.

Well it simple stopped, now it had like 30mb dns traffic in a week, i did nothing, upgraded or even rebooted router.

Will monitor if it happens again.

Pretty sure that 'Firewall/Address Lists' generate the storm of local dns query.
If you use names in you 'Address List' resolving of it produce local dns query about every 20 sec.
Sometimes if 'Max. Concurrent Queries' not enough it leads to failed requests.

We need some kind of setting to limit such behavior of 'Firewall/Address Lists' !