 
Saleh9416
Frequent Visitor
Topic Author
Posts: 61
Joined: Wed Feb 03, 2016 6:21 am

DNS high CPU usage

Thu Nov 08, 2018 2:40 am

Hello!

I'm noticing a high CPU usage at different times of the day and after using the profile tool, it appeared DNS was the culprit! I checked DNS and noticed the cache is increasing rapidly and filled with weird entries.

I'm allowing remote requests and I already have a firewall rule to drop DNS requests from WAN.

I sent an email to support regarding this problem days ago, but they didn't reply!
 
mistry7
Forum Guru
Posts: 1330
Joined: Tue Oct 13, 2009 11:57 am
Location: Germany

Re: DNS high CPU usage

Thu Nov 08, 2018 4:17 am

 
Cvan
Member Candidate
Posts: 111
Joined: Sat Jun 09, 2018 3:32 am

Re: DNS high CPU usage

Thu Nov 08, 2018 4:30 am

I get the same unknown entries; except the entries are for internal nodes on intrAnet..
I already have the DNS firewall rules in place for WAN.. why do I get these UNKNOWN type entries in MT DNS cache??
 
Saleh9416
Frequent Visitor
Topic Author
Posts: 61
Joined: Wed Feb 03, 2016 6:21 am

Re: DNS high CPU usage

Thu Nov 08, 2018 4:37 am

mistry7 - I mentioned that I already have the rules to drop requests from WAN!
 
mistry7
Forum Guru
Posts: 1330
Joined: Tue Oct 13, 2009 11:57 am
Location: Germany

Re: DNS high CPU usage

Thu Nov 08, 2018 4:43 am

Export your DNS Config
 
Saleh9416
Frequent Visitor
Topic Author
Posts: 61
Joined: Wed Feb 03, 2016 6:21 am

Re: DNS high CPU usage

Thu Nov 08, 2018 5:09 am

/ip dns
set allow-remote-requests=yes cache-size=20480KiB max-concurrent-queries=300 \
    max-concurrent-tcp-sessions=80 servers=8.8.8.8,8.8.4.4
 
Shadeofspirit
Member Candidate
Posts: 204
Joined: Fri May 27, 2016 12:15 am
Location: Minsk
Contact:

Re: DNS high CPU usage

Thu Nov 08, 2018 7:34 am

/ip dns
set allow-remote-requests=yes cache-size=20480KiB max-concurrent-queries=300 \
    max-concurrent-tcp-sessions=80 servers=8.8.8.8,8.8.4.4
To look for the source of DNS traffic you can use torch.
Also, if you really have made firewall rules to block DNS requests from outside, don't forget that the order of rules is important in the firewall (for example, if there is a rule that "allows all" or something like that before the blocking rule, there is no sense in the blocking rule).
So, if in torch the source is outside your network, your rule doesn't work. If it is inside, check the source computer for viruses and other software.
MTCNA, MTCWE
 
Saleh9416
Frequent Visitor
Topic Author
Posts: 61
Joined: Wed Feb 03, 2016 6:21 am

Re: DNS high CPU usage

Thu Nov 08, 2018 9:01 am

Shadeofspirit - the rules are on top of the filter list! and I also used this site http://openresolver.com to make sure it works.

And I'm running an open hotspot service, so it won't be an easy task to check for viruses!
 
Saleh9416
Frequent Visitor
Topic Author
Posts: 61
Joined: Wed Feb 03, 2016 6:21 am

Re: DNS high CPU usage

Fri Nov 09, 2018 1:58 am

I used torch tool and didn't notice anything suspicious!

I don't know what's causing the problem and I guess MT support don't know either because they haven't replied yet and it's been a week!
 
Cvan
Member Candidate
Posts: 111
Joined: Sat Jun 09, 2018 3:32 am

Re: DNS high CPU usage

Fri Nov 09, 2018 4:43 am

Same here. I don't have high DNS CPU usage but I DO have the unknown TYPE DNS entries in cache all internal...
Don't know what is causing them. Infected PC on the intrAnet...? How can I debug this, how can I track to the root?
And what does the 'N' stand for in the first column of the DNS cache table?
 
Cvan
Member Candidate
Posts: 111
Joined: Sat Jun 09, 2018 3:32 am

Re: DNS high CPU usage

Fri Nov 09, 2018 4:56 am

Okay, so I enabled system logging for DNS and what I noticed was that DNS queries made by PCs on the internal domain 'host.mtdomain' are being sent out to the ISP's DNS servers for an answer and getting a reply back from the ISP's DNS servers with 'name error'. Maybe that is where the 0.0.0.0 is getting added with unknown..?

So #1: How do I tell the MT router to NOT send DNS queries for internal domains to the ISP DNS servers?
 
Cvan
Member Candidate
Posts: 111
Joined: Sat Jun 09, 2018 3:32 am

Re: DNS high CPU usage

Fri Nov 09, 2018 5:22 am

So after capturing some DNS logging to file I was able to pinpoint what looks like an infected PC that is sending random DNS queries for non-existent internal hosts; example: (jnyyhwarsradr.fic)
What to make of this?

dns,packet --- got query from 10.0.0.169:50391:
Nov/09/2018 14:12:35 dns,packet id:8e71 rd:1 tc:0 aa:0 qr:0 ra:0 QUERY 'no error'
Nov/09/2018 14:12:35 dns,packet question: jnyyhwarsradr.fic:A:IN
Nov/09/2018 14:12:35 dns query from 10.0.0.169: #16483371 jnyyhwarsradr.fic. A
Nov/09/2018 14:12:35 dns,packet --- sending udp query to 59.86.160.27:53:
Nov/09/2018 14:12:35 dns,packet id:f1fc rd:1 tc:0 aa:0 qr:0 ra:0 QUERY 'no error'
Nov/09/2018 14:12:35 dns,packet question: jnyyhwarsradr.fic:A:IN
Nov/09/2018 14:12:35 dns,packet --- got query from 10.0.0.169:54500:
Nov/09/2018 14:12:35 dns,packet id:fe9b rd:1 tc:0 aa:0 qr:0 ra:0 QUERY 'no error'
Nov/09/2018 14:12:35 dns,packet question: ychjbquor.fic:A:IN
Nov/09/2018 14:12:35 dns query from 10.0.0.169: #16483372 ychjbquor.fic. A
Nov/09/2018 14:12:35 dns,packet --- sending udp query to 59.86.160.27:53:
Nov/09/2018 14:12:35 dns,packet id:146e rd:1 tc:0 aa:0 qr:0 ra:0 QUERY 'no error'
Nov/09/2018 14:12:35 dns,packet question: ychjbquor.fic:A:IN
Nov/09/2018 14:12:35 dns,packet --- got query from 10.0.0.169:64073:
Nov/09/2018 14:12:35 dns,packet id:63b1 rd:1 tc:0 aa:0 qr:0 ra:0 QUERY 'no error'
Nov/09/2018 14:12:35 dns,packet question: uengnhqnsa.fic:A:IN
Nov/09/2018 14:12:35 dns query from 10.0.0.169: #16483373 uengnhqnsa.fic. A
Nov/09/2018 14:12:35 dns,packet --- sending udp query to 59.86.160.27:53:
Nov/09/2018 14:12:35 dns,packet id:56ac rd:1 tc:0 aa:0 qr:0 ra:0 QUERY 'no error'
Nov/09/2018 14:12:35 dns,packet question: uengnhqnsa.fic:A:IN
Nov/09/2018 14:12:35 dns,packet --- got answer from 59.86.160.27:53:
Nov/09/2018 14:12:35 dns,packet id:f1fc rd:1 tc:0 aa:0 qr:1 ra:1 QUERY 'name error'
Nov/09/2018 14:12:35 dns,packet question: jnyyhwarsradr.fic:A:IN
Nov/09/2018 14:12:35 dns,packet authority:
Nov/09/2018 14:12:35 dns,packet <:SOA:3600=serial:2018110801 refresh:1800 retry:900 expire:604800 min:86400 >
Nov/09/2018 14:12:35 dns done query: #16483371 dns name does not exist
Nov/09/2018 14:12:35 dns,packet --- sending reply to 10.0.0.169:50391:
Nov/09/2018 14:12:35 dns,packet id:8e71 rd:1 tc:0 aa:0 qr:1 ra:1 QUERY 'name error'
Nov/09/2018 14:12:35 dns,packet question: jnyyhwarsradr.fic:A:IN
Nov/09/2018 14:12:35 dns,packet --- got answer from 59.86.160.27:53:
Nov/09/2018 14:12:35 dns,packet id:146e rd:1 tc:0 aa:0 qr:1 ra:1 QUERY 'name error'
Nov/09/2018 14:12:35 dns,packet question: ychjbquor.fic:A:IN
Nov/09/2018 14:12:35 dns,packet authority:
Nov/09/2018 14:12:35 dns,packet <:SOA:3600=serial:2018110801 refresh:1800 retry:900 expire:604800 min:86400 >
Nov/09/2018 14:12:35 dns done query: #16483372 dns name does not exist
Nov/09/2018 14:12:35 dns,packet --- sending reply to 10.0.0.169:54500:
Nov/09/2018 14:12:35 dns,packet id:fe9b rd:1 tc:0 aa:0 qr:1 ra:1 QUERY 'name error'
Nov/09/2018 14:12:35 dns,packet question: ychjbquor.fic:A:IN
Nov/09/2018 14:12:35 dns,packet --- got answer from 59.86.160.27:53:
Nov/09/2018 14:12:35 dns,packet id:56ac rd:1 tc:0 aa:0 qr:1 ra:1 QUERY 'name error'
Nov/09/2018 14:12:35 dns,packet question: uengnhqnsa.fic:A:IN
Nov/09/2018 14:12:35 dns,packet authority:
Nov/09/2018 14:12:35 dns,packet <:SOA:3600=serial:2018110801 refresh:1800 retry:900 expire:604800 min:86400 >
Nov/09/2018 14:12:35 dns done query: #16483373 dns name does not exist
Nov/09/2018 14:12:35 dns,packet --- sending reply to 10.0.0.169:64073:
Nov/09/2018 14:12:35 dns,packet id:63b1 rd:1 tc:0 aa:0 qr:1 ra:1 QUERY 'name error'
Nov/09/2018 14:12:35 dns,packet question: uengnhqnsa.fic:A:IN
Nov/09/2018
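
An added example, not written by any poster in this thread: a Python script that joins the `dns query from <client>: #<id>` lines with the `dns done query: #<id> dns name does not exist` lines in the log format quoted above and counts failed lookups per client. The sample log, the thresholds and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the RouterOS DNS log format quoted above (not captured data).
SAMPLE_LOG = """\
Nov/09/2018 14:12:35 dns query from 10.0.0.169: #101 jnyyhwarsradr.fic. A
Nov/09/2018 14:12:35 dns query from 10.0.0.169: #102 ychjbquor.fic. A
Nov/09/2018 14:12:35 dns query from 10.0.0.169: #103 uengnhqnsa.fic. A
Nov/09/2018 14:12:35 dns query from 10.0.0.20: #104 printer.fic. A
Nov/09/2018 14:12:35 dns done query: #101 dns name does not exist
Nov/09/2018 14:12:35 dns done query: #102 dns name does not exist
Nov/09/2018 14:12:35 dns done query: #103 dns name does not exist
Nov/09/2018 14:12:36 dns query from 10.0.0.20: #105 www.example.com. A
Nov/09/2018 14:12:36 dns done query: #104 dns name does not exist
"""

# Only line shapes that appear in the quoted log are matched; all others are ignored.
QUERY_RE = re.compile(r"dns query from (\S+): #(\d+) (\S+?)\.? (\w+)$")
FAILED_RE = re.compile(r"dns done query: #(\d+) dns name does not exist$")

def nxdomain_stats(log_text):
    """Return {client: {"queries": n, "failed": set_of_names}}, joined on the #id."""
    pending = {}  # query id -> (client, name) until the router logs the outcome
    stats = defaultdict(lambda: {"queries": 0, "failed": set()})
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            client, qid, name, _qtype = m.groups()
            pending[qid] = (client, name.lower())
            stats[client]["queries"] += 1
            continue
        m = FAILED_RE.search(line)
        if m and m.group(1) in pending:
            client, name = pending.pop(m.group(1))
            stats[client]["failed"].add(name)
    return dict(stats)

def noisy_clients(log_text, min_failed=3, min_ratio=0.8):
    """Clients with many distinct non-existent names and a high failure ratio."""
    flagged = []
    for client, s in nxdomain_stats(log_text).items():
        failed = len(s["failed"])
        if failed >= min_failed and failed / s["queries"] >= min_ratio:
            flagged.append((client, failed, s["queries"]))
    return sorted(flagged, key=lambda row: row[1], reverse=True)

if __name__ == "__main__":
    for client, failed, total in noisy_clients(SAMPLE_LOG):
        print(f"{client}: {failed}/{total} queries for non-existent names")
```

A flagged address only tells you which client to inspect first. Chromium-based browsers also send a few random-hostname lookups when they start, so on a real log the threshold should sit well above that.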
