We have a CCR1036-8G-2S+ running RouterOS 6.46.1. It has over 1000 PPPoE sessions running to our customers. Every one of these sessions is getting DNS requests sent to the client routers approx every 1.5 secs. The Dst addresses are always 8.8.8.8 AND every other server configured in the router's DNS settings. Of course the client routers don't have those servers and just send the packet back. They are only 64 byte packets but over 1000 every 1.5 secs still consumes our precious WAN links.
Why is this so? How do I stop it?
Here is a packet trace:
# TIME IN.. SRC-ADDRESS DST-ADDRESS IP-.. SIZE CPU FP
0 0.452 <p.. 100.127.1.3:5678 (discovery) 8.8.8.8:53 (dns) udp 64 34 no
1 0.453 <p.. 100.127.1.3:5678 (discovery) 8.8.8.8:53 (dns) udp 64 29 no
2 0.507 <p.. 100.127.1.3:5678 (discovery) 103.22.144.1:53 (dns) udp 64 34 no
3 0.508 <p.. 100.127.1.3:5678 (discovery) 103.22.144.1:53 (dns) udp 64 29 no
4 2.144 <p.. 100.127.1.3:5678 (discovery) 8.8.8.8:53 (dns) udp 64 34 no
5 2.144 <p.. 100.127.1.3:5678 (discovery) 8.8.8.8:53 (dns) udp 64 29 no
6 2.238 <p.. 100.127.1.3:5678 (discovery) 103.22.144.1:53 (dns) udp 64 34 no
7 2.239 <p.. 100.127.1.3:5678 (discovery) 103.22.144.1:53 (dns) udp 64 29 no
8 3.083 <p.. 100.64.0.10:59027 20.190.167.149:443 (https) tcp 60 29 no
9 3.891 <p.. 100.127.1.3:5678 (discovery) 8.8.8.8:53 (dns) udp 64 34 no
10 3.891 <p.. 100.127.1.3:5678 (discovery) 8.8.8.8:53 (dns) udp 64 29 no
11 4.001 <p.. 100.127.1.3:5678 (discovery) 103.22.144.1:53 (dns) udp 64 34 no
12 4.002 <p.. 100.127.1.3:5678 (discovery) 103.22.144.1:53 (dns) udp 64 29 no
In this example, 100.127.1.3 is the Local address in this client's PPP profile (an address on this NAS router). Other profiles use their own local address. At the time, only 103.22.144.1 is configured as a DNS server. If I add another one there will be another set of packets for that too. If I change the DNS timeout value (to say 4 secs), nothing changes, the frequency remains at about 1.5 secs. The DNS(s) configured on the PPP profile do not influence the problem, only the DNS for the router itself.
[admin@YL4-DC-AGG-01] /ip dns> print
servers: 103.22.144.1
dynamic-servers:
allow-remote-requests: no
max-udp-packet-size: 4096
query-server-timeout: 2s
query-total-timeout: 10s
max-concurrent-queries: 100
max-concurrent-tcp-sessions: 20
cache-size: 2048KiB
cache-max-ttl: 1w
cache-used: 19KiB
Here is the raw packet:
0000: 45 00 00 40 87 7d 00 00 40 11 7d 9e 64 7f 01 03 E..@.}.. @.}.d...
0010: 08 08 08 08 16 2e 00 35 00 2c 82 47 74 fb 01 00 .......5 .,.Gt...
0020: 00 01 00 00 00 00 00 00 05 63 6c 6f 75 64 08 6d ........ .cloud.m
0030: 69 6b 72 6f 74 69 6b 03 63 6f 6d 00 00 01 00 01 ikrotik. com.....
Can someone help please?
Thanks, Ian
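
Added example, not part of the original post: a Python decoder for the raw packet quoted above, which checks the IPv4 header checksum and pulls out the UDP ports and the DNS question so the query name in the dump can be read directly. The function names `read_qname` and `decode` are illustrative.

```python
import ipaddress
import struct

# Bytes copied from the hex dump in the post (offsets and ASCII column dropped).
RAW = bytes.fromhex(
    "45 00 00 40 87 7d 00 00 40 11 7d 9e 64 7f 01 03 "
    "08 08 08 08 16 2e 00 35 00 2c 82 47 74 fb 01 00 "
    "00 01 00 00 00 00 00 00 05 63 6c 6f 75 64 08 6d "
    "69 6b 72 6f 74 69 6b 03 63 6f 6d 00 00 01 00 01 "
)

def read_qname(dns: bytes, off: int):
    """Read an uncompressed question name; return (name, offset after it)."""
    labels = []
    while True:
        length = dns[off]  # IndexError here means the dump is truncated
        off += 1
        if length == 0:
            return ".".join(labels), off
        if length > 63 or off + length > len(dns):
            raise ValueError("bad label length in question name")
        labels.append(dns[off:off + length].decode("ascii"))
        off += length

def decode(raw: bytes) -> dict:
    """Decode IPv4 + UDP + the first DNS question of one captured packet."""
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 17 or total_len != len(raw):
        raise ValueError("not a complete IPv4/UDP packet")
    # One's-complement sum over the header folds to 0xFFFF when intact.
    csum = sum(struct.unpack(f"!{ihl // 2}H", raw[:ihl]))
    while csum >> 16:
        csum = (csum & 0xFFFF) + (csum >> 16)
    sport, dport, udp_len, _ = struct.unpack("!4H", raw[ihl:ihl + 8])
    dns = raw[ihl + 8:]
    _txid, flags, qdcount = struct.unpack("!3H", dns[:6])
    qname, off = read_qname(dns, 12)  # question follows the 12-byte header
    qtype, qclass = struct.unpack("!2H", dns[off:off + 4])
    return {
        "src": f"{ipaddress.IPv4Address(src)}:{sport}",
        "dst": f"{ipaddress.IPv4Address(dst)}:{dport}",
        "ip_checksum_ok": csum == 0xFFFF,
        "udp_len": udp_len,
        "is_query": flags & 0x8000 == 0,
        "recursion_desired": bool(flags & 0x0100),
        "qdcount": qdcount, "qname": qname, "qtype": qtype, "qclass": qclass,
    }

print(decode(RAW))
```
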