mxcone17
Joined: Mon Jul 20, 2020 1:27 am

DNS Cache Size Always Full

Mon May 31, 2021 8:45 am

Hello,

I have been having problems with my MikroTik DNS cache always being reported as full. I can have only 10 items in the cache and it still shows as maxed out.
[admin@MikroTik Hex S] >> /ip dns/ cache/ print
Flags: S - STATIC
Columns: NAME, TYPE, DATA, TTL
# NAME TYPE DATA TTL
0 S router.lan A 192.168.88.1 0s
1 api.amazon.com A 52.46.158.193 49s
2 api.amazonalexa.com CNAME tp.b16066390-frontier.amazonalexa.com. 15m25s
3 tp.b16066390-frontier.amazonalexa.com CNAME d1gsg05rq1vjdw.cloudfront.net. 30s
4 d1gsg05rq1vjdw.cloudfront.net A 13.227.22.180 30s

[admin@MikroTik Hex S] >> /ip dns/ print
servers: 129.250.35.251,209.244.0.4,8.8.8.8,1.1.1.1
dynamic-servers:
use-doh-server:
verify-doh-cert: yes
allow-remote-requests: yes
max-udp-packet-size: 4096
query-server-timeout: 2s
query-total-timeout: 10s
max-concurrent-queries: 100
max-concurrent-tcp-sessions: 20
cache-size: 4800KiB
cache-max-ttl: 1w
cache-used: 4800KiB
First, this only goes away when I reboot. Second, it does this for any cache-size I set, all the way up to about 4800KiB, before there is any headroom.
When it is maxed out like this, I begin to have issues loading pages, etc. Flushing the cache doesn't help: even with the cache list empty, cache-used still shows the space as occupied.
I am currently on the Hex S and v7.1 beta 6. I have tried downgrading to v6.49, but the problem was still there.

Here is the output of /export hide-sensitive:
# may/30/2021 22:39:13 by RouterOS 7.1beta6
# software id = PY15-P11Z
#
# model = RB760iGS
# serial number = AE370C666F91
# Review notes are added below as '#' comment lines; they change nothing in the configuration.
/interface bridge
add admin-mac=48:8F:5A:39:08:87 auto-mac=no comment=defconf dhcp-snooping=yes igmp-snooping=yes name=bridge
/interface ethernet
set [ find default-name=ether3 ] name="ether3 lan"
set [ find default-name=ether5 ] name="ether5 wan" poe-out=forced-on
/interface pppoe-client
# The PPPoE session rides on the physical port "ether5 wan"; the Internet-facing
# interface is therefore pppoe-out1conifer, not the port itself.
add add-default-route=yes disabled=no interface="ether5 wan" keepalive-timeout=disabled name=pppoe-out1conifer user=m.cone
/disk
set sd1 disabled=no
set sd1-part1 disabled=no name=disk1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec mode-config
add name=NordVPN responder=no src-address-list=local
/ip ipsec policy group
add name=NordVPN
/ip ipsec profile
add name=NordVPN
/ip ipsec peer
add address=us6204.nordvpn.com disabled=yes exchange-mode=ike2 name=NordVPN profile=NordVPN
/ip ipsec proposal
set [ find default=yes ] disabled=yes
add disabled=yes name=NordVPN pfs-group=none
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge lease-time=30m name=defconf
/queue type
add kind=sfq name=sfq-default sfq-perturb=10
/queue simple
add max-limit=4M/26M name="parent queue" target=bridge total-queue=sfq-default
add limit-at=2M/10M max-limit=3M/26M name=First parent="parent queue" priority=1/1 target="192.168.88.15/32,192.168.88.32/32,192.168.88.29/32,192.168.88.40/32,192.168.88.232/32,192.168.88.220\
/32,192.168.88.42/32,192.168.88.240/32,192.168.88.12/32,192.168.88.39/32,192.168.88.221/32,192.168.88.222/32" total-queue=sfq-default
add limit-at=512k/512k max-limit=1M/5M name=Middle parent="parent queue" priority=5/5 target="192.168.88.10/32,192.168.88.11/32,192.168.88.13/32,192.168.88.14/32,192.168.88.17/32,192.168.88.1\
8/32,192.168.88.22/32,192.168.88.23/32,192.168.88.24/32,192.168.88.25/32,192.168.88.26/32,192.168.88.53/32,192.168.88.236/32,192.168.88.237/32,192.168.88.20/32,192.168.88.19/32,192.168.88\
.16/32,192.168.88.31/32,192.168.88.35/32,192.168.88.34/32" total-queue=sfq-default
add limit-at=512k/512k max-limit=1M/8M name=last parent="parent queue" target="192.168.88.235/32,192.168.88.223/32,192.168.88.225/32,192.168.88.241/32,192.168.88.239/32,192.168.88.218/32,192.\
168.88.230/32,192.168.88.21/32,192.168.88.19/32,192.168.88.30/32,192.168.88.28/32,192.168.88.243/32,192.168.88.35/32,192.168.88.33/32" total-queue=sfq-default
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface="ether3 lan"
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf disabled=yes interface="ether5 wan"
add bridge=bridge comment=defconf interface=sfp1
/ip firewall connection tracking
set tcp-established-timeout=1h tcp-last-ack-timeout=15s tcp-syn-received-timeout=10s tcp-syn-sent-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=all
/ip settings
set tcp-syncookies=yes
/ipv6 settings
set disable-ipv6=yes
/interface list member
add comment=defconf interface=bridge list=LAN
# NOTE(review): only the physical port is a WAN member; the PPPoE client interface
# (pppoe-out1conifer) is not. Rules keyed on in-interface-list=WAN / out-interface-list=WAN
# further down (the "drop all from WAN not DSTNATed" forward rule and the srcnat masquerade)
# will therefore not match traffic arriving on or leaving via the PPPoE interface — confirm
# this is intended, or add the PPPoE interface to the WAN list.
add comment=defconf interface="ether5 wan" list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid,clientid_duid disabled=no interface="ether5 wan" use-peer-dns=no
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
# allow-remote-requests=yes makes the router answer DNS from any interface it receives
# queries on; the input chain below is what keeps it from acting as an open resolver
# toward the Internet.
set allow-remote-requests=yes cache-size=4800KiB servers=129.250.35.251,209.244.0.4,8.8.8.8,1.1.1.1 verify-doh-cert=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=192.168.88.0/24 list=local
/ip firewall filter
# First input rule: everything from the bridge is accepted here, so none of the later
# input rules (including "drop invalid") ever see LAN-originated traffic.
add action=accept chain=input in-interface=bridge
# Disabled: per-client connection limits for DNS toward 1.1.1.1 / 8.8.8.8.
add action=drop chain=forward connection-limit=8,24 disabled=yes dst-address=1.1.1.1 dst-port=53 protocol=udp
add action=drop chain=forward connection-limit=8,24 disabled=yes dst-address=8.8.8.8 dst-port=53 protocol=udp
add action=drop chain=forward connection-limit=10,32 src-address=192.168.88.14
add action=drop chain=forward disabled=yes dst-address=192.168.88.25
add action=reject chain=forward connection-limit=8,32 disabled=yes protocol=tcp reject-with=icmp-network-unreachable src-address=192.168.88.34
# Fasttrack/accept pairs for DNS and for selected LAN hosts. None of these carry a
# connection-state or interface condition, so they accept matching packets from any
# interface and sit ahead of the defconf "drop invalid" / "drop all from WAN not DSTNATed"
# rules at the end of the forward chain — verify that ordering is intended.
add action=fasttrack-connection chain=forward dst-port=53 hw-offload=yes protocol=tcp
add action=accept chain=forward dst-port=53 protocol=tcp
add action=fasttrack-connection chain=forward dst-port=53 hw-offload=yes protocol=udp
add action=accept chain=forward dst-port=53 protocol=udp
add action=fasttrack-connection chain=forward dst-address=192.168.88.40 hw-offload=yes
add action=accept chain=forward dst-address=192.168.88.40
add action=fasttrack-connection chain=forward disabled=yes dst-address=192.168.88.29 hw-offload=yes
add action=accept chain=forward dst-address=192.168.88.29
add action=fasttrack-connection chain=forward dst-address=192.168.88.232 hw-offload=yes
add action=accept chain=forward dst-address=192.168.88.232
add action=fasttrack-connection chain=forward disabled=yes dst-address=192.168.88.220 hw-offload=yes
add action=accept chain=forward dst-address=192.168.88.220
add action=fasttrack-connection chain=forward disabled=yes dst-address=192.168.88.10 hw-offload=yes
add action=accept chain=forward dst-address=192.168.88.10
add action=fasttrack-connection chain=forward disabled=yes dst-address=192.168.88.42 hw-offload=yes
add action=accept chain=forward dst-address=192.168.88.42
add action=reject chain=forward connection-limit=15,32 disabled=yes protocol=tcp reject-with=icmp-net-prohibited src-address=192.168.88.235 tcp-flags=syn
add action=reject chain=forward connection-limit=15,32 disabled=yes protocol=tcp reject-with=icmp-network-unreachable src-address=192.168.88.241 tcp-flags=syn
add action=reject chain=forward connection-limit=15,32 disabled=yes protocol=tcp reject-with=icmp-net-prohibited src-address=192.168.88.21 tcp-flags=syn
add action=reject chain=forward connection-limit=15,32 disabled=yes protocol=tcp reject-with=icmp-network-unreachable src-address=192.168.88.223 tcp-flags=syn
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
# These two rules match the physical port only. DNS queries arriving over the PPPoE
# session have in-interface=pppoe-out1conifer and are presumably caught instead by the
# "drop all not coming from LAN" rule below (the PPPoE interface is not a LAN member).
add action=drop chain=input dst-port=53 in-interface="ether5 wan" protocol=tcp
add action=drop chain=input dst-port=53 in-interface="ether5 wan" protocol=udp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
# The general defconf fasttrack rule is disabled; established traffic is accepted by the
# plain accept rule that follows it.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related,untracked disabled=yes hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip ipsec identity
add auth-method=eap certificate="" disabled=yes eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=NordVPN peer=NordVPN policy-template-group=NordVPN username=\
/ip ipsec policy
set 0 disabled=yes
add disabled=yes dst-address=0.0.0.0/0 group=NordVPN proposal=NordVPN src-address=0.0.0.0/0 template=yes
/ip smb
# SMB is enabled on the router; with the input chain above it should be reachable from the
# bridge/LAN side only — worth confirming it is actually needed.
set comment="Mikrotik hex SMB" enabled=yes
/ip traffic-flow ipfix
set nat-events=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=America/Los_Angeles
/system identity
set name="MikroTik Hex S"
/system logging
# The dns logging topic exists but is disabled; enabling it is the cheapest way to get
# evidence for the cache-used behaviour described in the post.
add disabled=yes topics=dns
/system note
set note="Lick lick lick my balls"
/system package update
# Testing channel plus auto-upgrade=yes means beta builds are installed automatically;
# the export header shows 7.1beta6 running.
set channel=testing
/system routerboard settings
set auto-upgrade=yes
/system scheduler
# Both scheduler entries and all four scripts carry the full policy set (ftp, reboot,
# password, sniff, sensitive, romon, ...). From the script sources below, script2 only
# flushes the DNS cache and script1/3/4 only remove connection-tracking entries, so
# read,write looks sufficient — least privilege for scheduled code.
add interval=1h name="connection clear" on-event=script1 policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=feb/19/2021 start-time=00:00:00
add interval=30m name="dns flush " on-event=script2 policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=feb/19/2021 start-time=08:07:40
/system script
add comment="Connection clear " dont-require-permissions=no name=script1 owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
":foreach i in=[/ip firewall connection find] do={/ip firewall connection remove \$i}"
add dont-require-permissions=no name=script2 owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/ip dns cache flush"
# NOTE(review): script3 writes `:foreach i in [find ...]` where script1 writes `in=[...]`,
# and its path has no leading slash; it may not run as written — confirm before relying on it.
add dont-require-permissions=no name=script3 owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
"ip firewall connection {:foreach i in [find src-address=\"192.168.88.235\"] do={remove \$i}}"
add dont-require-permissions=no name=script4 owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
"/ip firewall connection remove [find where !seen-reply timeout>\"30s\" protocol=tcp src-address~\":443\"];"
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
