Get expert support with your Fibre connection.
on 17-06-2023 09:32 PM
I decided to look at the log pages of the router after it started to run very slow and difficult to log into. anyway i wanted to ask the forum if the following logs look right as they are shown as errors?
so firstly dns errors below is only one page of many with constant dns errors.
many hundreds more occurances besides the ones above but also before rebooting my router to see if i could get it working better i noticed that the upnp was trying to conect with hundreds of pages of logs with the following lines.
then hundreds of pages can be created like the following and can only be stopped by disabling the unpn button in the access control panel.
it continues to make these logs, page after page after page until i disable the upnp button located on the accesss control panel can someone clarify if this is anything to worry about. I dont have nothing on the system that requires upnp ? is this an error
on 21-06-2023 09:48 AM
With any of these domains that come up with errors, you can easily check them yourself. Copy them from the log & paste them into this website:-
https://toolbox.googleapps.com/apps/dig/
The _dns.resolver.arpa domain as you can see comes up with "no record found" and therefore matches the DNS server's system log entry:-
However, both example.com & www.example.com do resolve OK:-
It might be worth trying those two again.
Keith
I am not employed by TalkTalk, I'm just a customer. If my post has fixed the issue, please set Accept as Solution from the 3 dot menu.
TalkTalk support and Community Stars - Who are they?
21-06-2023 09:14 AM - edited 21-06-2023 09:21 AM
Thank you keith for the continued support and see you are doing a lot of digging into my questions, i had to do a router reboot last night and sure enough 10 pages of the upnp info started logging untill i turned the upnp off manually!! I did use that dns sniffer and tried to match it to the logs unfortunately the only thing that showed up was wpad.lan and example.com and www.example.com which all came back as name errors in the response code.
on 20-06-2023 01:40 PM
The DNS entries about "_dns.resolver.arpa" are all part of encrypted DNS, often called DOH (DNS over HTTP). Whilst that has been around for a while now, these queries are part of a new addition to this called DDR or Discovery of Designated Resolvers. The DNS server in the router does not understand what this is about & cannot resolve the special "_dns.resolver.arpa" domain. Hence why it puts the entry in the system log. Apart from some network DNS servers such as Cloudfare, most local DNS servers probably do not understand them either. It is not a fault of the router, but a new not very widely adapted feature as yet.
Whilst you could spend a long time trying to track down the device in question & then reconfiguring to get it to work, my advice would be to simply forget it altogether & just put up with these entries in the log.
Keith
I am not employed by TalkTalk, I'm just a customer. If my post has fixed the issue, please set Accept as Solution from the 3 dot menu.
TalkTalk support and Community Stars - Who are they?
on 20-06-2023 11:43 AM
I might be on to something, but I need to read up on it. I appreciate that you are not technical but "_dns.resolver.arpa" is used with Encrypted DNS. With web traffic being encrypted these days, about the only way an ISP or any other organisation can tell which websites are being visited is to look at the DNS queries which are sent unencrypted. There are gradual moves to encrypt the DNS packets, but some of this is experimental.
I would tend to think that this would have to come from a new or higher specification device in your home, maybe a Windows 11 PCs or Apple products etc, but that is just a guess.
One option you have is to just ignore them. Since disabling UPnP are you still getting those errors in the log?
Keith
I am not employed by TalkTalk, I'm just a customer. If my post has fixed the issue, please set Accept as Solution from the 3 dot menu.
TalkTalk support and Community Stars - Who are they?
on 20-06-2023 11:28 AM
One of the problems here is the DNS errors are wrongly classified within the system log. If you look at the Severity column, they should appear as Info, not Error as they do. Error is for serious problems with the router itself, whereas Info is, as you would expect, just information. If that was correct, then you would be able to filter them out from the display by simply changing the Severity dropdown to "Notice or lower".
The ones that I always see is for:-
mediaforce.grapeshot.co.uk
This sounds like it might be malware or similar, but it isn't, it is an out-of-date part of various newspaper websites. That took a bit of trouble even for me to find that out.
Looking into your DNS request:-
_dns.resolver.arpa
Does not get any matches so it does not return an IP address:-
I did try going to that site in my browser & it failed & guess what was in my system log then:-
Searching on this did come up with something suggesting it might be a new feature added to iPhones, but I can't confirm that.
Keith
I am not employed by TalkTalk, I'm just a customer. If my post has fixed the issue, please set Accept as Solution from the 3 dot menu.
TalkTalk support and Community Stars - Who are they?
on 20-06-2023 10:56 AM
Good morning chris still trying to get to the bottom of the dns failures but as someone who isnt that tech savvy its not the easiest of tasks but will try to find out whats causing the errors from within my system?
on 19-06-2023 07:12 AM
Hi mockingbirdmedia,
I can see that Keith is helping you with this, how are you getting on?
Chris
Chris, Community Team
Our latest Blog l Share your Ideas l Service Status l Help with your Service l Community Stars l Set your preferences
on 18-06-2023 09:59 PM
Tracking down which device is generating the DNS requests is not very easy. A lot of these come from websites that link off to other websites and their web addresses still have to be resolved to IP addresses by that device. I had it recently where my system log was plagued with DNS requests for some site or other, that I did not recognise at all. I proved it to a Windows PC of mine, but it was only when I did a Google search that I found that this was caused by a newspaper's website that I visited. It was my home page, so that made it even worse.
Windows PCs can be easier than most to see if it is them that are making the request. One way is to use a small pice of freeware called "DNS Query Sniffer" from Nirsoft:-
https://www.nirsoft.net/utils/dns_query_sniffer.html
I use a piece of software called "Wireshark" myself, but unless you have a lot of networking knowledge, this is probably not the best to use.
If it is that PC, you still have to find out which application (may not be your browser or email client) is generating these requests. Even worse it could be down to some malware.
Probably the easiest way with other devices is to first make sure that the system clock on the router is correct. Then make a note of which devices have access to the router at a particular time. Even better, when doing this ensure every other device is physically turned off. Then compare all of this to the router's system log.
Keith
I am not employed by TalkTalk, I'm just a customer. If my post has fixed the issue, please set Accept as Solution from the 3 dot menu.
TalkTalk support and Community Stars - Who are they?
18-06-2023 07:19 PM - edited 18-06-2023 07:23 PM
Cheers keith much appreciated for your response upnp is switched off and have to do it straight away after a router reset or the pages of logs simply go mad. As for the dns issues lots of logs are during the night. i only have one ting running at night but doesnt tie in with any of the logs ? Is there a way i can link the dns failures to one deice? May i also ask is the use of port forwarding safe to use?
on 18-06-2023 11:48 AM
The DNS server in the router puts these entries in the system log when it can't resolve any DNS requests. These are requests that are made by one or more of your devices, not the router. You will need to try and find which devices are doing this.
UPnP should be disabled as it is a security risk. This can be done from within the router's Ui by going to Access Control & Port Forwarding. It is at the top of that page.
Keith
I am not employed by TalkTalk, I'm just a customer. If my post has fixed the issue, please set Accept as Solution from the 3 dot menu.
TalkTalk support and Community Stars - Who are they?