cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

NEED SOME HELP?

We’re here 24/7. 365 days a year.
Ask questions. Find your answers. Connect.

ROUTER 5464 - 'DNS name resolution failure' error

Billx
Super Duper Contributor
Private Message TalkTalk
Message 37 of 37

I've been receiving 'DNS name resolution failure' error in the log of the router for nearly a month now.

Many, many entries. This has been happening since 24/5/2023, when I had been upgraded from FTTC and an older router, to FTTH and the current router. I don't know whether this change is any part of the cause. There have been 868 entries so far. Many, many unknown domains are trying to get DNS from my local network through the router to the DNS server at TalkTalk, but blocked by the router. Weirdly, it includes 'assets.eero.com', 'pti.store.microsoft.com', and 'appdeum.talktalk.co.uk', but many others.

 

I list a sample:

20.06.2023 16:29:39 Error DNS DNS name resolution failure (moa-upload-eu.allawnos.com)
20.06.2023 16:10:34 Error DNS DNS name resolution failure (moa-upload-eu.allawnos.com)
20.06.2023 15:03:03 Error DNS DNS name resolution failure (moa-upload-eu.allawnos.com)
20.06.2023 14:53:03 Error DNS DNS name resolution failure (moa-upload-eu.allawnos.com)
20.06.2023 14:43:03 Error DNS DNS name resolution failure (moa-upload-eu.allawnos.com)
20.06.2023 14:33:03 Error DNS DNS name resolution failure (moa-upload-eu.allawnos.com)
20.06.2023 14:13:10 Error DNS DNS name resolution failure (moa-upload-eu.allawnos.com)
20.06.2023 13:57:12 Error DNS DNS name resolution failure (moa-upload-eu.allawnos.com)
20.06.2023 13:28:35 Error DNS DNS name resolution failure (pti.store.microsoft.com)
20.06.2023 13:22:03 Error DNS DNS name resolution failure (moa-upload-eu.allawnos.com)
20.06.2023 13:12:03 Error DNS DNS name resolution failure (moa-upload-eu.allawnos.com)
20.06.2023 13:02:03 Error DNS DNS name resolution failure (moa-upload-eu.allawnos.com)
20.06.2023 12:13:09 Error DNS DNS name resolution failure (moa-upload-eu.allawnos.com)
20.06.2023 10:32:07 Error DNS DNS name resolution failure (moa-upload-eu.allawnos.com)
20.06.2023 10:27:53 Error DNS DNS name resolution failure (pti.store.microsoft.com)
20.06.2023 10:22:02 Error DNS DNS name resolution failure (moa-upload-eu.allawnos.com)

 

I've checked some of these domains at an external website, but they can't get their IP address either.

 

I also post the whole list so far, as an attachment below.

 

What the hell is happening?

I think these large companies are getting out of hand.

 

0 Likes
36 REPLIES 36

Billx
Super Duper Contributor
Private Message TalkTalk
Message 21 of 37

Hi @KeithFrench

 

"Only if it has the lightest severity, right at the top, will you be able skip those entries, and see only the rest

But that was your intention, wasn't it? To choose a particular setting on the drop-down menu, so you don't see the 'DNS name resolution failure' entries, but see only the remaining entries, whatever their category or label. That's what I thought you meant. I still don't understand what different from that, you mean.

 

My main device is a Windows 10 PC, which is used quite a bit. There is also a Windows 11 laptop, and a cheap Android phone connected, but these are not used much.

 

I don't know what a syslog server is. Is it a separate machine, or is it installed on your PC?

I know you've mentioned Wireshark before, but I don't know what it is yet.

 

Thanks Keith

 

Bill

0 Likes

KeithFrench
Community Star
Private Message TalkTalk
Message 22 of 37

 @Billx 

 

I have now amended by bug report on these system log messages & their severity classification. I have stated that these messages are swamping the system log & have requested a "Save to PC" facility be added to the system log page.

 

Then when I see the file format they use, hopefully CSV, but most syslog servers that offer this facility only use text files. Either way, when I know the format, I'll write an application to edit out the DNS resolution errors (or anything else). Then automatically save the edited file in CSV format. Alternatively, I might use the file from the router & import it straight into a syslog server application I wrote a few years ago, if that will provide better customisation options to make the rest of the log easier to navigate.

Keith
I am not employed by TalkTalk, I'm just a customer. If my post has fixed the issue, please set Accept as Solution from the 3 dot menu.
TalkTalk support and Community Stars - Who are they? 

0 Likes

KeithFrench
Community Star
Private Message TalkTalk
Message 23 of 37

Hi @Billx 

 

Where in my posts did I ever say that changing the Severity drop down would stop the DNS resolution failure log messages from getting in the log?

 

You said:-

 

"Only if it has the lightest severity, right at the top, will you be able skip those entries, and see only the rest" - do you read my any of my posts? That is exactly whatI have been saying that only if the Severity classification in both the 5364 & 5464 DNS resolution failure messages were changed from Error to Info, could they be filtered out.

 

All that will do anyway is to stop them from being displayed. Even then that would also filter out any other Info messages that might be desirable to view. Your suggestion of setting the severity filter to "Critical or lower" will in 99.9% of messages, display nothing at all, so that will be of no use.

 

The only way is for Sagemcom to fix the bug I raised to TalkTalk, where the DNS messages are wrongly classified as "Error".

 

Whilst the messages conform to the industry standard syslog format, it is down to the manufacturer as to what events that they choose to write to this log. 

 

I have campaigned to get a "Save to PC" option, "Output to a syslog server" & a "Clear log" button to be added to most TalkTalk routers. However, I have been told in the past that they were not part of the design requirements. If the GUI at least had a "Save to PC" option, then I could write an application to strip out all of the DNS resolution failure entries. 

 

There is no point keep attaching these logs of yours, I can't possibly know what devices of yours are making these DNS queries, so I do not look at them. All you can do is to try using the Nirsoft's "DNS Query Sniffer" or if you have the skills required, you could use Wireshark. By running Wireshark on a couple of PCs I was able to locate my device and the offending website. These are not going to help though if the operating system on all of your devices does not support Wireshark (there are versions for Windows & Linux, I am not sure about MACoS), DNS Query Sniffer is Windows only.

 

 

Keith
I am not employed by TalkTalk, I'm just a customer. If my post has fixed the issue, please set Accept as Solution from the 3 dot menu.
TalkTalk support and Community Stars - Who are they? 

0 Likes

Message 24 of 37

Morning,

 

Just an update to advise that I'm still waiting to hear back but I'm hoping it will be at some point today.

 

Thanks

 

0 Likes

Billx
Super Duper Contributor
Private Message TalkTalk
Message 25 of 37

@KeithFrench 

 

Changing the category won't stop them getting into the log. If you choose 'critical or lower', then they won't appear, but also none of the others will appear'. And, if it has a label different from 'Error', it won't make any difference. Only if it has the lightest severity, right at the top, will you be able skip those entries, and see only the rest. But that doesn't make much difference either, because it will still clog the router's memory. Today I've had to reset/restart the router, which deletes the old entries. But now late in the day, I have a ton of those entries again. As far as identifying which websites are involved, that's almost impossible. I have identified microsoft.com, speedtest.com, even talktalk.co.uk.

But, as I said, I haven't got a clue who 'moa-upload-eu.allawnos.com' are.

I attach the culprits in the file below.

You see, them having no IP addresses, has allowed us to see who the culprits are.

 

Bill

 

0 Likes

KeithFrench
Community Star
Private Message TalkTalk
Message 26 of 37

Hi @Billx 

 

Of course I read that, just because Sagemcom log these failures, doesn't mean all routers do. The fact that the router's DNS server logs these entries is not a bug. The problem as I said before is the fact that the router's DNS server wrongly sets its severity level in the system log to "Error" as I said in my previous post. This means that you cannot filter them out. If they were set to "Informational", then it would be a breeze to hide them via the Severity dropdown box in the UI. You would just set it to "Notice or lower":-

 

Severity filteringSeverity filtering

 

However, as I also said in my previous post, I have already raised this severity level problem as a bu with TalkTalk

 

I get a lot to "mediaforce.grapeshot.co.uk", which sounds like malware, but it isn't. It is part of several newspaper websites, that required my PC to resolve this, but it fails as there is no such site. The only way to stop them is to not use their websites!

 

You need to find which device is generating these DNS requests & investigate them further. Mine was more involved as that one got a CNAME back which is an alias to another site, or maybe a third one & only then did I find the culprit.

Keith
I am not employed by TalkTalk, I'm just a customer. If my post has fixed the issue, please set Accept as Solution from the 3 dot menu.
TalkTalk support and Community Stars - Who are they? 

0 Likes

Billx
Super Duper Contributor
Private Message TalkTalk
Message 27 of 37

Hi @KeithFrench,

Did you read my opening post? None of this type of reporting was done when I was using my previous router. There were nearly 900 entries in under a month. That's extravagant. Something is going wrong. It includes 'assets.eero.com', 'pti.store.microsoft.com', other microsoft.com addresses,  'appdeum.talktalk.co.uk, and various 'speedtest.com' addresses. Even talktalk.co.uk is there. Have at a look at my attached file in my first post and particularly speedtest.com with their many weird addresses. This is attempted high-octane monitoring. I only know this now because they now have no ip addresses allocated.

 

As far as  filtering them out from the router's GUI, I'm not aware of any filtering in 'Maintenance'>Logs. These entries are filling my log sheet at an alarming rate.

Oh, 'moa-upload-eu.allawnos.com' is also a big offender. I've never heard of them in my life.

 

Bill

 

0 Likes

KeithFrench
Community Star
Private Message TalkTalk
Message 28 of 37

HI @Billx 

 

Your other thread has dealt with so many issues, but I don't think that this was mentioned there. That is the way it should be anyway, one thread per problem is always best. 

 

The DNS server within your 5464 router logs any domain names that it cannot resolve by making recursive DNS queries up the DNS server hierarchy. This part of your opening post is normal behaviour, not a bug.

 

However, there is a bug in the severity level assigned to these messages. If you look at the severity column, they are classed as "Error". That is the highest severity reserved for serious problems within the router itself. These unresolved DNS queries should have a severity level of Info, not Error, as that is exactly what they are. Your devices or websites that link on to other sites that are requiring your device to visit an element of their web page that is not up to date. If they are correctly classified as informational, as they should be, then you can easily filter them out from the router's GUI if required.

 

I have already reported this bug to TalkTalk.

Keith
I am not employed by TalkTalk, I'm just a customer. If my post has fixed the issue, please set Accept as Solution from the 3 dot menu.
TalkTalk support and Community Stars - Who are they? 

0 Likes

Billx
Super Duper Contributor
Private Message TalkTalk
Message 29 of 37

Very good, @Michelle-TalkTalk 

In the meantime I attach todays log.

 

Bill

0 Likes

Message 30 of 37

Morning,

 

I've passed this over to our Devices Team now and I will post back as soon as I know more.

 

Thanks

 

 

Billx
Super Duper Contributor
Private Message TalkTalk
Message 31 of 37

It's probably my main PC, it doesn't show in the router log. Other devices, are hardly used.

If you go to 'https://whois.domaintools.com/allawnos.com', you will see some information on the 'allawnos.com' domain, but most of the information is blanked out with the phrase 'REDACTED FOR PRIVACY'. The name 'allawnos.com' does not trigger any browsing that I've done.

Thanks @Chris-TalkTalk

 

0 Likes

Chris-TalkTalk
Support Team
Staff
Private Message
Message 32 of 37

OK thanks for trying. Do you know which of your devices is trying to connect to moa-upload-eu.allawnos.com?

 

Chris

0 Likes

Billx
Super Duper Contributor
Private Message TalkTalk
Message 33 of 37

Yes, I switched both off for 30 minutes, but there is no change.

I attach a new file with the new entries in the last hours, which includes entries after the restart.

Thanks, @Chris-TalkTalk 

0 Likes

Message 34 of 37

OK thanks, please let us know how you get on


Chris

0 Likes

Billx
Super Duper Contributor
Private Message TalkTalk
Message 35 of 37

Hi @Chris-TalkTalk , I think I've tried that a couple of times, perhaps I'll give it another shot.

Can you investigate 'moa-upload-eu.allawnos.com', it seems to be the biggest offender.

I've looked at a 'whois' site, and nearly all the entries in the page presented, are marked as 'REDACTED FOR PRIVACY'.

Somehow the site, seems to be protected.

Thanks.

0 Likes

Chris-TalkTalk
Support Team
Staff
Private Message
Message 36 of 37

Hi Billx,

 

Could you try switching the ONT and router off for 30 minutes then switch back on and monitor to see if the DNS error continue


Chris

0 Likes