We’re here 24/7. 365 days a year.
Ask questions. Find your answers. Connect.
20-06-2023 11:57 PM - edited 21-06-2023 12:28 AM
I've been receiving 'DNS name resolution failure' error in the log of the router for nearly a month now.
Many, many entries. This has been happening since 24/5/2023, when I had been upgraded from FTTC and an older router, to FTTH and the current router. I don't know whether this change is any part of the cause. There have been 868 entries so far. Many, many unknown domains are trying to get DNS from my local network through the router to the DNS server at TalkTalk, but blocked by the router. Weirdly, it includes 'assets.eero.com', 'pti.store.microsoft.com', and 'appdeum.talktalk.co.uk', but many others.
I list a sample:
20.06.2023 16:29:39 Error DNS DNS name resolution failure (moa-upload-eu.allawnos.com)
20.06.2023 16:10:34 Error DNS DNS name resolution failure (moa-upload-eu.allawnos.com)
20.06.2023 15:03:03 Error DNS DNS name resolution failure (moa-upload-eu.allawnos.com)
20.06.2023 14:53:03 Error DNS DNS name resolution failure (moa-upload-eu.allawnos.com)
20.06.2023 14:43:03 Error DNS DNS name resolution failure (moa-upload-eu.allawnos.com)
20.06.2023 14:33:03 Error DNS DNS name resolution failure (moa-upload-eu.allawnos.com)
20.06.2023 14:13:10 Error DNS DNS name resolution failure (moa-upload-eu.allawnos.com)
20.06.2023 13:57:12 Error DNS DNS name resolution failure (moa-upload-eu.allawnos.com)
20.06.2023 13:28:35 Error DNS DNS name resolution failure (pti.store.microsoft.com)
20.06.2023 13:22:03 Error DNS DNS name resolution failure (moa-upload-eu.allawnos.com)
20.06.2023 13:12:03 Error DNS DNS name resolution failure (moa-upload-eu.allawnos.com)
20.06.2023 13:02:03 Error DNS DNS name resolution failure (moa-upload-eu.allawnos.com)
20.06.2023 12:13:09 Error DNS DNS name resolution failure (moa-upload-eu.allawnos.com)
20.06.2023 10:32:07 Error DNS DNS name resolution failure (moa-upload-eu.allawnos.com)
20.06.2023 10:27:53 Error DNS DNS name resolution failure (pti.store.microsoft.com)
20.06.2023 10:22:02 Error DNS DNS name resolution failure (moa-upload-eu.allawnos.com)
I've checked some of these domains at an external website, but they can't get their IP address either.
I also post the whole list so far, as an attachment below.
What the hell is happening?
I think these large companies are getting out of hand.
26-06-2023 10:51 PM - edited 26-06-2023 10:52 PM
Hi @KeithFrench
"Only if it has the lightest severity, right at the top, will you be able skip those entries, and see only the rest"
But that was your intention, wasn't it? To choose a particular setting on the drop-down menu, so you don't see the 'DNS name resolution failure' entries, but see only the remaining entries, whatever their category or label. That's what I thought you meant. I still don't understand what different from that, you mean.
My main device is a Windows 10 PC, which is used quite a bit. There is also a Windows 11 laptop, and a cheap Android phone connected, but these are not used much.
I don't know what a syslog server is. Is it a separate machine, or is it installed on your PC?
I know you've mentioned Wireshark before, but I don't know what it is yet.
Thanks Keith
Bill
on 26-06-2023 04:18 PM
I have now amended by bug report on these system log messages & their severity classification. I have stated that these messages are swamping the system log & have requested a "Save to PC" facility be added to the system log page.
Then when I see the file format they use, hopefully CSV, but most syslog servers that offer this facility only use text files. Either way, when I know the format, I'll write an application to edit out the DNS resolution errors (or anything else). Then automatically save the edited file in CSV format. Alternatively, I might use the file from the router & import it straight into a syslog server application I wrote a few years ago, if that will provide better customisation options to make the rest of the log easier to navigate.
Keith
I am not employed by TalkTalk, I'm just a customer. If my post has fixed the issue, please set Accept as Solution from the 3 dot menu.
TalkTalk support and Community Stars - Who are they?
on 26-06-2023 10:43 AM
Hi @Billx
Where in my posts did I ever say that changing the Severity drop down would stop the DNS resolution failure log messages from getting in the log?
You said:-
"Only if it has the lightest severity, right at the top, will you be able skip those entries, and see only the rest" - do you read my any of my posts? That is exactly whatI have been saying that only if the Severity classification in both the 5364 & 5464 DNS resolution failure messages were changed from Error to Info, could they be filtered out.
All that will do anyway is to stop them from being displayed. Even then that would also filter out any other Info messages that might be desirable to view. Your suggestion of setting the severity filter to "Critical or lower" will in 99.9% of messages, display nothing at all, so that will be of no use.
The only way is for Sagemcom to fix the bug I raised to TalkTalk, where the DNS messages are wrongly classified as "Error".
Whilst the messages conform to the industry standard syslog format, it is down to the manufacturer as to what events that they choose to write to this log.
I have campaigned to get a "Save to PC" option, "Output to a syslog server" & a "Clear log" button to be added to most TalkTalk routers. However, I have been told in the past that they were not part of the design requirements. If the GUI at least had a "Save to PC" option, then I could write an application to strip out all of the DNS resolution failure entries.
There is no point keep attaching these logs of yours, I can't possibly know what devices of yours are making these DNS queries, so I do not look at them. All you can do is to try using the Nirsoft's "DNS Query Sniffer" or if you have the skills required, you could use Wireshark. By running Wireshark on a couple of PCs I was able to locate my device and the offending website. These are not going to help though if the operating system on all of your devices does not support Wireshark (there are versions for Windows & Linux, I am not sure about MACoS), DNS Query Sniffer is Windows only.
Keith
I am not employed by TalkTalk, I'm just a customer. If my post has fixed the issue, please set Accept as Solution from the 3 dot menu.
TalkTalk support and Community Stars - Who are they?
on 26-06-2023 07:12 AM
Morning,
Just an update to advise that I'm still waiting to hear back but I'm hoping it will be at some point today.
Thanks
26-06-2023 12:16 AM - edited 26-06-2023 12:20 AM
Changing the category won't stop them getting into the log. If you choose 'critical or lower', then they won't appear, but also none of the others will appear'. And, if it has a label different from 'Error', it won't make any difference. Only if it has the lightest severity, right at the top, will you be able skip those entries, and see only the rest. But that doesn't make much difference either, because it will still clog the router's memory. Today I've had to reset/restart the router, which deletes the old entries. But now late in the day, I have a ton of those entries again. As far as identifying which websites are involved, that's almost impossible. I have identified microsoft.com, speedtest.com, even talktalk.co.uk.
But, as I said, I haven't got a clue who 'moa-upload-eu.allawnos.com' are.
I attach the culprits in the file below.
You see, them having no IP addresses, has allowed us to see who the culprits are.
Bill
on 25-06-2023 10:33 PM
Hi @Billx
Of course I read that, just because Sagemcom log these failures, doesn't mean all routers do. The fact that the router's DNS server logs these entries is not a bug. The problem as I said before is the fact that the router's DNS server wrongly sets its severity level in the system log to "Error" as I said in my previous post. This means that you cannot filter them out. If they were set to "Informational", then it would be a breeze to hide them via the Severity dropdown box in the UI. You would just set it to "Notice or lower":-
However, as I also said in my previous post, I have already raised this severity level problem as a bu with TalkTalk
I get a lot to "mediaforce.grapeshot.co.uk", which sounds like malware, but it isn't. It is part of several newspaper websites, that required my PC to resolve this, but it fails as there is no such site. The only way to stop them is to not use their websites!
You need to find which device is generating these DNS requests & investigate them further. Mine was more involved as that one got a CNAME back which is an alias to another site, or maybe a third one & only then did I find the culprit.
Keith
I am not employed by TalkTalk, I'm just a customer. If my post has fixed the issue, please set Accept as Solution from the 3 dot menu.
TalkTalk support and Community Stars - Who are they?
25-06-2023 10:11 PM - edited 25-06-2023 10:15 PM
Hi @KeithFrench,
Did you read my opening post? None of this type of reporting was done when I was using my previous router. There were nearly 900 entries in under a month. That's extravagant. Something is going wrong. It includes 'assets.eero.com', 'pti.store.microsoft.com', other microsoft.com addresses, 'appdeum.talktalk.co.uk, and various 'speedtest.com' addresses. Even talktalk.co.uk is there. Have at a look at my attached file in my first post and particularly speedtest.com with their many weird addresses. This is attempted high-octane monitoring. I only know this now because they now have no ip addresses allocated.
As far as filtering them out from the router's GUI, I'm not aware of any filtering in 'Maintenance'>Logs. These entries are filling my log sheet at an alarming rate.
Oh, 'moa-upload-eu.allawnos.com' is also a big offender. I've never heard of them in my life.
Bill
on 25-06-2023 04:32 PM
HI @Billx
Your other thread has dealt with so many issues, but I don't think that this was mentioned there. That is the way it should be anyway, one thread per problem is always best.
The DNS server within your 5464 router logs any domain names that it cannot resolve by making recursive DNS queries up the DNS server hierarchy. This part of your opening post is normal behaviour, not a bug.
However, there is a bug in the severity level assigned to these messages. If you look at the severity column, they are classed as "Error". That is the highest severity reserved for serious problems within the router itself. These unresolved DNS queries should have a severity level of Info, not Error, as that is exactly what they are. Your devices or websites that link on to other sites that are requiring your device to visit an element of their web page that is not up to date. If they are correctly classified as informational, as they should be, then you can easily filter them out from the router's GUI if required.
I have already reported this bug to TalkTalk.
Keith
I am not employed by TalkTalk, I'm just a customer. If my post has fixed the issue, please set Accept as Solution from the 3 dot menu.
TalkTalk support and Community Stars - Who are they?
on 23-06-2023 03:50 PM
on 23-06-2023 06:44 AM
Morning,
I've passed this over to our Devices Team now and I will post back as soon as I know more.
Thanks
on 22-06-2023 06:00 PM
It's probably my main PC, it doesn't show in the router log. Other devices, are hardly used.
If you go to 'https://whois.domaintools.com/allawnos.com', you will see some information on the 'allawnos.com' domain, but most of the information is blanked out with the phrase 'REDACTED FOR PRIVACY'. The name 'allawnos.com' does not trigger any browsing that I've done.
Thanks @Chris-TalkTalk
on 22-06-2023 08:00 AM
OK thanks for trying. Do you know which of your devices is trying to connect to moa-upload-eu.allawnos.com?
Chris
Chris, Community Team
Our latest Blog l Share your Ideas l Service Status l Help with your Service l Community Stars l Set your preferences
21-06-2023 03:09 PM - edited 21-06-2023 03:09 PM
Yes, I switched both off for 30 minutes, but there is no change.
I attach a new file with the new entries in the last hours, which includes entries after the restart.
Thanks, @Chris-TalkTalk
on 21-06-2023 12:45 PM
OK thanks, please let us know how you get on
Chris
Chris, Community Team
Our latest Blog l Share your Ideas l Service Status l Help with your Service l Community Stars l Set your preferences
on 21-06-2023 12:01 PM
Hi @Chris-TalkTalk , I think I've tried that a couple of times, perhaps I'll give it another shot.
Can you investigate 'moa-upload-eu.allawnos.com', it seems to be the biggest offender.
I've looked at a 'whois' site, and nearly all the entries in the page presented, are marked as 'REDACTED FOR PRIVACY'.
Somehow the site, seems to be protected.
Thanks.
on 21-06-2023 08:42 AM
Hi Billx,
Could you try switching the ONT and router off for 30 minutes then switch back on and monitor to see if the DNS error continue
Chris
Chris, Community Team
Our latest Blog l Share your Ideas l Service Status l Help with your Service l Community Stars l Set your preferences