cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

NEED SOME HELP?

We’re here 24/7. 365 days a year.
Ask questions. Find your answers. Connect.

ROUTER 5464 - 'DNS name resolution failure' error

Billx
Enlightened One
Private Message TalkTalk
Message 37 of 37

I've been receiving 'DNS name resolution failure' error in the log of the router for nearly a month now.

Many, many entries. This has been happening since 24/5/2023, when I had been upgraded from FTTC and an older router, to FTTH and the current router. I don't know whether this change is any part of the cause. There have been 868 entries so far. Many, many unknown domains are trying to get DNS from my local network through the router to the DNS server at TalkTalk, but blocked by the router. Weirdly, it includes 'assets.eero.com', 'pti.store.microsoft.com', and 'appdeum.talktalk.co.uk', but many others.

 

I list a sample:

20.06.2023 16:29:39 Error DNS DNS name resolution failure (moa-upload-eu.allawnos.com)
20.06.2023 16:10:34 Error DNS DNS name resolution failure (moa-upload-eu.allawnos.com)
20.06.2023 15:03:03 Error DNS DNS name resolution failure (moa-upload-eu.allawnos.com)
20.06.2023 14:53:03 Error DNS DNS name resolution failure (moa-upload-eu.allawnos.com)
20.06.2023 14:43:03 Error DNS DNS name resolution failure (moa-upload-eu.allawnos.com)
20.06.2023 14:33:03 Error DNS DNS name resolution failure (moa-upload-eu.allawnos.com)
20.06.2023 14:13:10 Error DNS DNS name resolution failure (moa-upload-eu.allawnos.com)
20.06.2023 13:57:12 Error DNS DNS name resolution failure (moa-upload-eu.allawnos.com)
20.06.2023 13:28:35 Error DNS DNS name resolution failure (pti.store.microsoft.com)
20.06.2023 13:22:03 Error DNS DNS name resolution failure (moa-upload-eu.allawnos.com)
20.06.2023 13:12:03 Error DNS DNS name resolution failure (moa-upload-eu.allawnos.com)
20.06.2023 13:02:03 Error DNS DNS name resolution failure (moa-upload-eu.allawnos.com)
20.06.2023 12:13:09 Error DNS DNS name resolution failure (moa-upload-eu.allawnos.com)
20.06.2023 10:32:07 Error DNS DNS name resolution failure (moa-upload-eu.allawnos.com)
20.06.2023 10:27:53 Error DNS DNS name resolution failure (pti.store.microsoft.com)
20.06.2023 10:22:02 Error DNS DNS name resolution failure (moa-upload-eu.allawnos.com)

 

I've checked some of these domains at an external website, but they can't get their IP address either.

 

I also post the whole list so far, as an attachment below.

 

What the hell is happening?

I think these large companies are getting out of hand.

 

0 Likes
36 REPLIES 36

KeithFrench
Community Star
Private Message TalkTalk
Message 1 of 37

That I can't answer, as it would depend on the lease time set by the software creating the UPnP rules. From what I have seen online some are 3-5 mins, however, some can set an indefinite lease.

Keith
I am not employed by TalkTalk, I'm just a customer. If my post has fixed the issue, please set Accept as Solution from the 3 dot menu.
TalkTalk support and Community Stars - Who are they? 

0 Likes

Message 2 of 37

What I meant was, does a temporary one last 1 minute, 5 or 10 minutes?

 

Bill

0 Likes

KeithFrench
Community Star
Private Message TalkTalk
Message 3 of 37

All TalkTalk router firmware is idedependently tested by a security company before realease. Although there is the bug in it as I keep saying, there is no reason for you to use anything other than a firewall level of Medium, which does everything it is supposed to do. You have proved its protection via grc.com.

 

What is the difference between a permanent port forwarding rule & a temporary one, surely you don't need that explaining?

Keith
I am not employed by TalkTalk, I'm just a customer. If my post has fixed the issue, please set Accept as Solution from the 3 dot menu.
TalkTalk support and Community Stars - Who are they? 

0 Likes

Message 4 of 37

Hi, @KeithFrench 

 

Yes, I have been following your advice in disabling UPnP and WPS, that's not an issue for me.

I also understand that Windows firewall is providing additional protection, perhaps full protection.

The issue for me is working out what a firewall can do, in case I decide to use a different router.

One of the functions of a router, is to include a firewall within itself. It is essential that it be tested.

 

You say that UPnP allows any application to create a temporary port forwarding rule.

What's a temporary one, different from a normal forwarding rule?

 

Thanks.

 

Bill

 

0 Likes

Message 5 of 37

Hi, @Michelle-TalkTalk 

 

Thanks. I guess there's nothing much more for me to say.

 

Bill

0 Likes

KeithFrench
Community Star
Private Message TalkTalk
Message 6 of 37

Hi @Billx 

 

I see that @Michelle-TalkTalk has confirmed exactly what I have been trying to say for some time. The DNS entries are totally down to your devices. However, as I said there is the bug of their severity level being wrongly classified as Error when it should be Info. If this is fixed & a Save to PC button for the system log is added, then I can take things further.

 

Shields Up

There was no need to open all of the ports on the router's firewall at all. However, it did prove that even with them open, your PC was not detectable from the outside world. Please totally reset the firewall & put the firewall level back to Medium. I don't think you have any need for a level of Custom at all, although, as per my previous paragraph on the DNS entries, I have raised this as a bug because the custom rules have no effect. What is protecting your PC I will deal with further down this post.

 

DNS Query Sniffer

I have just tried the domain safebrowsing.googleapis.com and it resolves OK to 172.217.169.42. For some reason on your PC, it resolved OK once then there was no answer the next time. This is nothing to worry about.

 

What is protecting your PC

I have told you this before, but I will go into more detail now. Whether or not you are confused over the router's firewall, you are I would think you do not realise how much protection you have when your PC is connected to the router. Your PC is allocated an IP address from the router (most likely 192.168.1.X). This is a private IP address, unlike your router's WAN IP address which is a public one. It is impossible for anything on the internet to route an IP packet to a private IP address, they can only connect to public ones, like your router's public address. So they cannot connect to your PC even with the router's firewall on Medium.

 

There are only a few ways for the internet to connect to your PC and you, or malware etc have to allow them in. These are:-

  1. Putting your PC in the router's DMZ - this makes your PC very vulnerable.
  2. Configuring a Port Forwarding rule to allow certain TCP or UDP ports through from the router to the PC - you would only do this for very specialised circumstances, maybe to allow remote viewing of CCTV etc).
  3. UPnP - this is a way that an application (and particularly malware) to create a temporary port forwarding rule. 

Always disable UPnP and WPS they are both very insecure.

 

Then in the case of your PC, there is one other very big protection - the PC's own firewall in the form of Windows Defender.

Keith
I am not employed by TalkTalk, I'm just a customer. If my post has fixed the issue, please set Accept as Solution from the 3 dot menu.
TalkTalk support and Community Stars - Who are they? 

0 Likes

Michelle-TalkTalk
Support Team
Staff
Private Message
Message 7 of 37

Morning,

 

The team have looked into these errors (in your first post) and advised that this is not an issue. They have advised that the device/applications in the home are trying to connect to domains that no longer exist. The error log is just saying that some device tried to connect to these domains, but these domains weren’t found in TalkTalk’s DNS. We can only assume that these domains did exist at some point previously for some application, but have since been removed.

 

Thanks


 

0 Likes

Message 8 of 37

Hi @KeithFrench 

 

Please Keith, when I tested 'Shields Up Utility', I opened all the ports in the router via Firewall and I also enabled uPnP, then invited Shields Up, and it wasn't able to come through into a single port. Why might this be so? What would have been protecting my local network?

 

On other hand, yesterday I went through a restart procedure of the router, setup a custom Firewall, closing all outgoing ports 1024-65535, closing HTTPS port, closing IMAPS and SMTP ports, closing outgoing DNS. And this has not affected my normal use of the PC, all these things are operating.

Why might this be so? Am I misinterpreting what a Firewall should do?

 

Billx_1-1688058874518.png

 

Billx_2-1688058921018.png

 

Weirdly also, I've only had 1 DNS resolution failure in the last 25 hours.

 

Thanks Keith,

 

Bill

 

0 Likes

KeithFrench
Community Star
Private Message TalkTalk
Message 9 of 37

You are behind a secure firewall, I explained this right at the very start. The only way that something on the internet can access any of your devices is via the router configuration:-

  1. port forwarding
  2. port triggering
  3. UPnP created port forwarding
  4. or a device in the DMZ

Unless of course you "invite" them in via virus or malware etc.

 

Just keep UPnP & WPS disabled, as they do present serious security vulnerabilities.

 

The difference between domain names & CNAMES, this can get complex, but here goes.

 

Your PC's browser wants to go to a website, let's call it mywebsite.com. A DNS query is sent to the DNS server asking for the IP address associated with mywebsite.com (assuming that there is no local record for it in your PC's DNS cache). The DNS server will return a DNS Response packet to the PC and in there will be an Answers field. This may contain just one IP address for the domain mywebsite.com, perhaps 141.142.143.144. If the site has multiple IP addresses associated with this doain record (due to load balancing & redundancy etc it might have say three addresses:-

 

141.142.143.144

141.142.143.145

158.157.156.154

 

A CNAME record is totally different this is an alias for the domain. The canonical name (CNAME) record is used in lieu of an A record (IPv4 address), when a domain or subdomain is an alias of another domain. This answer specifies the true domain name. The DNS server will then it will trigger another DNS lookup for the CNAME value and return its IP address:-

 

old.example.com. CNAME new.example.com.

new.example.com. A 192.162.100.101


Suppose blog.example.com has a CNAME record with a value of ‘example.com’ (without the ‘blog’). This means when a DNS server hits the DNS records for blog.example.com, it actually triggers another DNS lookup to example.com, returning example.com’s IP address via its A record.

 

In this case, example.com is the canonical name (or true name) of blog.example.com.



Keith
I am not employed by TalkTalk, I'm just a customer. If my post has fixed the issue, please set Accept as Solution from the 3 dot menu.
TalkTalk support and Community Stars - Who are they? 

0 Likes

Message 10 of 37

Thanks, @KeithFrench 

 

I tried the 'Shields Up utility' several times, opening up everything in router Firewall. It tested all my ports and my enabled uPnP. It found that my local network including uPnp was behind a secure firewall, whereas it wasn't, because I had completely opened the firewall.

It reported everything as green, which means 'stealth' protection, whereas there was no 'stealth' protection that I am aware of.

 

In DNS Query Sniffer, what's the difference between 'Host Name'  and the domains appearing under 'CNAME'? They are completely different.

 

Thanks.

 

Bill

 

0 Likes

KeithFrench
Community Star
Private Message TalkTalk
Message 11 of 37

Hi @Billx 

 

Ah, you just mean MAC address filtering, that would block your phone.

 

The problem is really that without specialist expensive extra hardware you cannot detect all local traffic connected to your router at once. If you had this, then Wireshark would easily (for me I guess) identify which device was generating the potentially rogue DNS queries. The only way that can be done is to DNS Query Sniffer on each supported device, but what is still difficult to find out is which applications on a device may be responsible. Obviously, the browser & email clients could potentially be to blame. Maybe some other networked applications may as well. If it was malware, then who knows where they would be coming from?

 

I did try to point out in your other thread about the firewall, you don't need the level set to anything more than medium. Try going to the well-respected Gibson Research Corporation's website & running their Shields Up utility. This will check, amongst other things what devices it can see & if any, what ports are open on them. There is every likelihood that as your devices sit behind the router, they may not be detectable by the outside world at all.

Keith
I am not employed by TalkTalk, I'm just a customer. If my post has fixed the issue, please set Accept as Solution from the 3 dot menu.
TalkTalk support and Community Stars - Who are they? 

0 Likes

Message 12 of 37

Hi @KeithFrench 

Under the 5G wireless setting, under which my 3 devices run, there is an access control tab to control any of the connected devices.

And I said, deny access to the named mobile phone.

 

I'm not sure it's the phone. I got some weird DNS entries again, about an hour ago. I think my wife used the laptop for about 30 mins.

That's a difficulty with some network tools, they don't show where the DNS request is coming from.

 

I've downloaded DNSQuerySniffer and it's running. It shows many DNS requests going through, a lot of them, as expected from Google and Microsoft. They are coloured green, so they are not DNS failures.

However, in the Custom Firewall, I've blocked my own device from every router port from 1024 to 65535. I've also blocked it from performing DNS on port 53. You know what? My settings have absolutely no effect. If the router can't even do that, what can  it do?

DNSQuerySniffer shows me that most ports being used are over 50000 i.e. not normal ports. It seems Google and Microsoft are given a free pass, perhaps other large companies. It seems that any programmer can choose any port now, and do their own thing.

 

Thanks Keith,

 

Bill

0 Likes

KeithFrench
Community Star
Private Message TalkTalk
Message 13 of 37

I am not sure how you filtered out in the router, but perhaps it is your phone then?

Keith
I am not employed by TalkTalk, I'm just a customer. If my post has fixed the issue, please set Accept as Solution from the 3 dot menu.
TalkTalk support and Community Stars - Who are they? 

0 Likes

Message 14 of 37

Hi, @KeithFrench 

Well, the main Windows 10 PC is protected with Microsoft Defender Anti-Virus. It always reports that it has not found anything. I don't think using another anti-virus app would achieve very much. The Windows 11 laptop has been shutdown all day. The Android phone has been connected today. I filtered the phone out in the router since about 4 PM. There has not been any 'DNS name resolution failures' since then.

I attach the most recent entries.

 

Bill

0 Likes

KeithFrench
Community Star
Private Message TalkTalk
Message 15 of 37

Hi @Billx 

 

Thinking about the sheer number of these messages (I get about 10 to 15 a day), are you sure that one of your devices is infected with malware or some virus?

 

It would be easy to prove which device it is, by turning them all off for say 5 mins, then turn them on one at a time. Check the timestamps on the logs to see which one is the culprit.

Keith
I am not employed by TalkTalk, I'm just a customer. If my post has fixed the issue, please set Accept as Solution from the 3 dot menu.
TalkTalk support and Community Stars - Who are they? 

0 Likes

Message 16 of 37

Hello,

 

The Device Manager has contacted me and is currently looking at these error messages in the router now.

 

Thanks

 

Billx
Enlightened One
Private Message TalkTalk
Message 17 of 37

Since 2 days ago, when I reset the router to factory settings, I've had about 400 messages in the router's log, over 50% of these messages are 'DNS name resolution failure' messages.

I attach some new ones.

 

0 Likes

KeithFrench
Community Star
Private Message TalkTalk
Message 18 of 37

You could try Nirsoft's DNS Query Sniffer on your Windows PCs, it is pretty simple to understand:-

 

https://www.nirsoft.net/utils/dns_query_sniffer.htmlhttps://www.nirsoft.net/utils/dns_query_sniffer.... 

 

Yes I get loads of them.

Keith
I am not employed by TalkTalk, I'm just a customer. If my post has fixed the issue, please set Accept as Solution from the 3 dot menu.
TalkTalk support and Community Stars - Who are they? 

0 Likes

Message 19 of 37

Hi @KeithFrench 

 

On 3, I don't have a good understanding of the 7 layer model, so I'll give Wireshark a miss.

On 2, thanks for taking the time to explain what you are trying to do.

On 1, I fully agree.

By the the way,  you yourself are getting some of these 'DNS name resolution failure' messages, aren't you?

 

Bill

 

0 Likes

KeithFrench
Community Star
Private Message TalkTalk
Message 20 of 37

HI @Billx 

 

In response:-

 

  1. "Only if it has the lightest severity, right at the top, will you be able skip those entries, and see only the rest"  - that is the general idea, but only if the severity classification bug is fixed. Don't forget it will also filter out any other info classed messages, that might be of use.
  2. I don't know what a syslog server is. It is software that can run on a network-connected PC & is a central repository for syslog messages (system log) from the router. It often provides more scope for filtering than just on the severity classification. In a commercial environment, this would collate syslog messages from all routers, managed network switches, APs, gateways & other kit such as IP Telephone systems in one place. In a residential environment, these messages will mainly come from the router, but if there were numerous APs, mesh networks etc, it could be useful. With a mesh network though, these syslog messages from each node would be sent back to the gateway node & only that node would send them to the syslog server. However, most TalkTalk routers, such as the 5363 & 5464 do not have the facility to send their system log messages to a syslog server, so it can be irrelevant. Unless of course we get a "Save to PC" button added to the router, as per my request & then I may adapt the syslog server I wrote to be more of a syslog browser capable of both acting as a normal syslog server and importing a file previously saved from the router, so as that can have the same level of filtering as a a syslog server would.
  3. Wireshark. Do you have a very good understanding of the OSI 7 layer model & layer two frames, layaer three packets & layer four segments? If not, then forget Wireshark.

 

Keith
I am not employed by TalkTalk, I'm just a customer. If my post has fixed the issue, please set Accept as Solution from the 3 dot menu.
TalkTalk support and Community Stars - Who are they? 

0 Likes