20-06-2023 11:57 PM - edited 21-06-2023 12:28 AM
I've been receiving 'DNS name resolution failure' error in the log of the router for nearly a month now.
Many, many entries. This has been happening since 24/5/2023, when I had been upgraded from FTTC and an older router, to FTTH and the current router. I don't know whether this change is any part of the cause. There have been 868 entries so far. Many, many unknown domains are trying to get DNS from my local network through the router to the DNS server at TalkTalk, but blocked by the router. Weirdly, it includes 'assets.eero.com', 'pti.store.microsoft.com', and 'appdeum.talktalk.co.uk', but many others.
I list a sample:
20.06.2023 16:29:39 Error DNS DNS name resolution failure (moa-upload-eu.allawnos.com)
20.06.2023 16:10:34 Error DNS DNS name resolution failure (moa-upload-eu.allawnos.com)
20.06.2023 15:03:03 Error DNS DNS name resolution failure (moa-upload-eu.allawnos.com)
20.06.2023 14:53:03 Error DNS DNS name resolution failure (moa-upload-eu.allawnos.com)
20.06.2023 14:43:03 Error DNS DNS name resolution failure (moa-upload-eu.allawnos.com)
20.06.2023 14:33:03 Error DNS DNS name resolution failure (moa-upload-eu.allawnos.com)
20.06.2023 14:13:10 Error DNS DNS name resolution failure (moa-upload-eu.allawnos.com)
20.06.2023 13:57:12 Error DNS DNS name resolution failure (moa-upload-eu.allawnos.com)
20.06.2023 13:28:35 Error DNS DNS name resolution failure (pti.store.microsoft.com)
20.06.2023 13:22:03 Error DNS DNS name resolution failure (moa-upload-eu.allawnos.com)
20.06.2023 13:12:03 Error DNS DNS name resolution failure (moa-upload-eu.allawnos.com)
20.06.2023 13:02:03 Error DNS DNS name resolution failure (moa-upload-eu.allawnos.com)
20.06.2023 12:13:09 Error DNS DNS name resolution failure (moa-upload-eu.allawnos.com)
20.06.2023 10:32:07 Error DNS DNS name resolution failure (moa-upload-eu.allawnos.com)
20.06.2023 10:27:53 Error DNS DNS name resolution failure (pti.store.microsoft.com)
20.06.2023 10:22:02 Error DNS DNS name resolution failure (moa-upload-eu.allawnos.com)
I've checked some of these domains at an external website, but they can't get their IP address either.
I also post the whole list so far, as an attachment below.
What the hell is happening?
I think these large companies are getting out of hand.
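The log sample in the post above can be grouped by domain to see which names fail on a fixed timer. This is an added example, not part of the original post; the function names and the 5-second jitter threshold are assumptions, and the log lines are copied from the sample.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Lines copied from the sample in the post above (router log format).
SAMPLE_LOG = """\
20.06.2023 15:03:03 Error DNS DNS name resolution failure (moa-upload-eu.allawnos.com)
20.06.2023 14:53:03 Error DNS DNS name resolution failure (moa-upload-eu.allawnos.com)
20.06.2023 14:43:03 Error DNS DNS name resolution failure (moa-upload-eu.allawnos.com)
20.06.2023 14:33:03 Error DNS DNS name resolution failure (moa-upload-eu.allawnos.com)
20.06.2023 13:28:35 Error DNS DNS name resolution failure (pti.store.microsoft.com)
20.06.2023 10:27:53 Error DNS DNS name resolution failure (pti.store.microsoft.com)
"""

LINE_RE = re.compile(
    r"^(\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}) \S+ DNS "
    r"DNS name resolution failure \(([^)\s]+)\)\s*$"
)

def parse(log_text):
    """Return {domain: sorted list of datetimes}, skipping non-matching lines."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%d.%m.%Y %H:%M:%S")
        seen[m.group(2).lower()].append(ts)
    return {d: sorted(t) for d, t in seen.items()}

def summarise(log_text, jitter=5):
    """Per domain: failure count, median gap in seconds, and whether the gaps
    are regular (all within `jitter` seconds of the median), which points at
    a background client retrying on a timer rather than a person browsing."""
    report = {}
    for domain, times in parse(log_text).items():
        gaps = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
        med = median(gaps) if gaps else None
        regular = len(gaps) >= 2 and all(abs(g - med) <= jitter for g in gaps)
        report[domain] = {"count": len(times), "median_gap": med, "regular": regular}
    return report

if __name__ == "__main__":
    for domain, info in sorted(summarise(SAMPLE_LOG).items()):
        print(domain, info)
```

A domain flagged as regular can then be matched against which device was powered on during those intervals.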
on 30-06-2023 10:04 PM
That I can't answer, as it would depend on the lease time set by the software creating the UPnP rules. From what I have seen online some are 3-5 mins, however, some can set an indefinite lease.
Keith
I am not employed by TalkTalk, I'm just a customer. If my post has fixed the issue, please set Accept as Solution from the 3 dot menu.
TalkTalk support and Community Stars - Who are they?
on 30-06-2023 04:33 PM
What I meant was, does a temporary one last 1 minute, 5 or 10 minutes?
Bill
on 30-06-2023 10:53 AM
All TalkTalk router firmware is independently tested by a security company before release. Although there is the bug in it as I keep saying, there is no reason for you to use anything other than a firewall level of Medium, which does everything it is supposed to do. You have proved its protection via grc.com.
What is the difference between a permanent port forwarding rule & a temporary one, surely you don't need that explaining?
Keith
on 30-06-2023 10:45 AM
Hi, @KeithFrench
Yes, I have been following your advice in disabling UPnP and WPS, that's not an issue for me.
I also understand that Windows firewall is providing additional protection, perhaps full protection.
The issue for me is working out what a firewall can do, in case I decide to use a different router.
One of the functions of a router, is to include a firewall within itself. It is essential that it be tested.
You say that UPnP allows any application to create a temporary port forwarding rule.
What's a temporary one, different from a normal forwarding rule?
Thanks.
Bill
on 30-06-2023 10:00 AM
Hi @Billx
I see that @Michelle-TalkTalk has confirmed exactly what I have been trying to say for some time. The DNS entries are totally down to your devices. However, as I said there is the bug of their severity level being wrongly classified as Error when it should be Info. If this is fixed & a Save to PC button for the system log is added, then I can take things further.
Shields Up
There was no need to open all of the ports on the router's firewall at all. However, it did prove that even with them open, your PC was not detectable from the outside world. Please totally reset the firewall & put the firewall level back to Medium. I don't think you have any need for a level of Custom at all, although, as per my previous paragraph on the DNS entries, I have raised this as a bug because the custom rules have no effect. What is protecting your PC I will deal with further down this post.
DNS Query Sniffer
I have just tried the domain safebrowsing.googleapis.com and it resolves OK to 172.217.169.42. For some reason on your PC, it resolved OK once then there was no answer the next time. This is nothing to worry about.
What is protecting your PC
I have told you this before, but I will go into more detail now. Whether or not you are confused over the router's firewall, I would think you do not realise how much protection you have when your PC is connected to the router. Your PC is allocated an IP address from the router (most likely 192.168.1.X). This is a private IP address, unlike your router's WAN IP address which is a public one. It is impossible for anything on the internet to route an IP packet to a private IP address, they can only connect to public ones, like your router's public address. So they cannot connect to your PC even with the router's firewall on Medium.
There are only a few ways for the internet to connect to your PC and you, or malware etc have to allow them in. These are:-
Always disable UPnP and WPS; they are both very insecure.
Then in the case of your PC, there is one other very big protection - the PC's own firewall in the form of Windows Defender.
Keith
on 30-06-2023 07:28 AM
Morning,
The team have looked into these errors (in your first post) and advised that this is not an issue. They have advised that the device/applications in the home are trying to connect to domains that no longer exist. The error log is just saying that some device tried to connect to these domains, but these domains weren’t found in TalkTalk’s DNS. We can only assume that these domains did exist at some point previously for some application, but have since been removed.
Thanks
on 29-06-2023 06:25 PM
Hi @KeithFrench
Please Keith, when I tested 'Shields Up Utility', I opened all the ports in the router via Firewall and I also enabled uPnP, then invited Shields Up, and it wasn't able to come through into a single port. Why might this be so? What would have been protecting my local network?
On the other hand, yesterday I went through a restart procedure of the router, set up a custom Firewall, closing all outgoing ports 1024-65535, closing HTTPS port, closing IMAPS and SMTP ports, closing outgoing DNS. And this has not affected my normal use of the PC, all these things are operating.
Why might this be so? Am I misinterpreting what a Firewall should do?
Weirdly also, I've only had 1 DNS resolution failure in the last 25 hours.
Thanks Keith,
Bill
on 28-06-2023 03:44 PM
You are behind a secure firewall, I explained this right at the very start. The only way that something on the internet can access any of your devices is via the router configuration:-
Unless of course you "invite" them in via virus or malware etc.
Just keep UPnP & WPS disabled, as they do present serious security vulnerabilities.
The difference between domain names & CNAMES, this can get complex, but here goes.
Your PC's browser wants to go to a website, let's call it mywebsite.com. A DNS query is sent to the DNS server asking for the IP address associated with mywebsite.com (assuming that there is no local record for it in your PC's DNS cache). The DNS server will return a DNS Response packet to the PC and in there will be an Answers field. This may contain just one IP address for the domain mywebsite.com, perhaps 141.142.143.144. If the site has multiple IP addresses associated with this domain record (due to load balancing & redundancy etc) it might have say three addresses:-
141.142.143.144
141.142.143.145
158.157.156.154
A CNAME record is totally different; this is an alias for the domain. The canonical name (CNAME) record is used in lieu of an A record (IPv4 address), when a domain or subdomain is an alias of another domain. This answer specifies the true domain name. The DNS server will then trigger another DNS lookup for the CNAME value and return its IP address:-
old.example.com. CNAME new.example.com.
new.example.com. A 192.162.100.101
Suppose blog.example.com has a CNAME record with a value of ‘example.com’ (without the ‘blog’). This means when a DNS server hits the DNS records for blog.example.com, it actually triggers another DNS lookup to example.com, returning example.com’s IP address via its A record.
In this case, example.com is the canonical name (or true name) of blog.example.com.
Keith
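The Answers field described in the post above, decoded from a constructed DNS response for blog.example.com, showing why a sniffer lists a host name and a different CNAME for the same query. This is an added example, not part of the original post; `RESPONSE`, the address 192.0.2.10 and the function names are assumptions made for illustration.

```python
import struct

# Constructed response (not captured traffic); 192.0.2.10 is a documentation address.
RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x02\x00\x00\x00\x00"    # header: 1 question, 2 answers
    b"\x04blog\x07example\x03com\x00\x00\x01\x00\x01"      # question: blog.example.com A IN
    b"\xc0\x0c\x00\x05\x00\x01\x00\x00\x01\x2c\x00\x02\xc0\x11"          # CNAME -> example.com
    b"\xc0\x11\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\xc0\x00\x02\x0a"  # A 192.0.2.10
)

def read_name(msg, off, depth=0):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    if depth > 10:
        raise ValueError("compression pointer loop")
    labels = []
    while True:
        n = msg[off]
        if n == 0:
            return ".".join(labels), off + 1
        if n & 0xC0 == 0xC0:  # pointer to a name earlier in the message
            ptr = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            return ".".join(labels + [read_name(msg, ptr, depth + 1)[0]]).rstrip("."), off + 2
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n

def parse_response(msg):
    """Return (queried name, [(owner, type, value), ...]) from the Answers."""
    qd, an = struct.unpack_from("!HH", msg, 4)
    off = 12
    for _ in range(qd):
        qname, off = read_name(msg, off)
        off += 4  # skip QTYPE and QCLASS
    answers = []
    for _ in range(an):
        owner, off = read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 5:
            answers.append((owner, "CNAME", read_name(msg, off)[0]))
        elif rtype == 1:
            answers.append((owner, "A", ".".join(map(str, msg[off:off + 4]))))
        off += rdlen
    return qname, answers

def follow_cname(qname, answers):
    aliases = {o: v for o, t, v in answers if t == "CNAME"}
    chain = [qname]
    while chain[-1] in aliases and aliases[chain[-1]] not in chain:  # stop on alias loops
        chain.append(aliases[chain[-1]])
    return chain, [v for o, t, v in answers if t == "A" and o == chain[-1]]
```

`follow_cname(*parse_response(RESPONSE))` returns the alias chain from the queried name to the canonical name, plus the A records owned by that canonical name.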
28-06-2023 03:19 PM - edited 28-06-2023 03:25 PM
Thanks, @KeithFrench
I tried the 'Shields Up utility' several times, opening up everything in router Firewall. It tested all my ports and my enabled uPnP. It found that my local network including uPnp was behind a secure firewall, whereas it wasn't, because I had completely opened the firewall.
It reported everything as green, which means 'stealth' protection, whereas there was no 'stealth' protection that I am aware of.
In DNS Query Sniffer, what's the difference between 'Host Name' and the domains appearing under 'CNAME'? They are completely different.
Thanks.
Bill
on 28-06-2023 01:22 PM
Hi @Billx
Ah, you just mean MAC address filtering, that would block your phone.
The problem is really that without specialist expensive extra hardware you cannot detect all local traffic connected to your router at once. If you had this, then Wireshark would easily (for me I guess) identify which device was generating the potentially rogue DNS queries. The only way that can be done is to run DNS Query Sniffer on each supported device, but what is still difficult to find out is which applications on a device may be responsible. Obviously, the browser & email clients could potentially be to blame. Maybe some other networked applications may as well. If it was malware, then who knows where they would be coming from?
I did try to point out in your other thread about the firewall, you don't need the level set to anything more than medium. Try going to the well-respected Gibson Research Corporation's website & running their Shields Up utility. This will check, amongst other things what devices it can see & if any, what ports are open on them. There is every likelihood that as your devices sit behind the router, they may not be detectable by the outside world at all.
Keith
28-06-2023 01:05 PM - edited 28-06-2023 01:21 PM
Hi @KeithFrench
Under the 5G wireless setting, under which my 3 devices run, there is an access control tab to control any of the connected devices.
And I said, deny access to the named mobile phone.
I'm not sure it's the phone. I got some weird DNS entries again, about an hour ago. I think my wife used the laptop for about 30 mins.
That's a difficulty with some network tools, they don't show where the DNS request is coming from.
I've downloaded DNSQuerySniffer and it's running. It shows many DNS requests going through, a lot of them, as expected from Google and Microsoft. They are coloured green, so they are not DNS failures.
However, in the Custom Firewall, I've blocked my own device from every router port from 1024 to 65535. I've also blocked it from performing DNS on port 53. You know what? My settings have absolutely no effect. If the router can't even do that, what can it do?
DNSQuerySniffer shows me that most ports being used are over 50000 i.e. not normal ports. It seems Google and Microsoft are given a free pass, perhaps other large companies. It seems that any programmer can choose any port now, and do their own thing.
Thanks Keith,
Bill
on 27-06-2023 09:46 PM
I am not sure how you filtered out in the router, but perhaps it is your phone then?
Keith
on 27-06-2023 05:55 PM
Hi, @KeithFrench
Well, the main Windows 10 PC is protected with Microsoft Defender Anti-Virus. It always reports that it has not found anything. I don't think using another anti-virus app would achieve very much. The Windows 11 laptop has been shut down all day. The Android phone has been connected today. I filtered the phone out in the router since about 4 PM. There have not been any 'DNS name resolution failures' since then.
I attach the most recent entries.
Bill
on 27-06-2023 02:49 PM
Hi @Billx
Thinking about the sheer number of these messages (I get about 10 to 15 a day), are you sure that one of your devices is infected with malware or some virus?
It would be easy to prove which device it is, by turning them all off for say 5 mins, then turn them on one at a time. Check the timestamps on the logs to see which one is the culprit.
Keith
on 27-06-2023 01:17 PM
Hello,
The Device Manager has contacted me and is currently looking at these error messages in the router now.
Thanks
on 27-06-2023 01:03 PM
Since 2 days ago, when I reset the router to factory settings, I've had about 400 messages in the router's log, over 50% of these messages are 'DNS name resolution failure' messages.
I attach some new ones.
on 27-06-2023 12:51 PM
You could try Nirsoft's DNS Query Sniffer on your Windows PCs, it is pretty simple to understand:-
Yes I get loads of them.
Keith
27-06-2023 12:36 PM - edited 27-06-2023 12:42 PM
Hi @KeithFrench
On 3, I don't have a good understanding of the 7 layer model, so I'll give Wireshark a miss.
On 2, thanks for taking the time to explain what you are trying to do.
On 1, I fully agree.
By the way, you yourself are getting some of these 'DNS name resolution failure' messages, aren't you?
Bill
on 27-06-2023 11:10 AM
Hi @Billx
In response:-
Keith