LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
12-18-2018, 12:55 AM   #1
bluemoo
Shady A & AAAA requests from routers ~3 weeks


I'm seeing a lot of shady-looking A & AAAA requests from my router for the past ~3 weeks, and I'm stumped on how to figure out what is ultimately causing it and what I can do about it.

I see the requests because I'm running a DNS server that the router uses as its primary name server. The A & AAAA record requests coincide with the router reporting a slew of dropped packets, and I'm not sure why they're related.

Questions:
Are the dropped packets and the record request related? If they are, why?
How do I stop the flurry of requests from the router?


Router: Asus RT-N66U (stock OS, latest firmware, rebooted nightly)
DNS server: pi-hole running on a raspberry pi 3

A & AAAA records requested for these domains:
[image: Mon_Dec_17_17:27:40_PST_2018.png]

Graph of requests that appear to originate from the router and are blocked by the DNS server:
[image: Mon_Dec_17_22:51:28_PST_2018.png]

Some of the logs from the DNS server (192.168.1.1 = router):
Code:
*** [ DIAGNOSING ]: Pi-hole log
-rw-r--r-- 1 pihole pihole 2190741 Dec 18 06:53 /var/log/pihole.log
   -----head of pihole.log------
   Dec 18 00:00:06 dnsmasq[844]: query[A] api.sexyun.net from 192.168.1.1
   Dec 18 00:00:06 dnsmasq[844]: cached api.sexyun.net is 8.8.8.8
   Dec 18 00:00:06 dnsmasq[844]: query[AAAA] api.sexyun.net from 192.168.1.1
   Dec 18 00:00:06 dnsmasq[844]: cached api.sexyun.net is NODATA-IPv6
   Dec 18 00:00:16 dnsmasq[844]: query[A] api.sexyun.net from 192.168.1.1
   Dec 18 00:00:16 dnsmasq[844]: cached api.sexyun.net is 8.8.8.8
   Dec 18 00:00:16 dnsmasq[844]: query[AAAA] api.sexyun.net from 192.168.1.1
   Dec 18 00:00:16 dnsmasq[844]: cached api.sexyun.net is NODATA-IPv6
   Dec 18 00:00:26 dnsmasq[844]: query[A] api.sexyun.net from 192.168.1.1
   Dec 18 00:00:26 dnsmasq[844]: cached api.sexyun.net is 8.8.8.8
   Dec 18 00:00:26 dnsmasq[844]: query[AAAA] api.sexyun.net from 192.168.1.1
   Dec 18 00:00:26 dnsmasq[844]: cached api.sexyun.net is NODATA-IPv6
   Dec 18 00:00:27 dnsmasq[844]: query[A] ocsp.digicert.com from 192.168.1.1
   Dec 18 00:00:27 dnsmasq[844]: forwarded ocsp.digicert.com to 1.1.1.1
   Dec 18 00:00:36 dnsmasq[844]: query[A] api.sexyun.net from 192.168.1.1
   Dec 18 00:00:36 dnsmasq[844]: cached api.sexyun.net is 8.8.8.8
   Dec 18 00:00:36 dnsmasq[844]: query[AAAA] api.sexyun.net from 192.168.1.1
   Dec 18 00:00:36 dnsmasq[844]: cached api.sexyun.net is NODATA-IPv6
   Dec 18 00:00:46 dnsmasq[844]: query[A] api.sexyun.net from 192.168.1.1
   Dec 18 00:00:46 dnsmasq[844]: cached api.sexyun.net is 8.8.8.8
Syslog on router:
Code:
Dec 17 22:34:05 kernel: DROP  <4>DROP IN=eth0 OUT= MAC=f0:79:59:8a:31:e8:00:01:5c:6b:72:46:08:00 <1>SRC=184.54.195.91 DST=ROUTER_IP <1>LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=15218 PROTO=TCP <1>SPT=21054 DPT=23 SEQ=401719752 ACK=0 WINDOW=9542 RES=0x00 SYN URGP=0 
Dec 17 22:35:08 kernel: DROP  <4>DROP IN=eth0 OUT= MAC=f0:79:59:8a:31:e8:00:01:5c:6b:72:46:08:00 <1>SRC=139.162.72.191 DST=ROUTER_IP <1>LEN=40 TOS=0x00 PREC=0x00 TTL=243 ID=54321 PROTO=TCP <1>SPT=60683 DPT=3127 SEQ=2072652883 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 
Dec 17 22:35:18 kernel: DROP  <4>DROP IN=eth0 OUT= MAC=f0:79:59:8a:31:e8:00:01:5c:6b:72:46:08:00 <1>SRC=196.52.43.60 DST=ROUTER_IP <1>LEN=44 TOS=0x00 PREC=0x00 TTL=239 ID=40030 PROTO=TCP <1>SPT=51878 DPT=2161 SEQ=1029723623 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 OPT (020405B4) 
Dec 17 22:36:36 kernel: DROP  <4>DROP IN=eth0 OUT= MAC=f0:79:59:8a:31:e8:00:01:5c:6b:72:46:08:00 <1>SRC=176.119.7.10 DST=ROUTER_IP <1>LEN=40 TOS=0x00 PREC=0x00 TTL=238 ID=8541 PROTO=TCP <1>SPT=48282 DPT=27965 SEQ=3091434920 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 
Dec 17 22:38:47 kernel: DROP  <4>DROP IN=eth0 OUT= MAC=f0:79:59:8a:31:e8:00:01:5c:6b:72:46:08:00 <1>SRC=41.140.173.118 DST=ROUTER_IP <1>LEN=40 TOS=0x08 PREC=0x00 TTL=43 ID=27986 PROTO=TCP <1>SPT=61904 DPT=23 SEQ=401719752 ACK=0 WINDOW=54064 RES=0x00 SYN URGP=0 
Dec 17 22:39:19 kernel: DROP  <4>DROP IN=eth0 OUT= MAC=f0:79:59:8a:31:e8:00:01:5c:6b:72:46:08:00 <1>SRC=184.105.247.240 DST=ROUTER_IP <1>LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=54321 PROTO=TCP <1>SPT=55201 DPT=21 SEQ=2872121414 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 
Dec 17 22:39:30 kernel: DROP  <4>DROP IN=eth0 OUT= MAC=f0:79:59:8a:31:e8:00:01:5c:6b:72:46:08:00 <1>SRC=27.204.152.81 DST=ROUTER_IP <1>LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=36730 PROTO=TCP <1>SPT=49579 DPT=22 SEQ=401719752 ACK=0 WINDOW=46032 RES=0x00 SYN URGP=0 
Dec 17 22:39:54 kernel: DROP  <4>DROP IN=eth0 OUT= MAC=f0:79:59:8a:31:e8:00:01:5c:6b:72:46:08:00 <1>SRC=196.52.43.130 DST=ROUTER_IP <1>LEN=125 TOS=0x00 PREC=0x00 TTL=241 ID=54321 PROTO=UDP <1>SPT=55258 DPT=1900 LEN=105 
Dec 17 22:40:08 kernel: DROP  <4>DROP IN=eth0 OUT= MAC=f0:79:59:8a:31:e8:00:01:5c:6b:72:46:08:00 <1>SRC=5.188.206.245 DST=ROUTER_IP <1>LEN=40 TOS=0x00 PREC=0x00 TTL=238 ID=53679 PROTO=TCP <1>SPT=8080 DPT=5007 SEQ=843318248 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 
Dec 17 22:40:15 kernel: DROP  <4>DROP IN=eth0 OUT= MAC=f0:79:59:8a:31:e8:00:01:5c:6b:72:46:08:00 <1>SRC=176.119.7.50 DST=ROUTER_IP <1>LEN=40 TOS=0x00 PREC=0x00 TTL=238 ID=53639 PROTO=TCP <1>SPT=56054 DPT=8921 SEQ=2550477462 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 
Dec 17 22:41:08 kernel: DROP  <4>DROP IN=eth0 OUT= MAC=f0:79:59:8a:31:e8:00:01:5c:6b:72:46:08:00 <1>SRC=185.143.223.53 DST=ROUTER_IP <1>LEN=40 TOS=0x00 PREC=0x00 TTL=233 ID=6856 PROTO=TCP <1>SPT=52024 DPT=60000 SEQ=334311776 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 
Dec 17 22:42:21 kernel: DROP  <4>DROP IN=eth0 OUT= MAC=f0:79:59:8a:31:e8:00:01:5c:6b:72:46:08:00 <1>SRC=198.108.67.33 DST=ROUTER_IP <1>LEN=40 TOS=0x00 PREC=0x00 TTL=36 ID=54020 PROTO=TCP <1>SPT=43961 DPT=8871 SEQ=3759870119 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 
Dec 17 22:42:51 kernel: DROP  <4>DROP IN=eth0 OUT= MAC=f0:79:59:8a:31:e8:00:01:5c:6b:72:46:08:00 <1>SRC=198.108.66.195 DST=ROUTER_IP <1>LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=54321 PROTO=TCP <1>SPT=57709 DPT=1521 SEQ=3154517406 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 
Dec 17 22:42:54 kernel: DROP  <4>DROP IN=eth0 OUT= MAC=f0:79:59:8a:31:e8:00:01:5c:6b:72:46:08:00 <1>SRC=176.119.4.18 DST=ROUTER_IP <1>LEN=40 TOS=0x00 PREC=0x00 TTL=237 ID=53522 PROTO=TCP <1>SPT=50923 DPT=5135 SEQ=488113365 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 
Dec 17 22:42:56 kernel: DROP  <4>DROP IN=eth0 OUT= MAC=f0:79:59:8a:31:e8:00:01:5c:6b:72:46:08:00 <1>SRC=176.119.7.38 DST=ROUTER_IP <1>LEN=40 TOS=0x00 PREC=0x00 TTL=238 ID=45188 PROTO=TCP <1>SPT=52016 DPT=3183 SEQ=2908912931 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 
Dec 17 22:43:46 kernel: DROP  <4>DROP IN=eth0 OUT= MAC=f0:79:59:8a:31:e8:00:01:5c:6b:72:46:08:00 <1>SRC=176.119.4.18 DST=ROUTER_IP <1>LEN=40 TOS=0x00 PREC=0x00 TTL=237 ID=5727 PROTO=TCP <1>SPT=50923 DPT=5101 SEQ=2503918714 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 
Dec 17 22:43:49 kernel: DROP  <4>DROP IN=eth0 OUT= MAC=f0:79:59:8a:31:e8:00:01:5c:6b:72:46:08:00 <1>SRC=106.38.113.226 DST=ROUTER_IP <1>LEN=44 TOS=0x00 PREC=0x00 TTL=241 ID=50795 PROTO=TCP <1>SPT=3814 DPT=1433 SEQ=864092730 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 OPT (020404B0) 
Dec 17 22:43:54 kernel: DROP  <4>DROP IN=eth0 OUT= MAC=f0:79:59:8a:31:e8:00:01:5c:6b:72:46:08:00 <1>SRC=193.238.46.112 DST=ROUTER_IP <1>LEN=40 TOS=0x08 PREC=0x00 TTL=237 ID=42752 PROTO=TCP <1>SPT=54680 DPT=3390 SEQ=59075574 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 
Dec 17 22:43:59 kernel: DROP  <4>DROP IN=eth0 OUT= MAC=f0:79:59:8a:31:e8:00:01:5c:6b:72:46:08:00 <1>SRC=104.131.137.85 DST=ROUTER_IP <1>LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=54321 PROTO=TCP <1>SPT=54550 DPT=9030 SEQ=543476067 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 
Dec 17 22:44:00 kernel: DROP  <4>DROP IN=eth0 OUT= MAC=f0:79:59:8a:31:e8:00:01:5c:6b:72:46:08:00 <1>SRC=185.176.26.15 DST=ROUTER_IP <1>LEN=40 TOS=0x00 PREC=0x00 TTL=241 ID=15193 PROTO=TCP <1>SPT=49393 DPT=54216 SEQ=4142213465 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 
Dec 17 22:44:04 kernel: DROP  <4>DROP IN=eth0 OUT= MAC=f0:79:59:8a:31:e8:00:01:5c:6b:72:46:08:00 <1>SRC=50.116.18.33 DST=ROUTER_IP <1>LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=54321 PROTO=TCP <1>SPT=53721 DPT=1471 SEQ=3705624248 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 
Dec 17 22:44:08 kernel: DROP  <4>DROP IN=eth0 OUT= MAC=f0:79:59:8a:31:e8:00:01:5c:6b:72:46:08:00 <1>SRC=176.119.7.22 DST=ROUTER_IP <1>LEN=40 TOS=0x00 PREC=0x00 TTL=238 ID=3304 PROTO=TCP <1>SPT=54223 DPT=3188 SEQ=276218196 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 
Dec 17 22:44:27 kernel: DROP  <4>DROP IN=eth0 OUT= MAC=f0:79:59:8a:31:e8:00:01:5c:6b:72:46:08:00 <1>SRC=185.53.91.50 DST=ROUTER_IP <1>LEN=441 TOS=0x08 PREC=0x00 TTL=43 ID=7202 DF PROTO=UDP <1>SPT=6388 DPT=5060 LEN=421 
Dec 17 22:44:41 kernel: DROP  <4>DROP IN=eth0 OUT= MAC=f0:79:59:8a:31:e8:00:01:5c:6b:72:46:08:00 <1>SRC=78.128.112.94 DST=ROUTER_IP <1>LEN=40 TOS=0x00 PREC=0x00 TTL=238 ID=46276 PROTO=TCP <1>SPT=58668 DPT=13442 SEQ=266092942 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 
Dec 17 22:46:01 kernel: DROP  <4>DROP IN=eth0 OUT= MAC=f0:79:59:8a:31:e8:00:01:5c:6b:72:46:08:00 <1>SRC=107.174.126.93 DST=ROUTER_IP <1>LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=24435 PROTO=TCP <1>SPT=57609 DPT=1433 SEQ=2635111202 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 
Dec 17 22:46:35 kernel: DROP  <4>DROP IN=eth0 OUT= MAC=f0:79:59:8a:31:e8:00:01:5c:6b:72:46:08:00 <1>SRC=176.119.4.7 DST=ROUTER_IP <1>LEN=40 TOS=0x00 PREC=0x00 TTL=236 ID=52584 PROTO=TCP <1>SPT=55452 DPT=2895 SEQ=359466991 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 
Dec 17 22:46:44 kernel: DROP  <4>DROP IN=eth0 OUT= MAC=f0:79:59:8a:31:e8:00:01:5c:6b:72:46:08:00 <1>SRC=185.234.216.223 DST=ROUTER_IP <1>LEN=40 TOS=0x00 PREC=0x00 TTL=104 ID=256 PROTO=TCP <1>SPT=6000 DPT=1433 SEQ=2018639872 ACK=0 WINDOW=16384 RES=0x00 SYN URGP=0
Not sure if it matters, but I ran top on the router:
Code:
Mem: 133344K used, 106420K free, 0K shrd, 7260K buff, 22628K cached
CPU:   0% usr   0% sys   0% nic 100% idle   0% io   0% irq   0% sirq
Load average: 0.00 0.00 0.00 3/60 2342
  PID  PPID USER     STAT   VSZ %MEM %CPU COMMAND
 1884   796 p1co     S    62920  26%   0% j1d2h7a
  400     1 p1co     S     5560   2%   0% mastiff
  655   422 p1co     S     5560   2%   0% mastiff
  423   422 p1co     S     5560   2%   0% mastiff
  422   400 p1co     S     5560   2%   0% mastiff
  364     1 p1co     S     5124   2%   0% httpd -i br0
    1     0 p1co     S     4916   2%   0% /sbin/init noinitrd
  339     1 p1co     S     4912   2%   0% /sbin/wanduck
  480     1 p1co     S     4908   2%   0% ntp
  402     1 p1co     S     4908   2%   0% erp_monitor
  541     1 p1co     S     4908   2%   0% usbled
  610     1 p1co     S     4908   2%   0% disk_monitor
  352     1 p1co     S     4908   2%   0% wpsaide
  184     1 p1co     S     4900   2%   0% console
  392     1 p1co     R     4740   2%   0% networkmap --bootwait
  349     1 p1co     S     4048   2%   0% /bin/wps_monitor
  374     1 p1co     S     2748   1%   0% rstats
  367     1 p1co     S     2428   1%   0% sysstate
  542     1 p1co     S     2284   1%   0% u2ec
  545   544 p1co     S     2284   1%   0% u2ec
  544   542 p1co     S     2284   1%   0% u2ec
 2066  2018 p1co     S     1652   1%   0% -sh
  351     1 p1co     S     1652   1%   0% nas
  617     1 p1co     S     1636   1%   0% /sbin/udhcpc -i eth0 -p /var/run/udhcpc0.pid -s /tmp/udhcpc -O33 -O249
  193   184 p1co     S     1632   1%   0% /bin/sh
  363     1 p1co     S     1632   1%   0% crond
 2120     1 p1co     S     1632   1%   0% crond
 2018     1 p1co     S     1624   1%   0% telnetd -b 192.168.1.1
 2342  2066 p1co     R     1624   1%   0% top
 2011     1 p1co     S     1620   1%   0% /sbin/syslogd -m 0 -S -O /tmp/syslog.log -s 256 -l 6
 2013     1 p1co     S     1620   1%   0% /sbin/klogd -c 5
  358     1 p1co     S     1544   1%   0% /usr/sbin/acsd
  796     1 p1co     S     1504   1%   0% j1d2h7a
  340     1 p1co     S     1384   1%   0% protect_srv
  344   340 p1co     S     1384   1%   0% protect_srv
  345   344 p1co     S     1384   1%   0% protect_srv
  543     1 p1co     S     1276   1%   0% lpd br0
  797   796 p1co     S     1268   1%   0% j1d2h7a
  384     1 p1co     S     1220   1%   0% lld2d br0
  347     1 p1co     S     1216   1%   0% /bin/eapd
  365     1 p1co     S     1176   0%   0% /usr/sbin/infosvr br0
  361     1 nobody   S     1172   0%   0% dnsmasq --log-async
  356     1 p1co     S     1156   0%   0% /usr/sbin/wlceventd
  121     1 p1co     S      620   0%   0% hotplug2 --persistent --no-coldplug
  789     1 p1co     S      248   0%   0% g4d2wkk
  192     2 p1co     SWN      0   0%   0% [jffs2_gcd_mtd4]
   51     2 p1co     SW       0   0%   0% [pdflush]
    3     2 p1co     SWN      0   0%   0% [ksoftirqd/0]
  100     2 p1co     SW<      0   0%   0% [mtdblockd]
    4     2 p1co     SW<      0   0%   0% [events/0]
  217     2 p1co     SW<      0   0%   0% [khubd]
   53     2 p1co     SW<      0   0%   0% [aio/0]
    2     0 p1co     SW<      0   0%   0% [kthreadd]
  510     2 p1co     SW<      0   0%   0% [scsi_eh_0]
  511     2 p1co     SW<      0   0%   0% [usb-storage]
  117     2 p1co     SW<      0   0%   0% [kmmcd]
   52     2 p1co     SW<      0   0%   0% [kswapd0]
    5     2 p1co     SW<      0   0%   0% [khelper]
   19     2 p1co     SW<      0   0%   0% [kblockd/0]
^ the telnet session is my connection

Last edited by bluemoo; 12-18-2018 at 01:00 AM.
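A defender's first pass over the two logs in the post, written here as an added example (it is not the poster's code, nor anything shipped with pi-hole or the Asus firmware). It parses the dnsmasq `query[...]` lines and groups them per client, name and record type, flagging any series whose gaps are all close to one fixed interval (the post's 10-second cadence is exactly that pattern), and separately tallies the router's iptables DROP lines by inbound interface, protocol and destination port with a count of distinct sources per port. Having both summaries side by side is what lets you answer the "are these related?" question from data rather than from coincidence in time. The sample lines are copied from the post, plus constructed lines for a second client (192.168.1.50, www.example.org) that is deliberately not periodic; the year, the tolerance and the minimum count are assumptions, since syslog timestamps carry no year and the post sets no thresholds.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Sample pi-hole (dnsmasq) lines: the 192.168.1.1 lines are copied from the post,
# the 192.168.1.50 lines are constructed to show a client that is NOT periodic.
DNSMASQ_LOG = """\
Dec 18 00:00:06 dnsmasq[844]: query[A] api.sexyun.net from 192.168.1.1
Dec 18 00:00:06 dnsmasq[844]: cached api.sexyun.net is 8.8.8.8
Dec 18 00:00:06 dnsmasq[844]: query[AAAA] api.sexyun.net from 192.168.1.1
Dec 18 00:00:16 dnsmasq[844]: query[A] api.sexyun.net from 192.168.1.1
Dec 18 00:00:16 dnsmasq[844]: query[AAAA] api.sexyun.net from 192.168.1.1
Dec 18 00:00:26 dnsmasq[844]: query[A] api.sexyun.net from 192.168.1.1
Dec 18 00:00:26 dnsmasq[844]: query[AAAA] api.sexyun.net from 192.168.1.1
Dec 18 00:00:27 dnsmasq[844]: query[A] ocsp.digicert.com from 192.168.1.1
Dec 18 00:00:27 dnsmasq[844]: forwarded ocsp.digicert.com to 1.1.1.1
Dec 18 00:00:36 dnsmasq[844]: query[A] api.sexyun.net from 192.168.1.1
Dec 18 00:00:36 dnsmasq[844]: query[AAAA] api.sexyun.net from 192.168.1.1
Dec 18 00:00:46 dnsmasq[844]: query[A] api.sexyun.net from 192.168.1.1
Dec 18 00:03:10 dnsmasq[844]: query[A] www.example.org from 192.168.1.50
Dec 18 00:07:41 dnsmasq[844]: query[A] www.example.org from 192.168.1.50
Dec 18 00:08:02 dnsmasq[844]: query[A] www.example.org from 192.168.1.50
"""

# Three router firewall DROP lines copied from the post (DST is redacted there as well).
ROUTER_SYSLOG = """\
Dec 17 22:34:05 kernel: DROP  <4>DROP IN=eth0 OUT= MAC=f0:79:59:8a:31:e8:00:01:5c:6b:72:46:08:00 <1>SRC=184.54.195.91 DST=ROUTER_IP <1>LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=15218 PROTO=TCP <1>SPT=21054 DPT=23 SEQ=401719752 ACK=0 WINDOW=9542 RES=0x00 SYN URGP=0
Dec 17 22:38:47 kernel: DROP  <4>DROP IN=eth0 OUT= MAC=f0:79:59:8a:31:e8:00:01:5c:6b:72:46:08:00 <1>SRC=41.140.173.118 DST=ROUTER_IP <1>LEN=40 TOS=0x08 PREC=0x00 TTL=43 ID=27986 PROTO=TCP <1>SPT=61904 DPT=23 SEQ=401719752 ACK=0 WINDOW=54064 RES=0x00 SYN URGP=0
Dec 17 22:39:54 kernel: DROP  <4>DROP IN=eth0 OUT= MAC=f0:79:59:8a:31:e8:00:01:5c:6b:72:46:08:00 <1>SRC=196.52.43.130 DST=ROUTER_IP <1>LEN=125 TOS=0x00 PREC=0x00 TTL=241 ID=54321 PROTO=UDP <1>SPT=55258 DPT=1900 LEN=105
"""

# Shape of a dnsmasq query line as it appears in the post's pi-hole log.
QUERY_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) dnsmasq\[\d+\]: "
    r"query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<client>\S+)$"
)


def parse_ts(text, year=2018):
    """Syslog timestamps carry no year; 2018 is assumed from the post's date."""
    return datetime.strptime(f"{year} {' '.join(text.split())}", "%Y %b %d %H:%M:%S")


def find_periodic_queries(log_text, min_count=3, tolerance=0.2):
    """Group query lines by (client, name, qtype) and flag series whose every
    gap lies within `tolerance` of the median gap (fixed-interval lookups).
    Non-query lines (cached/forwarded/reply) are skipped."""
    series = defaultdict(list)
    for line in log_text.splitlines():
        m = QUERY_RE.match(line.strip())
        if m:
            series[(m["client"], m["name"], m["qtype"])].append(parse_ts(m["ts"]))
    results = []
    for (client, name, qtype), stamps in series.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if len(stamps) < min_count:
            continue
        median = statistics.median(gaps)
        regular = median > 0 and all(abs(g - median) <= tolerance * median for g in gaps)
        results.append({"client": client, "name": name, "qtype": qtype,
                        "count": len(stamps), "median_gap_s": median, "regular": regular})
    return results


# iptables LOG output is a run of KEY=VALUE tokens; OUT= may legitimately be empty.
DROP_KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def summarize_drops(syslog_text):
    """Tally DROP lines by inbound interface and by (protocol, destination port),
    counting distinct source addresses per port."""
    by_port = defaultdict(lambda: {"hits": 0, "sources": set()})
    inbound = defaultdict(int)
    for line in syslog_text.splitlines():
        if " DROP " not in line:
            continue
        kv = dict(DROP_KV_RE.findall(line))
        if "DPT" not in kv:
            continue
        inbound[kv.get("IN", "?")] += 1
        port = (kv.get("PROTO", "?"), int(kv["DPT"]))
        by_port[port]["hits"] += 1
        by_port[port]["sources"].add(kv.get("SRC", "?"))
    summary = {p: {"hits": v["hits"], "distinct_sources": len(v["sources"])}
               for p, v in by_port.items()}
    return dict(inbound), summary


if __name__ == "__main__":
    for r in find_periodic_queries(DNSMASQ_LOG):
        flag = "PERIODIC" if r["regular"] else "irregular"
        print(f'{r["client"]:15} {r["qtype"]:5} {r["name"]:20} n={r["count"]} '
              f'median={r["median_gap_s"]:.0f}s {flag}')
    ifaces, ports = summarize_drops(ROUTER_SYSLOG)
    print("dropped by inbound interface:", ifaces)
    for (proto, dpt), v in sorted(ports.items()):
        print(f"  {proto}/{dpt}: {v['hits']} hits from {v['distinct_sources']} sources")
```

To run it against the real files, feed `/var/log/pihole.log` and the router's `/tmp/syslog.log` into the two functions instead of the embedded samples. Two things to watch when reading the output: the periodic flag only says the cadence is machine-like, so compare the flagged names against what the router is supposed to talk to (NTP, firmware update hosts, OCSP), and the DROP summary reports `IN=` so you can see whether the dropped traffic is arriving on the WAN side (`eth0` here) rather than leaving from inside, which is the first check for whether it could be tied to the router's own outbound lookups at all.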
 
12-19-2018, 08:33 AM   #2
smallpond
I believe it was Bruce Schneier when asked how to secure a wifi router who said "Run over it with a truck".

Have you wiped the router, reloaded the firmware, disabled remote access and changed to a new, secure, non-default password?
 
12-19-2018, 08:34 PM   #3
bluemoo (Original Poster)
Quote (originally posted by smallpond):
I believe it was Bruce Schneier when asked how to secure a wifi router who said "Run over it with a truck".

Have you wiped the router, reloaded the firmware, disabled remote access and changed to a new, secure, non-default password?
I've factory reset the router, ensured the latest firmware is loaded, remote access has always been disabled except when I need to enable telnet for access, and I use a secure password.
 
  


All times are GMT -5.