cache full, not storing since 7.14

mikegleasonjr · Thu Mar 07, 2024 1:39 pm

I was on 7.13.X previously, never had this message in the log.

I don't use cache on DNS queries (it is cached upstream) so my config is this:

/ip dns set allow-remote-requests=yes cache-max-ttl=0s servers=X.X.X.X

Since 7.14, I get a lot of spam in the logs on every DNS request:

cache full, not storing

buffer: memory
topics: dns, error

Please allow us to disable the cache in some other way or revert the log message!

Thu Mar 07, 2024 2:45 pm

What device are you using ?
If it is a device with 16Mb storage, 7.14 can be a 'challenge' depending on your config.

Side note:
If you do not want to use dns cache at all, you may also want to change this

/ip dns set allow-remote-requests=yes

Set to no.

From Help pages

allow-remote-requests (yes | no; Default: no)
Specifies whether to allow router usage as a DNS cache for remote clients. Otherwise, only the router itself will use DNS configuration.

mikegleasonjr · Thu Mar 07, 2024 4:31 pm

1) It has nothing do to with device memory

2) It has nothing to do with allowing remote requests

rextended · Thu Mar 07, 2024 4:56 pm

3) So you already know the answer.

mikegleasonjr · Thu Mar 07, 2024 7:07 pm

Yes they introduced a bug where when making a DNS request that can't be added to the DNS cache, it thinks the cache is full when the TTL is just actually 0 (the only way to disable the cache).

It has nothing to do with my 423.0 MiB available on device especially when the log outputs to memory as reported.

It has nothing to do with allowing external requests to the DNS server.

lekozs · Mon Mar 11, 2024 1:02 pm

... the sad thing is, that this bug hasn't been fixed either in 7.14.1 or in 7.15 beta6

mikegleasonjr · Mon Mar 11, 2024 5:50 pm

@lekozs

EDIT: Nope, message re-appeared after one day, still have the bug
ORIGINAL MESSAGE:

I don't know about you but I don't have the messages anymore in 7.14.1

pazuwu · Mon Mar 18, 2024 2:52 pm

I wonder if their support is aware of this issue or should a request be open...?

Mon Mar 18, 2024 3:20 pm

In case of doubt, always create support request incl. supout.rif.

phin · Sun Apr 07, 2024 9:58 am

I am seeing this as well since upgrading from 7.13 this week. I have created a ticket in reference to the issue.

I found disabling "allow remote request" and re-enabling it seems to fix it. I am not certain if that's temporary or not.

edit: scratch that, it started again..

pazuwu · Sat Apr 13, 2024 9:27 am

I've also opened a support ticket and linked them to this thread. Will see how it goes.

phin · Sat Apr 13, 2024 3:49 pm

Ya i have yet to get a response.

scartzulesc · Mon Apr 29, 2024 12:35 pm

I was on 7.13.X previously, never had this message in the log.

I don't use cache on DNS queries (it is cached upstream) so my config is this:
Code: Select all
/ip dns set allow-remote-requests=yes cache-max-ttl=0s servers=X.X.X.X
Since 7.14, I get a lot of spam in the logs on every DNS request:

cache full, not storing

buffer: memory
topics: dns, error

Please allow us to disable the cache in some other way or revert the log message!

Hello,
I had the same issue and solved it by setting a firewall rule to block outside requests on port 53 UDP, The MK DNS server was acting as a public DNS server.

rextended · Tue Apr 30, 2024 12:45 pm

Hello,
I had the same issue and solved it by setting a firewall rule to block outside requests on port 53 UDP, The MK DNS server was acting as a public DNS server.

Your failure: As usual, in this cases, either you configured the firewall badly, or thinking you were the smartest you deleted the default rules that prevent this (and other things) from happening.

scartzulesc · Tue Apr 30, 2024 2:12 pm

Hello,
I had the same issue and solved it by setting a firewall rule to block outside requests on port 53 UDP, The MK DNS server was acting as a public DNS server.
Your failure: As usual, in this cases, either you configured the firewall badly, or thinking you were the smartest you deleted the default rules that prevent this (and other things) from happening.

If my memory serves me right, the default settings for the MK firewall do not include a rule to block UDP traffic on port 53.
My sole oversight was not executing the correct takeover of the router. This was amid a sequence of transitions, starting with a change in the main provider. The former provider assigned IPs via DHCP, but then we switched to a provider that used PPPoE, and the existing rule was set for WAN1. Initially, this was fine, but after the transition to the new PPPoE provider, the rule ceased to apply, which went unnoticed until internet connection issues began to surface.

Tue Apr 30, 2024 2:15 pm

If my memory serves me well default firewall blocks ALL incoming traffic which did not earlier originate from the inside of your network.
Without exception (apart from ICMP).

But I could be wrong ...

rextended · Tue Apr 30, 2024 3:30 pm

The default firewall rules dropping all on input at the end, so if not allowed before, nothing is allowed after.

If you write "If my memory serves me well " it is because you have deleted the default rules, so you cannot recheck them, sinning of pride.

v6, but are like the same for v7
viewtopic.php?f=13&t=175129&p=856824#p856824

extract code

/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
add chain=input action=accept dst-address=127.0.0.1 comment="defconf: accept to local loopback (for CAPsMAN)"
add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"

scartzulesc · Thu May 02, 2024 9:11 pm

If my memory serves me well default firewall blocks ALL incoming traffic which did not earlier originate from the inside of your network.
Without exception (apart from ICMP).

But I could be wrong ...

Since I am not a full-time MK/RouteOS admin (only from time to time), thank you for your clarification.

scartzulesc · Thu May 02, 2024 10:05 pm

The default firewall rules dropping all on input at the end, so if not allowed before, nothing is allowed after.

If you write "If my memory serves me well " it is because you have deleted the default rules, so you cannot recheck them, sinning of pride.
As I said before this was not my building, my only error was I didn't do the proper take-over, as a "sign of pride" (I think this you meant, please correct me if I am mistaking) not at all, more sign of shame . . . . as I hope you can understand as a fellow tech DB. . . . .

v6, but are like the same for v7
viewtopic.php?f=13&t=175129&p=856824#p856824

extract code
/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
add chain=input action=accept dst-address=127.0.0.1 comment="defconf: accept to local loopback (for CAPsMAN)"
add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"

In the end in possible conclusion: this issue might not be a bug just a misconfiguration of the firewall where some "default" rules were deleted or any other rule in "sign of pride"

neilticktin · Tue Jul 09, 2024 11:42 pm

Anyone see any updates on this? We're seeing a log full of these errors even though, as mentioned, there's plenty of free memory.

erlinden · Wed Jul 10, 2024 9:37 am

Cache size is configurable, you might want to increase the memory (if you haven't tried already?):

/ip dns
set cache-size=20480KiB

jfim88 · Wed Jul 10, 2024 9:16 pm

I've seen the same in log today. 7.16beta4. Using DOH with NextDNS.

sharkys · Mon Jul 15, 2024 7:22 pm

Same for me, full dns - flush do not help.

autonomous · Tue Jul 16, 2024 4:53 am

Same here on 7.16beta4.

16384KiB of cache memory allocated, only 2839 KiB used, and yet my logs are full of repeating "cache full, not storing" which continue to fire.

I have not performed packet captures on the outbound interface to see if it really is looking them up every time or if this is an erroneous error they introduced when adding Adblock with DoH.

Has anyone fired a report to Mikrotik officially to make sure they know about this, or do they stop in here too?

autonomous · Tue Jul 16, 2024 4:56 am

I've also opened a support ticket and linked them to this thread. Will see how it goes.

thank you for doing that!

Tue Jul 16, 2024 9:12 am

I've seen the same in log today. 7.16beta4. Using DOH with NextDNS.

different issue, wrong topic

Tue Jul 16, 2024 9:13 am

This topic has many people each with a different issue, please all calm down and stop with the "me too". DoH and v7.16beta is unrelated with cache full message, that is not cleared, after cache is timed out. DoH issues in beta - please go post in the beta topic.

Up to this version the IP/DNS setting cache-size was not properly working. If you see this error in the log, then it means that cache size has reached its maximum size. You can:

1) Increase max cache size;
2) Reduce amount of DNS requests towards cache.

Cache will not store responses from the DNS server, but it will send replies from the server to clients.

We are aware that log message continues to be written even if you "flush" cache. DNS at that point will again store replies in the cache, however, log will print false warnings. This is a known issue which will be resolved

mikegleasonjr · Sun Jul 28, 2024 6:35 am

duplicate: viewtopic.php?p=1088073

mikegleasonjr · Thu Sep 05, 2024 8:57 pm

This topic has many people each with a different issue, please all calm down and stop with the "me too". DoH and v7.16beta is unrelated with cache full message, that is not cleared, after cache is timed out. DoH issues in beta - please go post in the beta topic.

Up to this version the IP/DNS setting cache-size was not properly working. If you see this error in the log, then it means that cache size has reached its maximum size. You can:

1) Increase max cache size;
2) Reduce amount of DNS requests towards cache.

Cache will not store responses from the DNS server, but it will send replies from the server to clients.

We are aware that log message continues to be written even if you "flush" cache. DNS at that point will again store replies in the cache, however, log will print false warnings. This is a known issue which will be resolved

Thanks for acknowledging the issue.

As said earlier in this post, I don't want to cache any entries myself so it's not about a cache size or memory issue.

As of today and package `7.15.3` version, it is still occuring.

Thank you

merlofran · Sat Sep 21, 2024 5:25 pm

Hello everyone...
I don't know if I'm in time with this answer, but I've had the same problem and I've solved it at least in my case, deleting the parameters added in the "Adlist" option. I noticed that since I added that parameter I started to receive the cache full notice. Good luck to all and I hope the tip serves you

mikegleasonjr · Tue Oct 22, 2024 2:19 pm

Still occuring, still not fixed.. here is my configuration and some runtime infos:

[admin@rb4011] > /ip/dns print
                      servers: <redacted>
              dynamic-servers: 
               use-doh-server: 
              verify-doh-cert: no
   doh-max-server-connections: 5
   doh-max-concurrent-queries: 50
                  doh-timeout: 5s
        allow-remote-requests: yes
          max-udp-packet-size: 4096
         query-server-timeout: 2s
          query-total-timeout: 10s
       max-concurrent-queries: 100
  max-concurrent-tcp-sessions: 20
                   cache-size: 2048KiB
                cache-max-ttl: 0s
      address-list-extra-time: 0s
                          vrf: main
           mdns-repeat-ifaces: 
                   cache-used: 2048KiB

[admin@rb4011] > /ip/dns/cache print 
Flags: S - STATIC
Columns: NAME, TYPE, DATA, TTL
 #   NAME        TYPE   DATA         TTL
 0 S <redacted>  A      <redacted>   0s 
 1 S <redacted>  A      <redacted>   0s 
 2 S <redacted>  A      <redacted>   0s 
 3 S <redacted>  CNAME  <redacted>.  0s 
 4 S <redacted>  CNAME  <redacted>.  0s 
 5 S <redacted>  CNAME  <redacted>.  0s 
 6 S <redacted>  CNAME  <redacted>.  0s 
 7 S <redacted>  CNAME  <redacted>.  0s 
 8 S <redacted>  CNAME  <redacted>.  0s 
 9 S <redacted>  CNAME  <redacted>.  0s 
10 S <redacted>  CNAME  <redacted>.  0s 
11 S <redacted>  CNAME  <redacted>.  0s 
12 S <redacted>  CNAME  <redacted>.  0s 
13 S <redacted>  CNAME  <redacted>.  0s 
14 S <redacted>  CNAME  <redacted>.  0s 
15 S <redacted>  CNAME  <redacted>.  0s 
16 S <redacted>  CNAME  <redacted>.  0s 
17 S <redacted>  CNAME  <redacted>.  0s 
18 S <redacted>  CNAME  <redacted>.  0s 
19 S <redacted>  CNAME  <redacted>.  0s 
20 S <redacted>  CNAME  <redacted>.  0s 
21 S <redacted>  CNAME  <redacted>.  0s 
22 S <redacted>  CNAME  <redacted>.  0s 
23 S <redacted>  A      <redacted>   0s 
24 S <redacted>  A      <redacted>   0s 
25 S <redacted>  CNAME  <redacted>.  0s 
26 S <redacted>  A      <redacted>   0s 
27 S <redacted>  CNAME  <redacted>.  0s 
28 S <redacted>  A      <redacted>   0s 
29 S <redacted>  A      <redacted>   0s 
30 S <redacted>  A      <redacted>   0s 
31 S <redacted>  A      <redacted>   0s 
32 S <redacted>  CNAME  <redacted>.  0s 
33 S <redacted>  CNAME  <redacted>.  0s 
34 S <redacted>  CNAME  <redacted>.  0s 
35 S <redacted>  CNAME  <redacted>.  0s 
36 S <redacted>  A      <redacted>   0s 
37 S <redacted>  A      <redacted>   0s 
38 S <redacted>  A      <redacted>   0s 
39 S <redacted>  A      <redacted>   0s 
40 S <redacted>  CNAME  <redacted>.  0s 
41 S <redacted>  CNAME  <redacted>.  0s 
42 S <redacted>  CNAME  <redacted>.  0s 
43 S <redacted>  CNAME  <redacted>.  0s

[admin@rb4011] > /ip/dns/ export 
# 2024-10-22 12:09:18 by RouterOS 7.16.1
# software id = <redacted>
#
# model = RB4011iGS+
# serial number = <redacted>

/ip dns
    set allow-remote-requests=yes cache-max-ttl=0s servers=<redacted>

/ip dns static
    add address=<redacted> name=<redacted> type=A
    add address=<redacted> name=<redacted> type=A
    add address=<redacted> name=<redacted> type=A
    add cname=<redacted> name=<redacted> type=CNAME
    add cname=<redacted> name=<redacted> type=CNAME
    add cname=<redacted> name=<redacted> type=CNAME
    add cname=<redacted> name=<redacted> type=CNAME
    add cname=<redacted> name=<redacted> type=CNAME
    add cname=<redacted> name=<redacted> type=CNAME
    add cname=<redacted> name=<redacted> type=CNAME
    add cname=<redacted> name=<redacted> type=CNAME
    add cname=<redacted> name=<redacted> type=CNAME
    add cname=<redacted> name=<redacted> type=CNAME
    add cname=<redacted> name=<redacted> type=CNAME
    add cname=<redacted> name=<redacted> type=CNAME
    add cname=<redacted> name=<redacted> type=CNAME
    add cname=<redacted> name=<redacted> type=CNAME
    add cname=<redacted> name=<redacted> type=CNAME
    add cname=<redacted> name=<redacted> type=CNAME
    add cname=<redacted> name=<redacted> type=CNAME
    add cname=<redacted> name=<redacted> type=CNAME
    add cname=<redacted> name=<redacted> type=CNAME
    add cname=<redacted> name=<redacted> type=CNAME
    add address=<redacted> name=<redacted> type=A
    add address=<redacted> name=<redacted> type=A
    add cname=<redacted> name=<redacted> type=CNAME
    add address=<redacted> name=<redacted> type=A
    add cname=<redacted> name=<redacted> type=CNAME
    add address=<redacted> name=<redacted> type=A
    add address=<redacted> name=<redacted> type=A
    add address=<redacted> name=<redacted> type=A
    add address=<redacted> name=<redacted> type=A
    add cname=<redacted> name=<redacted> type=CNAME
    add cname=<redacted> name=<redacted> type=CNAME
    add cname=<redacted> name=<redacted> type=CNAME
    add cname=<redacted> name=<redacted> type=CNAME
    add address=<redacted> name=<redacted> type=A
    add address=<redacted> name=<redacted> type=A
    add address=<redacted> name=<redacted> type=A
    add address=<redacted> name=<redacted> type=A
    add cname=<redacted> name=<redacted> type=CNAME
    add cname=<redacted> name=<redacted> type=CNAME
    add cname=<redacted> name=<redacted> type=CNAME
    add cname=<redacted> name=<redacted> type=CNAME

[admin@rb4011] > /system/script export 
# 2024-10-22 12:13:12 by RouterOS 7.16.1
# software id = <redacted>
#
# model = RB4011iGS+
# serial number = <redacted>
/system script
    add dont-require-permissions=no name=<redacted> owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":do {\r\
        \n    :resolve www.example.com server (redacted)\r\
        \n    :if ([/ip dns get servers] != \"(redacted)\") do={\r\
        \n        /ip dns set servers=\"(redacted)\"\r\
        \n        :log info \"Restored DNS server to (redacted)\"\r\
        \n    }\r\
        \n} on-error={\r\
        \n    :if ([/ip dns get servers] != \"(redacted)\") do={\r\
        \n        /ip dns set servers=\"(redacted)\"\r\
        \n        :log error \"DNS server (redacted) down, using (redacted)\"\r\
        \n    }\r\
        \n}"


[admin@rb4011] > /system scheduler export 
# 2024-10-22 12:14:02 by RouterOS 7.16.1
# software id = <redacted>
#
# model = RB4011iGS+
# serial number = <redacted>

/system scheduler
    add interval=30s name=<redacted> on-event=check-dns policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=2002-01-01 start-time=00:00:00

I set

cache-max-ttl=0s

to avoid caching DNS entries because I do the caching on the upstream server.

infabo · Tue Oct 22, 2024 8:14 pm

Does it help to set cache-size=0?

gmdemaria · Sun Nov 10, 2024 5:54 am

In my case the error was resolved after the update to version 7.16.1 , it was not a real error for space because i didn't increase the cache size
I just apply the update.
Regards

PHSman · Sun Dec 01, 2024 12:32 am

same problem with 7.16.1 but with 7.16.2 it seems to be gone...

robinpecha · Tue Dec 17, 2024 3:30 pm

I was on 7.13.X previously, never had this message in the log.

I don't use cache on DNS queries (it is cached upstream) so my config is this:
Code: Select all
/ip dns set allow-remote-requests=yes cache-max-ttl=0s servers=X.X.X.X
Since 7.14, I get a lot of spam in the logs on every DNS request:

cache full, not storing

buffer: memory
topics: dns, error

Please allow us to disable the cache in some other way or revert the log message!
Hello,
I had the same issue and solved it by setting a firewall rule to block outside requests on port 53 UDP, The MK DNS server was acting as a public DNS server.

SOLVED TOO
Exactly, I have switched from ip behind na to public ip on my main mikrotik router and I forget that Allow remote request is enabling requests not only for LAN but also for WAN!
I have interface lists where are my wan interfaces grouped so I just simply drop all remote requests targeting the WAN interface:

/ip firewall filter add chain=input protocol=udp dst-port=53 in-interface-list=WAN action=drop comment="Block DNS requests from WAN"
/ip firewall filter add chain=input protocol=tcp dst-port=53 in-interface-list=WAN action=drop comment="Block DNS requests from WAN"

erlinden · Tue Dec 17, 2024 3:59 pm

Exactly, I have switched from ip behind na to public ip on my main mikrotik router and I forget that Allow remote request is enabling requests not only for LAN but also for WAN!

It shouldn't as the default firewall rules only allows calls from LAN (interace list). Perhaps have a good look at your current firewall rules?

mirolm · Tue Dec 17, 2024 4:33 pm

If you add such rules it is better to drop the packets in the prerouting stage.

/ip firewall filter add chain=prerouting action=drop in-interface-list=WAN dst-port=53 protocol=udp
/ip firewall filter add chain=prerouting action=drop in-interface-list=WAN dst-port=53 protocol=tcp

Tue Dec 17, 2024 4:42 pm

Even better to not allow anything from WAN except VPN and established,related,etc.
Oh wait ... that's done by default firewall rules ...

elektrik2 · Wed Feb 12, 2025 10:10 am

The problem has not been resolved in the latest versions. I have CHR 7.17.1 and I get the error - cache full, not storing

Jotne · Thu Feb 13, 2025 8:28 am

I did see this in an RB951 upgrade from 7.16 to 7.18beta6 as well.
Not sure if it has anything to do with it, or just the second reboot fixed it.
Router is within a LAN, with just some other devices, so no access from Internet to router.

Example messages

2025-02-13T06:06:43.863+0000 RB951-test CEF:0|MikroTik|RB951Ui-2HnD|7.18beta6 (testing)|65|dns,error|High|dvchost=RB951-test msg=serial\=5581045C386A MikroTik: cache full, not storing [ignoring repeated messages]
2025-02-13T06:06:43.863+0000 RB951-test CEF:0|MikroTik|RB951Ui-2HnD|7.18beta6 (testing)|65|dns,error|High|dvchost=RB951-test msg=serial\=5581045C386A MikroTik: cache full, not storing