MikroTik

I've been using Mikrotik's DNS Cache server and notice that every hour for anywhere from 30 seconds to a minute and a half, DNS queries fail. I can still ping by IP but not by name. Looking at the profiler, I can see that DNS consumes 100% of CPU during this time, which is followed by Flash consuming much CPU and then unclassified. I do have approximately 10000 static entries. I presume this is part of the issue. I am running a RB1200 with 1.5GB RAM on the latest, RouterOS 5.22. I have played around with allocating various amount of memory to DNS to no avail. Is it true that 10M is max memory that can be used for DNS?

I am not sure where to begin troubleshooting this issue. Any thoughts on where to begin tracking down this problem?

what you have set up in /ip dns settings? (except static entries) what is cache usage and how much cache you have free?

servers: 8.26.56.26,8.20.247.20,198.153.192.40,198.153.194.40,
8.8.4.4,8.8.8.8
dynamic-servers:
allow-remote-requests: yes
max-udp-packet-size: 512
cache-size: 10240KiB
cache-max-ttl: 1w
cache-used: 10062KiB



Previously, I've used up to 4096 as max-udp-packet-size and I've allocated as much as 128MB to cache. It doesn't appear to solve it.

By dumb luck, I may have stumbled upon it. I had my Dude server down during the last hour's interval and DNS did not go down. Perhaps something in the Dude is hammering my DNS? For now, on the Dude I've disabled the monitoring of the DNS service on this router. Any ideas what other settings in the Dude would do this? I've switched so that machine is not using this router as DNS at all now also. At the next scheduled interval, I will see if the behavior has changed and report back.

Does anyone know what the max cache-used can be for DNS proxy? I saw in the documentation 10240KB, but it allows you to put in higher values.

Well I disabled a bunch of DNS type of settings in the Dude and it still does it. When I'm in winbox and DNS is consuming 100% of CPU, in IP->DNS, it shows "allow remote requests" as unchecked and no servers are filled in. Would this be due to winbox not having loaded all the way or perhaps it is actually not caching at that point? Perhaps I should be running DNS on a separate server? Do you guys recommend Power DNS or BIND or another? I'd like to use my rather large block list either way.

Frego - I am having the same problem with my rb450g. If I turn on "allow remote requests" the CPU almost immediately went to 100%. Now, I was tinkering with it and turned that option from on to off and then on again when the cache had about 400 items in it. (around 200 IPs were using it for caching)

I just now flushed it and turned it back on again. Cache starting to refill, CPU at around 10% right now....

Software is 5.22

MAX UDP packet size is 512
cache size is 10240

I have only my upstream providers DNS IPs in the Mikrotik at this point. (Under DNS settings, and also under Static, and DHCP server DNS settings.

I would like to know what fixes this.

OK, I have had this running for a little while now. I currently only have about 40 IPs using the cache/DNS.

Roughly 350 items in the cache, CPU is now 50%-60% load.

I have a maximum of 13MB of data going through it.

I have an update to report. I have disabled DNS on the router I was having this problem with. However, I still have a ton of static DNS entries. What I noticed is that still once a day or so, at uneven intervals, CPU will still peg at 100% with DNS consuming it all. I have come to believe that it is tied to flash memory and that the number of static entries I have must be the cause of that. I think there is some housekeeping thread that may be causing this rather poor use of resources.

Same problem on my RB751G-2HnD. Profile shows 80% usage on DNS. Disallowing remote requests helps, but it not solution for this problem. I created packet filter rule, that drops DNS requests (UDP traffic on port 53) from all but local subnet (192.168.0.0/24). CPU usage drops from 70-80% to 3-4%, and profiling not showing DNS percentage. It seems that some bots use Mikrotik as DNS-server for some purposes and genering lots of requests.

Just bumping this old request as the most likely cause is that you are having DNS attacks from outside your network since you have allow remote connections open. You need to firewall that up.

Same problem on my RB751G-2HnD. Profile shows 80% usage on DNS. Disallowing remote requests helps, but it not solution for this problem. I created packet filter rule, that drops DNS requests (UDP traffic on port 53) from all but local subnet (192.168.0.0/24). CPU usage drops from 70-80% to 3-4%, and profiling not showing DNS percentage. It seems that some bots use Mikrotik as DNS-server for some purposes and genering lots of requests.

Hey seidizem, it seems you are right.
I saw lots of posts around the internet, where people even change their hardware thinking they got bottle neck on their cpu usage.
I had same problem on my 951G-2HnD and the firewall rule together nat for the DNS requests, solved my problem.

Thanks!

Hello, this work for me

check this

/ip firewall filter
add action=drop chain=input dst-port=53 in-interface=wan protocol=udp

http://srijit.com/how-to-protect-your-m ... s-attacks/

It is not the good method. This article describes only to block port 53 but in fact you should block all
new input packets from the internet interface.
Note that this is already the default. When you have a problem you have either modified the default
firewall, or you have modified the internet port without adjusting the firewall accordingly.
(this happens because of sub-optimal configuration of the default firewall, which they don't want to fix)

When you use PPPoE make sure that the interface "ether1-gateway" in the firewall is changed to your
PPPoE interface in the rule that drops incoming traffic from that interface.

The main issue of DNS is that it does not support multi-thread. It can load only one CPU and it`s easy to reach 100%. In this case even powerful CCR1072 is nothing against DNS request. If DNS service supports multi-thread, would be very nice.

A good place to see these attacks visually is under the connections tab on firewall. Knowing the total number of connections under normal use is a good way to spot abnormal traffic. As an example, on my home router, I know that anything over 5 or 600 connections means something weird is happening.

When your DNS ports are open to the internet, you will have multiple thousands of connections on port 53 UDP. Under the connections tab, you will spot this instantly.

In case of DNS attack, it something very easy to stop/block. In case of my hotspot routers, lot of clients ask DNS from the router and CCR1072 become slow on DNS query. But actually CCR1072 can handle thousands of hotspot clients except DNS server role. I implemented separate DNS server to handle it, which I hate when RouterOS supports DNS server.

I think the limit in DNS query handling for normal usage is not as much the CPU usage but
a limit in the number of unanswered queries, apparently some table inside the DNS server.
When lots of queries are forwarded, at some point this table becomes full.

To anyone having this problem - the first thing to check is whether your router is being used as a DDoS amplifier.

As stated earlier in the thread, look in the firewall connections table for DNS traffic on the WAN interface. If you see DNS traffic to/from anything other than the router's configured DNS resolvers, then you're being exploited in a DDoS because your firewall rules aren't blocking it.

This is a very common issue on the forums here.
Block all incoming new requests on the WAN interface in the INPUT chain of the FILTER firewall rules! If you require some kind of admin access from the WAN side, then make one rule which allows exactly the port you requre (e.g. Winbox) and only from your known remote site(s) which require access. Place this exception earlier in the INPUT chain than the default "throw away everything on the WAN interface" rule, and you're set.

The problem is that otgooneo has hijacked an old thread that was about DNS resolver abuse due to badly configured
firewall and is now talking about his DNS resolver performance during high load, which is a completely different subject.

I’m using microtick router board 750 & 450G both router problem is CPU Usage 100%, than internet gatway block and slow the internet. we have user this router connect 50-60 user 9 AM to 6 PM. how to problem .

I’m using microtick router board 750 & 450G both router problem is CPU Usage 100%, than internet gatway block and slow the internet. we have user this router connect 50-60 user 9 AM to 6 PM. how to problem .

What is using the CPU? Check Tools > Profiles and see. This thread is about DNS where it looks as the OP did not firewall the outside world from requesting DNS from the router.

Yours may be different.

I have been having the same problem. I finally set the cache time on the dns to 00:00:00. Now CPU time is much lower.

Things are going much better now.