EAP670 sending DNS request for "del" around once per second
I'm seeing these logs in my DNS server (AdGuard Home). Has anyone seen this before or know what these requests are? Both devices are EAP670 (US) v1.0 on firmware 10.1.12 build 20230922 and I'm using a software controller running in Docker. Searching Google for "TP-Link Omada del" is... not useful at all.
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
Hi @Dan15
Thanks for posting in our business forum.
Dan15 wrote
I'm seeing these logs in my DNS server (AdGuard Home). Has anyone seen this before or know what these requests are? Both devices are EAP670 (US) v1.0 on firmware 10.1.12 build 20230922 and I'm using a software controller running in Docker. Searching Google for "TP-Link Omada del" is... not useful at all.
Since I don't have this model. I have 620 and 660. I tried to Wireshark from them. I don't see they actually sent a DNS.
Can you please Wireshark this and provide the screenshots of your results?
@Hank21 Please follow this up and feedback on this.
- Copy Link
- Report Inappropriate Content
I have multiple 670's in play and not seeing this on my side...
I'm going to assume it's in your configuration.
- Copy Link
- Report Inappropriate Content
@KimcheeGUN It very well could be in our confguration, but I assert that even if there is a configuration parameter causing it that 220030 queries over 7 days from 2 access points, that is a bug. There is no practical reason whatsoever to do queries at that rate and for the same name, regardless of the cause.
I provided a packet trace of the queries, they're not terribly interesting outside of the fact that they are relentless and identical.
- Copy Link
- Report Inappropriate Content
- Copy Link
- Report Inappropriate Content
I have a EAP670 too, so your thread triggered me to check my pihole to see if I'm having the same issue. While I can't find the request for `del`, there are some regular A and AAAA record requests for `eap670`. But the same is also happening on all of my EAP613s.
Note: My EAP670 is currently running on 1.0.14 firmware, but I also checked for historical data when it's still running on 1.0.13, can't find the `del` request either.
- Copy Link
- Report Inappropriate Content
ndb217 wrote
I provided a packet trace in an above reply. I can generate a new one if you'd like, but it will look exactly the same.
Hi @ndb217
We haven't found any similar issues. May I suggest you check the configuration on your site? You may try to use Wireshark to capture packets. And share the screenshots of your capture.
@Dan15@reynhartono If you encountered the similar issues, please also help to provide the screenshots. Thanks.
- Copy Link
- Report Inappropriate Content
Hi @ndb217
Thanks for posting in our business forum.
ndb217 wrote
I provided a packet trace in an above reply. I can generate a new one if you'd like, but it will look exactly the same.
That is NOT Wireshark capture. Are you sure about your statement? That only looks like a log on your DNS server. What does this IP mean? "10.10.10.8"? Where is the destination IP and port?
Requesting a Wireshark result of it. And you did not provide your IP and network diagram. Please provide screenshots of your capture which shows the source is coming from the EAP and what domain it requested. It is in plain text. Your diagram as well so I can understand your capture.
e.g. DNS in plain text, I want to see if it is requesting "del" or whatever you or OP described. Because your DNS server logs "del" which I think might be a mistake on the DNS server failing to recognize the proper DNS queries.
I have requested a model EAP670 from the warehouse and waiting for its arrival and place it at my home where I have both DNS servers and check it out.
- Copy Link
- Report Inappropriate Content
@Clive_A Yes, I am aware that it is not wireshark - it is a packet capture using tcpdump (and sumirily libpcap) directly, the same library that wireshark uses and generating the same output data. I cannot use wireshark from this system, it has no GUI, but what I have provided is functionally the same data you'd get from wireshark without the color formatting.
sudo tcpdump host 10.10.10.8 -vvv -s 1500
I am sniffing the entire 1500 bytes and generating verbose output for the host 10.10.10.8, which is the wireless AP. resolver1 is the recursive DNS resolver. 10.10.10.8.58768 is the source address and port.
If you look at the format, it's pretty much the same:
22:08:26.844151 IP (tos 0x0, ttl 63, id 64535, offset 0, flags [DF], proto UDP (17), length 49) 10.10.10.8.58768 > resolver1: [udp sum ok] 1484+ A? del. (21)
However, if you require wireshark formatting, I can generate that with tshark:
ndb217@rdns2 ~ % sudo tshark host 10.10.10.8 and port 53
Capturing on 'eth0'
** (tshark:131477) 08:45:42.280497 [Main MESSAGE] -- Capture started.
** (tshark:131477) 08:45:42.281036 [Main MESSAGE] -- File: "/tmp/wireshark_eth0R43DL2.pcapng"
1 0.000000000 10.10.10.8 → 10.10.9.53 DNS 63 Standard query 0x06a1 A del
2 0.000809213 10.10.9.53 → 10.10.10.8 DNS 63 Standard query response 0x06a1 No such name A del
3 0.015186109 10.10.10.8 → 10.10.9.53 DNS 63 Standard query 0xb55c A del
4 0.015958211 10.10.9.53 → 10.10.10.8 DNS 63 Standard query response 0xb55c No such name A del
5 0.026361021 10.10.10.8 → 10.10.9.53 DNS 63 Standard query 0x1084 A del
6 0.026942570 10.10.9.53 → 10.10.10.8 DNS 63 Standard query response 0x1084 No such name A del
7 0.040128553 10.10.10.8 → 10.10.9.53 DNS 63 Standard query 0xa82c A del
8 0.040741546 10.10.9.53 → 10.10.10.8 DNS 63 Standard query response 0xa82c No such name A del
9 2.134361507 10.10.10.8 → 10.10.9.53 DNS 63 Standard query 0x4587 A del
10 2.135289533 10.10.9.53 → 10.10.10.8 DNS 63 Standard query response 0x4587 No such name A del
11 2.147535045 10.10.10.8 → 10.10.9.53 DNS 63 Standard query 0xb589 A del
12 2.148336851 10.10.9.53 → 10.10.10.8 DNS 63 Standard query response 0xb589 No such name A del
13 2.164157045 10.10.10.8 → 10.10.9.53 DNS 63 Standard query 0xa362 A del
14 2.164773946 10.10.9.53 → 10.10.10.8 DNS 63 Standard query response 0xa362 No such name A del
15 2.178416498 10.10.10.8 → 10.10.9.53 DNS 63 Standard query 0x5784 A del
16 2.178975751 10.10.9.53 → 10.10.10.8 DNS 63 Standard query response 0x5784 No such name A del
17 6.307694106 10.10.10.8 → 10.10.9.53 DNS 63 Standard query 0x5196 A del
18 6.308584985 10.10.9.53 → 10.10.10.8 DNS 63 Standard query response 0x5196 No such name A del
19 6.320056709 10.10.10.8 → 10.10.9.53 DNS 63 Standard query 0x50d0 A del
20 6.320782442 10.10.9.53 → 10.10.10.8 DNS 63 Standard query response 0x50d0 No such name A del
21 6.332850604 10.10.10.8 → 10.10.9.53 DNS 63 Standard query 0x866b A del
22 6.333417524 10.10.9.53 → 10.10.10.8 DNS 63 Standard query response 0x866b No such name A del
23 6.348966758 10.10.10.8 → 10.10.9.53 DNS 63 Standard query 0xc6c5 A del
24 6.349556270 10.10.9.53 → 10.10.10.8 DNS 63 Standard query response 0xc6c5 No such name A del
I have no A record for "del", and never have. I an unwilling to upgrade to the latest version because when I had that runnig a few weeks ago my APs were so unstable that they would cause outages requiring a manual reboot multiple times per day or would reboot on their own. I am willing to make changes to the controller, but I would like to do that in a measured way to better understand what is causing this and why. Simply erasing the controller and rebuilding, while there is a small chance it will the issue, is not a solution. It provides no causaility and simply triggering the bug will likely happen again.
My network is fairly straightforward, a diagram containing the relevant L3 is below. the IW WAPs are used exclusively for ethernet ports and do not provide wireless, only the 670s do wireless.
- Copy Link
- Report Inappropriate Content
Hi @ndb217
Thanks for posting in our business forum.
ndb217 wrote
@Clive_A Yes, I am aware that it is not wireshark - it is a packet capture using tcpdump (and sumirily libpcap) directly, the same library that wireshark uses and generating the same output data. I cannot use wireshark from this system, it has no GUI, but what I have provided is functionally the same data you'd get from wireshark without the color formatting.
sudo tcpdump host 10.10.10.8 -vvv -s 1500
I am sniffing the entire 1500 bytes and generating verbose output for the host 10.10.10.8, which is the wireless AP. resolver1 is the recursive DNS resolver. 10.10.10.8.58768 is the source address and port.
If you look at the format, it's pretty much the same:
22:08:26.844151 IP (tos 0x0, ttl 63, id 64535, offset 0, flags [DF], proto UDP (17), length 49) 10.10.10.8.58768 > resolver1: [udp sum ok] 1484+ A? del. (21)
However, if you require wireshark formatting, I can generate that with tshark:
ndb217@rdns2 ~ % sudo tshark host 10.10.10.8 and port 53
Capturing on 'eth0'
** (tshark:131477) 08:45:42.280497 [Main MESSAGE] -- Capture started.
** (tshark:131477) 08:45:42.281036 [Main MESSAGE] -- File: "/tmp/wireshark_eth0R43DL2.pcapng"
1 0.000000000 10.10.10.8 → 10.10.9.53 DNS 63 Standard query 0x06a1 A del
2 0.000809213 10.10.9.53 → 10.10.10.8 DNS 63 Standard query response 0x06a1 No such name A del
3 0.015186109 10.10.10.8 → 10.10.9.53 DNS 63 Standard query 0xb55c A del
4 0.015958211 10.10.9.53 → 10.10.10.8 DNS 63 Standard query response 0xb55c No such name A del
5 0.026361021 10.10.10.8 → 10.10.9.53 DNS 63 Standard query 0x1084 A del
6 0.026942570 10.10.9.53 → 10.10.10.8 DNS 63 Standard query response 0x1084 No such name A del
7 0.040128553 10.10.10.8 → 10.10.9.53 DNS 63 Standard query 0xa82c A del
8 0.040741546 10.10.9.53 → 10.10.10.8 DNS 63 Standard query response 0xa82c No such name A del
9 2.134361507 10.10.10.8 → 10.10.9.53 DNS 63 Standard query 0x4587 A del
10 2.135289533 10.10.9.53 → 10.10.10.8 DNS 63 Standard query response 0x4587 No such name A del
11 2.147535045 10.10.10.8 → 10.10.9.53 DNS 63 Standard query 0xb589 A del
12 2.148336851 10.10.9.53 → 10.10.10.8 DNS 63 Standard query response 0xb589 No such name A del
13 2.164157045 10.10.10.8 → 10.10.9.53 DNS 63 Standard query 0xa362 A del
14 2.164773946 10.10.9.53 → 10.10.10.8 DNS 63 Standard query response 0xa362 No such name A del
15 2.178416498 10.10.10.8 → 10.10.9.53 DNS 63 Standard query 0x5784 A del
16 2.178975751 10.10.9.53 → 10.10.10.8 DNS 63 Standard query response 0x5784 No such name A del
17 6.307694106 10.10.10.8 → 10.10.9.53 DNS 63 Standard query 0x5196 A del
18 6.308584985 10.10.9.53 → 10.10.10.8 DNS 63 Standard query response 0x5196 No such name A del
19 6.320056709 10.10.10.8 → 10.10.9.53 DNS 63 Standard query 0x50d0 A del
20 6.320782442 10.10.9.53 → 10.10.10.8 DNS 63 Standard query response 0x50d0 No such name A del
21 6.332850604 10.10.10.8 → 10.10.9.53 DNS 63 Standard query 0x866b A del
22 6.333417524 10.10.9.53 → 10.10.10.8 DNS 63 Standard query response 0x866b No such name A del
23 6.348966758 10.10.10.8 → 10.10.9.53 DNS 63 Standard query 0xc6c5 A del
24 6.349556270 10.10.9.53 → 10.10.10.8 DNS 63 Standard query response 0xc6c5 No such name A del
I have no A record for "del", and never have. I an unwilling to upgrade to the latest version because when I had that runnig a few weeks ago my APs were so unstable that they would cause outages requiring a manual reboot multiple times per day or would reboot on their own. I am willing to make changes to the controller, but I would like to do that in a measured way to better understand what is causing this and why. Simply erasing the controller and rebuilding, while there is a small chance it will the issue, is not a solution. It provides no causaility and simply triggering the bug will likely happen again.
My network is fairly straightforward, a diagram containing the relevant L3 is below. the IW WAPs are used exclusively for ethernet ports and do not provide wireless, only the 670s do wireless.
This is very helpful and things are clear now. Thanks for the detailed information. It pretty much nails the fact that there are "del" requests from the EAP.
@KimcheeGUN So since you have the EAP670 now, mine are under the transition from the warehouse, can you try to Wireshark and see what you got from your end? Appreciate it if you could do that and for your time.
@Hank21 Please follow it up and inform the related teams about this. OP and ndb have listed their firmware and HW versions.
- Copy Link
- Report Inappropriate Content
@Clive_A Any progress on this? I have gone through my controller and not really seen anything ovbious that would casue the issue. I have not yet started poking at the internals of the EAP.
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 2736
Replies: 25
Voters 0
No one has voted for it yet.