Hi @Dan15 

Thanks for posting in our business forum.

Dan15 wrote

I'm seeing these logs in my DNS server (AdGuard Home). Has anyone seen this before or know what these requests are? Both devices are EAP670 (US) v1.0 on firmware 10.1.12 build 20230922 and I'm using a software controller running in Docker. Searching Google for "TP-Link Omada del" is... not useful at all.

 

 

Since I don't have this model. I have 620 and 660. I tried to Wireshark from them. I don't see they actually sent a DNS.

Can you please Wireshark this and provide the screenshots of your results?

@Hank21 Please follow this up and feedback on this.

  @Dan15

I have multiple 670's in play and not seeing this on my side... 

I'm going to assume it's in your configuration.  

ndb217 wrote

I provided a packet trace in an above reply. I can generate a new one if you'd like, but it will look exactly the same.

Hi @ndb217 

We haven't found any similar issues. May I suggest you check the configuration on your site? You may try to use Wireshark to capture packets. And share the screenshots of your capture.

@Dan15@reynhartono If you encountered the similar issues, please also help to provide the screenshots. Thanks.

Hi @ndb217 
Thanks for posting in our business forum.

ndb217 wrote

I provided a packet trace in an above reply. I can generate a new one if you'd like, but it will look exactly the same.

That is NOT Wireshark capture. Are you sure about your statement? That only looks like a log on your DNS server. What does this IP mean? "10.10.10.8"? Where is the destination IP and port?

Requesting a Wireshark result of it. And you did not provide your IP and network diagram. Please provide screenshots of your capture which shows the source is coming from the EAP and what domain it requested. It is in plain text. Your diagram as well so I can understand your capture.

@Dan15 @reynhartono @ndb217 

e.g. DNS in plain text, I want to see if it is requesting "del" or whatever you or OP described. Because your DNS server logs "del" which I think might be a mistake on the DNS server failing to recognize the proper DNS queries.

I have requested a model EAP670 from the warehouse and waiting for its arrival and place it at my home where I have both DNS servers and check it out.

Hi @ndb217 

Thanks for posting in our business forum.

ndb217 wrote

  @Clive_A Yes, I am aware that it is not wireshark - it is a packet capture using tcpdump (and sumirily libpcap) directly, the same library that wireshark uses and generating the same output data. I cannot use wireshark from this system, it has no GUI, but what I have provided is functionally the same data you'd get from wireshark without the color formatting. 

 

sudo tcpdump host 10.10.10.8 -vvv -s 1500 

 

I am sniffing the entire 1500 bytes and generating verbose output for the host 10.10.10.8, which is the wireless AP. resolver1 is the recursive DNS resolver. 10.10.10.8.58768 is the source address and port. 

 

If you look at the format, it's pretty much the same: 

 

                    

22:08:26.844151 IP (tos 0x0, ttl 63, id 64535, offset 0, flags [DF], proto UDP (17), length 49) 10.10.10.8.58768 > resolver1: [udp sum ok] 1484+ A? del. (21)

 

 

However, if you require wireshark formatting, I can generate that with tshark: 

 

ndb217@rdns2 ~ % sudo tshark host 10.10.10.8 and port 53
Capturing on 'eth0'
 ** (tshark:131477) 08:45:42.280497 [Main MESSAGE] -- Capture started.
 ** (tshark:131477) 08:45:42.281036 [Main MESSAGE] -- File: "/tmp/wireshark_eth0R43DL2.pcapng"
    1 0.000000000 10.10.10.8 → 10.10.9.53  DNS 63 Standard query 0x06a1 A del
    2 0.000809213  10.10.9.53 → 10.10.10.8 DNS 63 Standard query response 0x06a1 No such name A del
    3 0.015186109 10.10.10.8 → 10.10.9.53  DNS 63 Standard query 0xb55c A del
    4 0.015958211  10.10.9.53 → 10.10.10.8 DNS 63 Standard query response 0xb55c No such name A del
    5 0.026361021 10.10.10.8 → 10.10.9.53  DNS 63 Standard query 0x1084 A del
    6 0.026942570  10.10.9.53 → 10.10.10.8 DNS 63 Standard query response 0x1084 No such name A del
    7 0.040128553 10.10.10.8 → 10.10.9.53  DNS 63 Standard query 0xa82c A del
    8 0.040741546  10.10.9.53 → 10.10.10.8 DNS 63 Standard query response 0xa82c No such name A del
    9 2.134361507 10.10.10.8 → 10.10.9.53  DNS 63 Standard query 0x4587 A del
   10 2.135289533  10.10.9.53 → 10.10.10.8 DNS 63 Standard query response 0x4587 No such name A del
   11 2.147535045 10.10.10.8 → 10.10.9.53  DNS 63 Standard query 0xb589 A del
   12 2.148336851  10.10.9.53 → 10.10.10.8 DNS 63 Standard query response 0xb589 No such name A del
   13 2.164157045 10.10.10.8 → 10.10.9.53  DNS 63 Standard query 0xa362 A del
   14 2.164773946  10.10.9.53 → 10.10.10.8 DNS 63 Standard query response 0xa362 No such name A del
   15 2.178416498 10.10.10.8 → 10.10.9.53  DNS 63 Standard query 0x5784 A del
   16 2.178975751  10.10.9.53 → 10.10.10.8 DNS 63 Standard query response 0x5784 No such name A del
   17 6.307694106 10.10.10.8 → 10.10.9.53  DNS 63 Standard query 0x5196 A del
   18 6.308584985  10.10.9.53 → 10.10.10.8 DNS 63 Standard query response 0x5196 No such name A del
   19 6.320056709 10.10.10.8 → 10.10.9.53  DNS 63 Standard query 0x50d0 A del
   20 6.320782442  10.10.9.53 → 10.10.10.8 DNS 63 Standard query response 0x50d0 No such name A del
   21 6.332850604 10.10.10.8 → 10.10.9.53  DNS 63 Standard query 0x866b A del
   22 6.333417524  10.10.9.53 → 10.10.10.8 DNS 63 Standard query response 0x866b No such name A del
   23 6.348966758 10.10.10.8 → 10.10.9.53  DNS 63 Standard query 0xc6c5 A del
   24 6.349556270  10.10.9.53 → 10.10.10.8 DNS 63 Standard query response 0xc6c5 No such name A del

 

 

I have no A record for "del", and never have. I an unwilling to upgrade to the latest version because when I had that runnig a few weeks ago my APs were so unstable that they would cause outages requiring a manual reboot multiple times per day or would reboot on their own. I am willing to make changes to the controller, but I would like to do that in a measured way to better understand what is causing this and why. Simply erasing the controller and rebuilding, while there is a small chance it will the issue, is not a solution. It provides no causaility and simply triggering the bug will likely happen again.  

 

My network is fairly straightforward, a diagram containing the relevant L3 is below. the IW WAPs are used exclusively for ethernet ports and do not provide wireless, only the 670s do wireless.  

This is very helpful and things are clear now. Thanks for the detailed information. It pretty much nails the fact that there are "del" requests from the EAP.

@KimcheeGUN So since you have the EAP670 now, mine are under the transition from the warehouse, can you try to Wireshark and see what you got from your end? Appreciate it if you could do that and for your time.

@Hank21 Please follow it up and inform the related teams about this. OP and ndb have listed their firmware and HW versions.