Flood of DNS requests to NTP server

2020-06-03 13:39:04 - last edited 2022-03-22 06:35:32
Model: Deco M9 Plus  
Hardware Version: V1
Firmware Version: Deco M9 Plus(EU)_V1_200324

Hi,

Since the last firmware update, I can see a huge increase in DNS requests coming from the Deco units (M9 plus).

In fact, every second (!) on average there are multiple requests to eu.pool.ntp.org. My logs are being flooded by this.

I know this is an NTP server used for time synchronisation, but it is not normal to do this multiple times per second. More like once every hour.

A small excerpt from my Pi-Hole logs:

Jun  3 14:27:52 dnsmasq[546]: query[AAAA] eu.pool.ntp.org from 192.168.1.xxx
Jun  3 14:27:52 dnsmasq[546]: cached eu.pool.ntp.org is NXDOMAIN
Jun  3 14:27:52 dnsmasq[546]: query[A] eu.pool.ntp.org from 192.168.1.xxx
Jun  3 14:27:52 dnsmasq[546]: cached eu.pool.ntp.org is NXDOMAIN
Jun  3 14:27:53 dnsmasq[546]: query[AAAA] eu.pool.ntp.org from 192.168.1.xxx
Jun  3 14:27:53 dnsmasq[546]: cached eu.pool.ntp.org is NXDOMAIN
Jun  3 14:27:53 dnsmasq[546]: query[A] eu.pool.ntp.org from 192.168.1.xxx
Jun  3 14:27:53 dnsmasq[546]: cached eu.pool.ntp.org is NXDOMAIN
Jun  3 14:27:53 dnsmasq[546]: query[AAAA] eu.pool.ntp.org from 192.168.1.xxx
Jun  3 14:27:53 dnsmasq[546]: cached eu.pool.ntp.org is NXDOMAIN
Jun  3 14:27:53 dnsmasq[546]: query[A] eu.pool.ntp.org from 192.168.1.xxx
Jun  3 14:27:53 dnsmasq[546]: cached eu.pool.ntp.org is NXDOMAIN
Jun  3 14:27:58 dnsmasq[546]: query[AAAA] eu.pool.ntp.org from 192.168.1.xxx
Jun  3 14:27:58 dnsmasq[546]: cached eu.pool.ntp.org is NXDOMAIN
Jun  3 14:27:58 dnsmasq[546]: query[A] eu.pool.ntp.org from 192.168.1.xxx
Jun  3 14:27:58 dnsmasq[546]: cached eu.pool.ntp.org is NXDOMAIN
Jun  3 14:27:59 dnsmasq[546]: query[AAAA] eu.pool.ntp.org from 192.168.1.xxx
Jun  3 14:27:59 dnsmasq[546]: cached eu.pool.ntp.org is NXDOMAIN
Jun  3 14:27:59 dnsmasq[546]: query[A] eu.pool.ntp.org from 192.168.1.xxx
Jun  3 14:27:59 dnsmasq[546]: cached eu.pool.ntp.org is NXDOMAIN
Jun  3 14:27:59 dnsmasq[546]: query[AAAA] eu.pool.ntp.org from 192.168.1.xxx
Jun  3 14:27:59 dnsmasq[546]: cached eu.pool.ntp.org is NXDOMAIN
Jun  3 14:27:59 dnsmasq[546]: query[A] eu.pool.ntp.org from 192.168.1.xxx
Jun  3 14:27:59 dnsmasq[546]: cached eu.pool.ntp.org is NXDOMAIN

I have three Deco units installed and they are all making these silly requests.

Does anyone else experience the same?

#1
Re:Flood of DNS requests to NTP server-Solution
2020-06-05 09:59:51 - last edited 2022-03-22 06:35:26

@bramdenboer 

Update:

The issue of frequent requests to the NTP server on Deco M9 plus here has been improved since firmware 1.5.x.

Please make sure the firmware of your Deco is up to date.

Thank you very much.

Recommended Solution
#2
Re:Flood of DNS requests to NTP server
2020-06-05 10:15:29

@TP-Link_Deco 

No I haven't because I am using the Deco in Access Point mode so there is no DNS setting to change. 

All my devices (including the Deco) are using my Pi-hole server as a DNS server, that is also the reason I am able to see which DNS requests are being made from which device. Pi-hole forwards all DNS requests to the public DNS server of my ISP (or an alternative one like Google or CloudFlare DNS).

The issue probably lies within the Deco firmware itself, and this only started happening after the new firmware update. Somehow there is some kind of polling mechanism in place that queries the aforementioned NTP server far too often.

#3
Re:Flood of DNS requests to NTP server
2020-06-11 11:37:47

@bramdenboer 

Can you try configuring the Deco to work in Router mode and check if the Deco has the same problem or not?

#4
Re:Flood of DNS requests to NTP server
2020-07-20 21:20:19

@bramdenboer 

Came across this today.

This is because pool.ntp.org now uses europe.pool.ntp.org and not eu.ntp.org. Our Decos are trying to NTP sync using a domain that doesn't exist.

Until TP-Link push an update to the Decos with the correct domain, they're going to keep spamming a non-existent domain, and getting NXDOMAIN as the response.

My guess is the speed of requests is due to the fact it's failing to NTP sync because the domain is bad, so is retrying again quickly afterwards. I'm assuming once they're syncing against a valid server, they'll calm down.

#5
Re:Flood of DNS requests to NTP server-Solution
2020-07-25 07:28:19 - last edited 2020-07-28 07:53:52

@bramdenboer

Further to this, if you map the incorrect domain the Deco is trying to access of eu.pool.ntp.org to the IP address for europe.pool.ntp.org in your pi-hole, the flood of requests instantly stops, as the Decos can then sync their time successfully.

To find the IP address for the domain, on your local machine:

% dig europe.pool.ntp.org 

; <<>> DiG 9.10.6 <<>> europe.pool.ntp.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27888
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;europe.pool.ntp.org.        IN    A

;; ANSWER SECTION:
europe.pool.ntp.org.    121    IN    A    194.158.196.171
europe.pool.ntp.org.    121    IN    A    84.245.9.254
europe.pool.ntp.org.    121    IN    A    85.199.214.99
europe.pool.ntp.org.    121    IN    A    91.209.94.10

;; Query time: 41 msec
;; SERVER: 192.168.68.121#53(192.168.68.121)
;; WHEN: Sat Jul 25 08:23:03 BST 2020
;; MSG SIZE  rcvd: 188

Then go to 'Local DNS Records' page on your pi-hole and add a record for eu.pool.ntp.org pointing to any of the IPs in the above list.

Obviously this is just a filthy hack, and a stop gap until the Decos are updated to not try to NTP sync against a non-existent domain...

Recommended Solution
#6
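
The retry loop discussed in the posts above (a client asking for the same name many times per second and only ever getting NXDOMAIN) can be picked out of a Pi-hole/dnsmasq log automatically, which also gives a way to confirm it has stopped after a workaround or firmware fix. The script below is an added example, not part of any post in this thread; the function name `find_retry_storms`, its thresholds, the assumed log year and the sample client addresses are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the dnsmasq/Pi-hole log format quoted in the thread;
# the client addresses and the 192.0.2.10 answer are made up for this example.
SAMPLE_LOG = """\
Jun  3 14:27:52 dnsmasq[546]: query[AAAA] eu.pool.ntp.org from 192.168.1.20
Jun  3 14:27:52 dnsmasq[546]: cached eu.pool.ntp.org is NXDOMAIN
Jun  3 14:27:52 dnsmasq[546]: query[A] eu.pool.ntp.org from 192.168.1.20
Jun  3 14:27:52 dnsmasq[546]: cached eu.pool.ntp.org is NXDOMAIN
Jun  3 14:27:53 dnsmasq[546]: query[A] example.com from 192.168.1.30
Jun  3 14:27:53 dnsmasq[546]: reply example.com is 192.0.2.10
Jun  3 14:27:53 dnsmasq[546]: query[AAAA] eu.pool.ntp.org from 192.168.1.20
Jun  3 14:27:53 dnsmasq[546]: cached eu.pool.ntp.org is NXDOMAIN
Jun  3 14:27:53 dnsmasq[546]: query[A] eu.pool.ntp.org from 192.168.1.20
Jun  3 14:27:53 dnsmasq[546]: cached eu.pool.ntp.org is NXDOMAIN
"""

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) dnsmasq\[\d+\]: (.*)$")
QUERY = re.compile(r"^query\[\w+\] (\S+) from (\S+)$")
ANSWER = re.compile(r"^(?:cached|reply) (\S+) is (\S+)$")

def find_retry_storms(log_text, min_queries=4, min_rate=0.5, year=2020):
    """Return {(client, domain): queries_per_second} for every pair that was
    only ever answered NXDOMAIN yet kept asking at min_rate or faster."""
    times = defaultdict(list)    # (client, domain) -> query timestamps
    answers = defaultdict(set)   # (client, domain) -> answers seen
    last_client = {}             # domain -> client that asked most recently
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        # Syslog timestamps carry no year, so one is assumed (parameter `year`).
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        q, a = QUERY.match(m.group(2)), ANSWER.match(m.group(2))
        if q:
            times[(q.group(2), q.group(1))].append(ts)
            last_client[q.group(1)] = q.group(2)
        elif a and a.group(1) in last_client:
            # Answer lines name no client: credit the latest asker of the domain.
            answers[(last_client[a.group(1)], a.group(1))].add(a.group(2))
    storms = {}
    for key, stamps in times.items():
        rate = len(stamps) / max((stamps[-1] - stamps[0]).total_seconds(), 1.0)
        if len(stamps) >= min_queries and rate >= min_rate and answers[key] == {"NXDOMAIN"}:
            storms[key] = round(rate, 2)
    return storms
```

On the constructed sample it reports 192.168.1.20 asking for eu.pool.ntp.org at 4 queries per second, while the client whose lookup resolves is not flagged.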
Re:Flood of DNS requests to NTP server
2020-07-27 21:29:39

@jedimasterjonny

I'd spotted the obvious typo in their DNS, thanks for the tip on PiHole, I've done just that. Hopefully we won't have to wait another 6 months for a firmware update but I'm not holding my breath.

Any idea if it's possible to add multiple IPs for a domain in PiHole local DNS?

Dave

#7
Re:Flood of DNS requests to NTP server
2020-07-28 07:55:45

@jedimasterjonny

Hello, thanks very much for sharing this valued info in the community and we will soon investigate and fix this in a future firmware update.

Good days.

#8
Re:Flood of DNS requests to NTP server
2020-11-03 08:29:32

@jedimasterjonny

How can we fix this issue if we don't have pi-hole, if we just have a simple setup:

Internet --> modem --> deco M9 plus --> home

This has been going for almost a year now ... can someone please fix this damn issue already?

#9
Re:Flood of DNS requests to NTP server
2020-11-03 08:33:10

@TP-Link_Deco

What is the ETA on the firmware that corrects the ntp address?

How can we fix it if we don't have a pi-hole?

#10
Re:Flood of DNS requests to NTP server
2020-11-03 08:42:18

I'd like to share that I set the primary DNS to Google's 8.8.8.8 and 8.8.4.4 (secondary) and this fixed the problem for me.

In order to do that here's the documentation: https://www.tp-link.com/en/support/faq/1855/

#11