What is "cap_bn.local" and why is it being (massively) queried and then forwarded from/to my Router?

Hi, I think this is a very similar question to the "wpad" thing, but I have been searching and can't find information anywhere.

I have A LOT of this in the pi-hole log (.local is my network):

Jun 5 18:55:30 dnsmasq[459]: query[A] cap_bn.local from 192.168.50.1
Jun 5 18:55:30 dnsmasq[459]: forwarded cap_bn.local to 192.168.50.1
Jun 5 18:55:30 dnsmasq[459]: query[A] cap_bn.local from 192.168.50.1
Jun 5 18:55:30 dnsmasq[459]: forwarded cap_bn.local to 192.168.50.1
Jun 5 18:55:30 dnsmasq[459]: query[A] cap_bn.local from 192.168.50.1
Jun 5 18:55:30 dnsmasq[459]: forwarded cap_bn.local to 192.168.50.1
Jun 5 18:55:30 dnsmasq[459]: query[A] cap_bn.local from 192.168.50.1
Jun 5 18:55:30 dnsmasq[459]: forwarded cap_bn.local to 192.168.50.1
Jun 5 18:55:30 dnsmasq[459]: query[A] cap_bn.local from 192.168.50.1

Can somebody please help me figure out what this is about?

Thanks

It looks like you have a DNS loop here. Router requests the IP, which then goes to router for resolution.
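The loop described in the reply above can be confirmed from the Pi-hole log itself. The following is an added example, not part of the original thread: it flags any name that is forwarded to the same host that asked for it. The function name, the `min_hits` threshold and the `example.com` lines are assumptions; the `cap_bn.local` lines repeat the log posted in the question.

```python
import re
from collections import Counter, defaultdict

# Matches the two dnsmasq log line shapes shown in the question.
LINE = re.compile(
    r"dnsmasq\[\d+\]: (?:query\[\w+\] (?P<qname>\S+) from (?P<client>\S+)"
    r"|forwarded (?P<fname>\S+) to (?P<upstream>\S+))$"
)


def find_forwarding_loops(lines, min_hits=3):
    """Return {(name, host): hits} where `host` both asks for `name` and is
    the upstream that `name` is forwarded to, i.e. the query circles back."""
    asked = defaultdict(Counter)      # name -> Counter of querying clients
    forwarded = defaultdict(Counter)  # name -> Counter of upstream servers
    for line in lines:
        m = LINE.search(line.strip())
        if not m:
            continue  # unrelated log line (cache hits, replies, other daemons)
        if m["qname"]:
            asked[m["qname"].lower()][m["client"]] += 1
        else:
            forwarded[m["fname"].lower()][m["upstream"]] += 1
    loops = {}
    for name, upstreams in forwarded.items():
        for host, fwd_hits in upstreams.items():
            # A loop needs both directions: asked by host AND sent back to host.
            hits = min(fwd_hits, asked[name][host])
            if hits >= min_hits:
                loops[(name, host)] = hits
    return loops


# The query/forwarded pair from the question, repeated as in the posted log.
LOOP_PAIR = [
    "Jun 5 18:55:30 dnsmasq[459]: query[A] cap_bn.local from 192.168.50.1",
    "Jun 5 18:55:30 dnsmasq[459]: forwarded cap_bn.local to 192.168.50.1",
]
# Constructed lines: a normal lookup that goes to a public upstream.
NORMAL = [
    "Jun 5 18:55:31 dnsmasq[459]: query[A] example.com from 192.168.50.219",
    "Jun 5 18:55:31 dnsmasq[459]: forwarded example.com to 8.8.8.8",
]
SAMPLE = LOOP_PAIR * 4 + NORMAL

if __name__ == "__main__":
    for (name, host), hits in find_forwarding_loops(SAMPLE).items():
        print(f"possible DNS loop: {name} asked by and forwarded to {host} ({hits}x)")
```
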

Any idea how to debug (or stop) something like that?

Disable conditional forwarding if it is enabled.

What upstream DNS servers are you using?

OK, I have disabled it, and my upstream DNS is Google.

I have the log from the Router (Asus RT-AC86U)

Jun  5 19:23:19 dnsmasq[1258]: Maximum number of concurrent DNS queries reached (max: 150)
Jun  5 19:23:24 dnsmasq[1258]: Maximum number of concurrent DNS queries reached (max: 150)
Jun  5 19:23:25 wlceventd: WLCEVENTD wlceventd_proc_event(466): eth5: Deauth_ind <mac address Win10 laptop>, status: 0, reason: Class 3 frame received from nonassociated station (7)
Jun  5 19:23:30 dnsmasq[1258]: Maximum number of concurrent DNS queries reached (max: 150)
Jun  5 19:23:35 wlceventd: WLCEVENTD wlceventd_proc_event(466): eth5: Deauth_ind <mac address Win10 laptop>, status: 0, reason: Class 3 frame received from nonassociated station (7)
Jun  5 19:23:36 dnsmasq[1258]: Maximum number of concurrent DNS queries reached (max: 150)
Jun  5 19:23:42 dnsmasq[1258]: Maximum number of concurrent DNS queries reached (max: 150)
Jun  5 19:23:45 wlceventd: WLCEVENTD wlceventd_proc_event(466): eth5: Deauth_ind <mac address Win10 laptop>, status: 0, reason: Class 3 frame received from nonassociated station (7)
Jun  5 19:23:48 dnsmasq[1258]: Maximum number of concurrent DNS queries reached (max: 150)
Jun  5 19:23:54 dnsmasq[1258]: Maximum number of concurrent DNS queries reached (max: 150)
Jun  5 19:23:55 wlceventd: WLCEVENTD wlceventd_proc_event(466): eth5: Deauth_ind <mac address Win10 laptop>, status: 0, reason: Class 3 frame received from nonassociated station (7)
Jun  5 19:24:00 dnsmasq[1258]: Maximum number of concurrent DNS queries reached (max: 150)
Jun  5 19:24:06 wlceventd: WLCEVENTD wlceventd_proc_event(466): eth5: Deauth_ind <mac address Win10 laptop>, status: 0, reason: Class 3 frame received from nonassociated station (7)
Jun  5 19:24:06 dnsmasq[1258]: Maximum number of concurrent DNS queries reached (max: 150)
Jun  5 19:24:12 dnsmasq[1258]: Maximum number of concurrent DNS queries reached (max: 150)
Jun  5 19:24:16 wlceventd: WLCEVENTD wlceventd_proc_event(466): eth5: Deauth_ind <mac address Win10 laptop>, status: 0, reason: Class 3 frame received from nonassociated station (7)
Jun  5 19:24:19 dnsmasq[1258]: Maximum number of concurrent DNS queries reached (max: 150)
Jun  5 19:24:25 dnsmasq[1258]: Maximum number of concurrent DNS queries reached (max: 150)
Jun  5 19:24:26 wlceventd: WLCEVENTD wlceventd_proc_event(466): eth5: Deauth_ind <mac address Win10 laptop>, status: 0, reason: Class 3 frame received from nonassociated station (7)
Jun  5 19:24:30 dnsmasq[1258]: Maximum number of concurrent DNS queries reached (max: 150)
Jun  5 19:24:36 wlceventd: WLCEVENTD wlceventd_proc_event(466): eth5: Deauth_ind <mac address Win10 laptop>, status: 0, reason: Class 3 frame received from nonassociated station (7)
Jun  5 19:24:37 dnsmasq[1258]: Maximum number of concurrent DNS queries reached (max: 150)
Jun  5 19:24:43 dnsmasq[1258]: Maximum number of concurrent DNS queries reached (max: 150)
Jun  5 19:24:46 wlceventd: WLCEVENTD wlceventd_proc_event(466): eth5: Deauth_ind <mac address Win10 laptop>, status: 0, reason: Class 3 frame received from nonassociated station (7)
Jun  5 19:24:49 dnsmasq[1258]: Maximum number of concurrent DNS queries reached (max: 150)
Jun  5 19:24:54 dnsmasq[1258]: Maximum number of concurrent DNS queries reached (max: 150)
Jun  5 19:24:56 wlceventd: WLCEVENTD wlceventd_proc_event(466): eth5: Deauth_ind <mac address Win10 laptop>, status: 0, reason: Class 3 frame received from nonassociated station (7)
Jun  5 19:25:00 dnsmasq[1258]: Maximum number of concurrent DNS queries reached (max: 150)
Jun  5 19:25:06 wlceventd: WLCEVENTD wlceventd_proc_event(466): eth5: Deauth_ind <mac address Win10 laptop>, status: 0, reason: Class 3 frame received from nonassociated station (7)
Jun  5 19:25:07 dnsmasq[1258]: Maximum number of concurrent DNS queries reached (max: 150)
Jun  5 19:25:13 dnsmasq[1258]: Maximum number of concurrent DNS queries reached (max: 150)
Jun  5 19:25:16 wlceventd: WLCEVENTD wlceventd_proc_event(466): eth5: Deauth_ind <mac address Win10 laptop>, status: 0, reason: Class 3 frame received from nonassociated station (7)
Jun  5 19:25:19 dnsmasq[1258]: Maximum number of concurrent DNS queries reached (max: 150)

What is the output of these commands from the Pi terminal?

echo ">stats >quit" | nc localhost 4711

echo ">top-clients >quit" | nc localhost 4711

echo ">top-domains >quit" | nc localhost 4711

Sorry for the delay. Last night I flushed the logs and DNS so I would have a "cleaner dashboard" after disabling conditional forwarding, so I waited a couple of hours to have a log with the new changes.

Also I generated a debug token: https://tricorder.pi-hole.net/wrsagn4syw

The console commands are:

echo ">stats >quit" | nc localhost 4711

domains_being_blocked 316988
dns_queries_today 19386
ads_blocked_today 5752
ads_percentage_today 29.670897
unique_domains 2019
queries_forwarded 9253
queries_cached 4381
clients_ever_seen 14
unique_clients 14
dns_queries_all_types 19386
reply_NODATA 118
reply_NXDOMAIN 1878
reply_CNAME 4440
reply_IP 13637
privacy_level 0
status enabled

echo ">top-clients >quit" | nc localhost 4711

0 5828 192.168.50.1
1 4242 192.168.50.219
2 3305 192.168.50.171
3 3260 192.168.50.187
4 1673 192.168.50.107
5 649 192.168.50.59
6 302 127.0.0.1 localhost
7 70 192.168.50.93
8 31 192.168.50.114
9 15 192.168.50.63

echo ">top-domains >quit" | nc localhost 4711

0 4935 dns.msftncsi.com
1 1227 cap_bn.katran
2 427 wpad.katran
3 223 imap.gmail.com
4 217 gateway.fe.apple-dns.net
5 168 eas.outlook.com
6 135 us04xmpp1.zoom.us
7 108 prod.http1.us-east-1-sa.prodaa.netflix.com
8 89 chat.cdn.whatsapp.net
9 80 outlook.office365.com

I don't see anything unusual here.

Since I disabled conditional forwarding, everything is working much better (I guess the router wasn't too happy with that setup).

Also, for me it's not a big loss; I rarely look at the dashboard stats.

Thanks (I really love this software), keep up the good work!
