Bad DNS Query errors on router from Wireless Subet

ccisco630
Here to help

Bad DNS Query errors on router from Wireless Subet

Running a Meraki wireless network with a secure SSID for staff.  The Meraki AP has an IP address on the secure subnet which is permitted on the WAN.  For DNS we have the primary set to an internal DNS server and secondary set as 8.8.8.8, to satisfy both the Secure SSID and guest SSID name resolution queries.  The DHCP scope on the router for the secure wireless subnet has a DNS entry of the default router for that network.  In the router logs, I am seeing sets of these every day:


007515: Dec 19 10:07:15.439 EST: %DNSSERVER-3-BADQUERY: Bad DNS query from 10.203.2.2
007516: Dec 19 10:07:15.439 EST: %DNSSERVER-3-BADQUERY: Bad DNS query from 10.203.2.2
007517: Dec 19 10:07:15.571 EST: %DNSSERVER-3-BADQUERY: Bad DNS query from 10.203.2.2
007518: Dec 19 10:07:15.571 EST: %DNSSERVER-3-BADQUERY: Bad DNS query from 10.203.2.2
007519: Dec 19 10:07:15.627 EST: %DNSSERVER-3-BADQUERY: Bad DNS query from 10.203.2.2
007520: Dec 19 10:07:15.631 EST: %DNSSERVER-3-BADQUERY: Bad DNS query from 10.203.2.2
007521: Dec 19 10:07:16.615 EST: %DNSSERVER-3-BADQUERY: Bad DNS query from 10.203.2.2
007522: Dec 19 10:07:16.615 EST: %DNSSERVER-3-BADQUERY: Bad DNS query from 10.203.2.2

 

That is the IP address of my AP.  What could be causing these errors?  All is working as it should for staff and guest access, but would like to get to the bottom of these errors.  Thanks!

9 REPLIES 9
BrechtSchamp
Kind of a big deal

What are the DNS settings for the AP? Because I know it uses DNS for its cloud connection:

 

https://documentation.meraki.com/MR/Monitoring_and_Reporting/Alert%3A_This_device_is_having_difficul...

 

Is it possible that your router is handing out an IP address to the AP and at the same time it's own IP address as DNS server instead of your real DNS server or 8.8.8.8?

On the AP I have an internal DNS server set as Primary and then 8.8.8.8 as secondary.  That could be the case, as the router is the gateway for the AP, and has that gateway address (10.203.2.1 in this instance) in the DHCP scope for that subnet.  But when I remove that DNS configuration or change it to the internal IP or 8.8.8.8 in the DHCP scope for that subnet, I can't get to any external or internal websites.

Just checking to see if I understood correctly:

  • So the clients get their DNS settings from the router over DHCP?
  • And the router is setup to hand out it's own IP (10.203.2.1) as DNS server?
  • The router itself is configured to use your internal DNS and 8.8.8.8?
  • The AP is set to fixed IP settings? Or DHCP?

 

Can you check if your can ping your DNS server from the AP and also if it's name resolution actually works using the live tools:

https://documentation.meraki.com/MR/Monitoring_and_Reporting/Using_the_MR_Live_Tool

Yes, clients get their DNS settings from the router over DHCP.

The router's DNS config for that wireless subnet is 10.203.2.1, which is also that subnet's default-gateway/router.

The router itself has a config line of ip name-server listing 2 internal DNS servers and 8.8.8.8

The AP is setup in Dashboard with the internal DNS first, and 8.8.8.8 second.

I am able to ping the internal DNS from the AP in Dashboard, and name resolution does appear to be taking place, but I still get a flurry of those errors throughout the day.

 

I really appreciate the help on figuring this out.

 

It's a bit strange that the router gets DNS requests from the AP if the AP is not setup to use the router as DNS server.

 

From your comment about the clients getting their IP from the router over DHCP I take I conclude that the AP is in bridge mode, so those DNS requests can't be NATed client requests either.

 

My next step would be to do a packet capture on the AP's uplink and filter it for DNS queries going to the router to see what they are with wireshark.

 

https://documentation.meraki.com/zGeneral_Administration/Cross-Platform_Content/Packet_Capture_Overv...

It appears that name resolution is being provided by all three configured, the internal DNS, 8.8.8.8, and the default-router for the subnet.  Here is a sample of the Wireshark output on the uplink from the AP to the router.  I got another flurry of those errors at 12:12-12:13, and that is all for the day thus far.DNSissue_wiresharkDec21.JPG

Okay, the behavior is as expected.

 

The clients are indeed sending their requests to the router 10.203.2.1.

 

The AP is sending requests to both 10.1.31.25 (I assume this is the internal DNS server) and 8.8.8.8.

 


@ccisco630 wrote:

 I got another flurry of those errors at 12:12-12:13, and that is all for the day thus far.


Do you mean that the errors are not continuous? From you first log I kind of assumed they were continuous as they  came in so close to each other.

 

It'll be harder to diagnose if they happen randomly and infrequently. Port mirroring could help to make captures for a longer time than the 20 min max supported by the dashboard.

weedy84
Just browsing

hello all,

 

I have same problem, i read same error on my cisco router, but i have Ruckus unleashed wireless network...

 

i have that one time in day every one or two days:

Apr 7 22:42:02.515: %DNSSERVER-3-BADQUERY: Bad DNS query from 10.1.0.8
Apr 7 22:42:07.523: %DNSSERVER-3-BADQUERY: Bad DNS query from 10.1.0.8
Apr 7 22:42:12.799: %DNSSERVER-3-BADQUERY: Bad DNS query from 10.1.0.8
Apr 7 22:42:17.803: %DNSSERVER-3-BADQUERY: Bad DNS query from 10.1.0.8
Apr 7 22:42:22.807: %DNSSERVER-3-BADQUERY: Bad DNS query from 10.1.0.8
Apr 7 22:42:27.811: %DNSSERVER-3-BADQUERY: Bad DNS query from 10.1.0.8
Apr 7 22:42:32.811: %DNSSERVER-3-BADQUERY: Bad DNS query from 10.1.0.8
Apr 7 22:42:37.815: %DNSSERVER-3-BADQUERY: Bad DNS query from 10.1.0.8
Apr 7 22:42:43.039: %DNSSERVER-3-BADQUERY: Bad DNS query from 10.1.0.8
Apr 7 22:56:04.448: %DNSSERVER-3-BADQUERY: Bad DNS query from 10.1.0.8
Apr 7 22:56:09.448: %DNSSERVER-3-BADQUERY: Bad DNS query from 10.1.0.8
Apr 7 22:56:14.452: %DNSSERVER-3-BADQUERY: Bad DNS query from 10.1.0.8
Apr 7 22:56:19.676: %DNSSERVER-3-BADQUERY: Bad DNS query from 10.1.0.8
Apr 7 22:56:24.680: %DNSSERVER-3-BADQUERY: Bad DNS query from 10.1.0.8
Apr 7 22:56:29.681: %DNSSERVER-3-BADQUERY: Bad DNS query from 10.1.0.8
Apr 7 22:56:34.685: %DNSSERVER-3-BADQUERY: Bad DNS query from 10.1.0.8
Apr 7 22:56:39.685: %DNSSERVER-3-BADQUERY: Bad DNS query from 10.1.0.8
Apr 7 22:56:44.689: %DNSSERVER-3-BADQUERY: Bad DNS query from 10.1.0.8
Apr 7 23:51:38.155: %DNSSERVER-3-BADQUERY: Bad DNS query from 10.1.0.8
Apr 7 23:51:43.159: %DNSSERVER-3-BADQUERY: Bad DNS query from 10.1.0.8
Apr 7 23:51:48.383: %DNSSERVER-3-BADQUERY: Bad DNS query from 10.1.0.8
Apr 7 23:51:53.387: %DNSSERVER-3-BADQUERY: Bad DNS query from 10.1.0.8
Apr 7 23:51:58.387: %DNSSERVER-3-BADQUERY: Bad DNS query from 10.1.0.8
Apr 7 23:52:03.395: %DNSSERVER-3-BADQUERY: Bad DNS query from 10.1.0.8
Apr 7 23:52:08.395: %DNSSERVER-3-BADQUERY: Bad DNS query from 10.1.0.8
Apr 7 23:52:13.403: %DNSSERVER-3-BADQUERY: Bad DNS query from 10.1.0.8

weedy84
Just browsing

look if you can register your material...

 

Please be advised that products will periodically connect to Meraki

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels