Excessive DNS Requests

2024-10-11 12:26:21 - last edited Friday
Model: Deco XE75 Pro  
Hardware Version:
Firmware Version: 1.2.11 Build 20240724

I have been experiencing issues with my TP-Link router (TP-Link Deco XE75 Pro) frequently making excessive DNS requests to Avira subdomains (*.safethings.avira.com) and also DNS root servers (a.root-servers.net). This issue can also be categorized as a DNS flood, due to the number of DNS entries. The pattern of these requests aligns with the concerns previously reported by other users.

I appreciate the clarification regarding the use of Avira services in HomeShield and the recent software review that identified flaws in the DNS request logic. However, I would like to confirm that this issue IS NOT resolved with the latest firmware update.

I would appreciate further guidance on any additional steps I can take to mitigate these mysterious and superfluous DNS requests, except for disabling the HomeShield features, as these requests continue to occur regardless of that logic.

Thank you for addressing this issue.

3 × XE75Pro (v3.0 | 1.2.11)
Re:Excessive DNS Requests to Avira Subdomains
2024-10-12 03:30:33

  @CyberHavoc9017 

Hi, Thank you very much for the feedback.

Did you save any screenshots of the excessive DNS requests to Avira subdomains? 

- The previous firmware did fix this issue and I haven't seen similar feedback ever since.

(There was other feedback about excessive DNS requests but it is not only for Avira/HomeShield. The online internet detection of Deco will also need DNS inquiry to some online domains, like amazon.com, reddit.com, etc.)

Wait for your reply and best regards.

Re:Excessive DNS Requests to Avira Subdomains
2024-10-13 02:28:26

  @David-TP 

Thank you for your response.

I did save a screenshot of the excessive DNS requests to Avira subdomains during the last 24 hours.

That's 419 requests an hour. 7 requests a minute.

Despite the firmware update, I haven't noticed a reduction in these requests.

3 × XE75Pro (v3.0 | 1.2.11)
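
One way to check a per-hour figure like the one quoted in the post above against a resolver's own log, as an added example that is not part of the thread. It assumes a dnsmasq-style query log; the sample lines and the router address 192.168.68.1 are constructed.

```python
import re
from collections import Counter

# Constructed sample lines in dnsmasq query-log format (assumed resolver).
# 192.168.68.1 stands in for the router's address; it is not from the thread.
SAMPLE_LOG = """\
Oct 12 14:00:05 dnsmasq[812]: query[A] ast-dual.safethings.avira.com from 192.168.68.1
Oct 12 14:00:05 dnsmasq[812]: forwarded ast-dual.safethings.avira.com to 192.0.2.53
Oct 12 14:00:13 dnsmasq[812]: query[AAAA] ast-dual.safethings.avira.com from 192.168.68.1
Oct 12 14:00:21 dnsmasq[812]: query[A] a.root-servers.net from 192.168.68.1
Oct 12 14:00:30 dnsmasq[812]: query[A] ast-dual.safethings.avira.com from 192.168.68.1
Oct 12 14:00:41 dnsmasq[812]: query[A] example.org from 192.168.68.57
Oct 12 15:00:02 dnsmasq[812]: query[A] ast-dual.safethings.avira.com from 192.168.68.1
"""

# Patterns taken from the thread; a leading "*." matches any subdomain.
WATCHED = ["*.safethings.avira.com", "a.root-servers.net", "*.tplinkcloud.com"]

LINE_RE = re.compile(
    r"^(?P<day>\w{3}\s+\d+) (?P<hour>\d\d):\d\d:\d\d dnsmasq\[\d+\]: "
    r"query\[[^\]]+\] (?P<name>\S+) from (?P<client>\S+)$")

def matches(name, pattern):
    """True if a queried name falls under a watched pattern."""
    name = name.lower().rstrip(".")
    if pattern.startswith("*."):
        return name.endswith(pattern[1:])  # compare against ".safethings.avira.com"
    return name == pattern

def hourly_rates(log_text, client, patterns=WATCHED):
    """Count one client's queries per (hour bucket, watched pattern)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["client"] != client:
            continue  # skip replies, forwards and other clients
        bucket = f"{' '.join(m['day'].split())} {m['hour']}:00"
        for pattern in patterns:
            if matches(m["name"], pattern):
                counts[(bucket, pattern)] += 1
                break
    return counts

def over_threshold(counts, per_hour):
    """Hour buckets in which a watched pattern reached the given rate."""
    return sorted(key for key, n in counts.items() if n >= per_hour)

if __name__ == "__main__":
    for (bucket, pattern), n in sorted(hourly_rates(SAMPLE_LOG, "192.168.68.1").items()):
        print(f"{bucket}  {pattern:<26} {n:>4} queries/hour")
```

Filtering on the client address separates queries the router itself originates from queries it merely forwards for LAN devices, which only works when the resolver sees each client's own address.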
Re:Excessive DNS Requests to Avira Subdomains
2024-10-14 08:58:26 - last edited 2024-10-19 16:17:20

  @CyberHavoc9017 

Hi, Thank you very much for the update.

I've checked with the senior engineers and the current DNS frequency is within the reasonable range, which is far from being called a DNS flood.
Ast-dual.safethings.avira.com is used for "Real-Time IoT Protection" under Network Security. To ensure the accuracy of the detection, it is necessary to keep a certain amount of DNS requests.

Thanks again and best regards.

Re:Excessive DNS Requests to Avira Subdomains
2024-10-19 16:12:05 - last edited 2024-10-19 21:23:31

  @David-TP 

I would like to get some clarification regarding certain domains that seem to generate a lot of DNS queries on my network. Specifically, I am blocking the following domains:

  • a.root-servers.net
  • *.safethings.avira.com
  • bing.com
  • youtube.com
  • www.netflix.com
  • reddit.com
  • live.com
  • *.tplinkcloud.com

My question is: Will blocking these domains negatively affect any essential functions, such as internet connectivity, device security, firmware updates or any other TP-Link services? I’m trying to minimize unnecessary DNS queries but want to ensure I’m not breaking anything critical in the process.

Thanks in advance for your assistance!

3 × XE75Pro (v3.0 | 1.2.11)
Re:Excessive DNS Requests
3 weeks ago - last edited Friday

@David-TP

I would appreciate a solid answer regarding what kind of data you are sharing with these domains.

To me it seems like the Deco firmware is loaded with spyware. However, that might be the case with any products manufactured in China.

Fool me once, shame on you; fool me twice, shame on me.

3 × XE75Pro (v3.0 | 1.2.11)
Re:Excessive DNS Requests
3 weeks ago - last edited 3 weeks ago

  @CyberHavoc9017 

Hi, Thank you very much for your time and patience.

  • *.safethings.avira.com is used for "Real-Time IoT Protection" under Network Security.
  • *.tplinkcloud.com is to maintain a constant connection on the Deco APP.

For the following DNS domains:

  • bing.com
  • youtube.com
  • www.netflix.com
  • reddit.com
  • live.com

These domains are meant for the Deco online network detection and Deco didn't share any data with those domains. Blocking those domains would not interfere with the internet access but the LED would turn red due to online detection failure.

If you have further security concerns, it is highly suggested to reach out to security@tp-link.com. The responsible engineers will provide you with more details and offer further assistance.

Thanks a lot and best regards.