tantrum
Jun 06, 2020Apprentice
RBR850 frequently issuing DNS REFUSED responses
Had the RBK852 now for just over a month, and have an issue I'll open a support ticket for. Wondered though if others have been experiencing anything similar. Basically and since day 1 after put...
- Jul 29, 2021
Good Luck. This issue is resolved by the beta that's available.
rgautier
Feb 28, 2021Apprentice
There's a thread on here that explains exactly what the problem is...dnsmasq is trying to monitor for changes to the resolver configuration, rather than the changes to the resolver merely restarting dnsmasq. Since the filesystem is slow/busy, this constant polling can hang. The busier the router (more devices, more reliant on IPv4), the worse it gets. Using -n for running dnsmasq would fix it (and telling the WebGUI to restart dnsmasq when changing resolvers to account for it).
dnsmasq on the Orbi is SLOWER to resolve addresses than remote resolvers out on the Internet, which it shouldn't be since latency is so minimal. The DNS resolver on your cable modem/router is usually super fast (AND MAY EVEN CACHE!!!!). But dnsmasq isn't caching, hangs when it can't monitor the resolver file, and refuses to look up IP addresses (causing applications to hang, since DNS lookups are a BLOCKING network call!)
Now, the solution is EASY, IF you can get into the telnet mode. And there are two solutions: one, set DNS to something else in the DHCP OPTIONS passed to your devices...best bet, a pi-hole, or just your cable modem itself or a DNS service on the Internet. The other is to tell dnsmasq to stop polling (-n flag), which should make it faster (although bind w/cache would still be a much better option).
rgautier
Feb 28, 2021Apprentice
From the debug run:
dnsmasq -h -n -c 0 -N -i br* -r /tmp/resolv.conf -u root
Problems with this:
So, it looks like they're specifying BOTH the -r and -n flags, but this is NOT permitted. Since -r comes after -n, it's possibly overriding the -n selection, since -r is ONLY ALLOWED WHEN POLLING (see below).
-c is given a parameter of 0 ??
-u (It runs as root...so any RCE in dnsmasq is going to give full access to the device) -u is usually used to DOWNGRADE permission.
From the dnsmasq man page:
-h, --no-hosts Don't read the hostnames in /etc/hosts.
-n, --no-poll Don't poll /etc/resolv.conf for changes.
-c --clear-on-reload Whenever /etc/resolv.conf is re-read or the upstream servers are set via DBus, clear the DNS cache. This is useful when new nameservers may have different data than that held in cache.
-N, --no-negcache Disable negative caching. Negative caching allows dnsmasq to remember "no such domain" answers from upstream nameservers and answer identical queries without forwarding them again.
-i, --interface=<interface name>
-r, --resolv-file=<file> Read the IP addresses of the upstream nameservers from <file>, instead of /etc/resolv.conf. For the format of this file see resolv.conf(5). The only lines relevant to dnsmasq are nameserver ones. Dnsmasq can be told to poll more than one resolv.conf file, the first file name specified overrides the default, subsequent ones add to the list. This is only allowed when polling; the file with the currently latest modification time is the one used.
-u, --user=<username> Specify the userid to which dnsmasq will change after startup. Dnsmasq must normally be started as root, but it will drop root privileges after startup by changing id to another user. Normally this user is "nobody" but that can be over-ridden with this switch.
Rich
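An added example (not part of the post above and not NETGEAR's code): a small audit of the dnsmasq command line from the debug run, checking the privilege drop, caching and polling settings. Option meanings follow the upstream dnsmasq man page, where -c is --cache-size; the HARDENED line, its br0 interface and the finding names are constructed for comparison.

```python
import shlex

# Short options seen in the thread's command line. Meanings follow the
# upstream dnsmasq man page; there -c is --cache-size (0 disables the cache).
TAKES_ARG = {"-c": "cache-size", "-i": "interface",
             "-r": "resolv-file", "-u": "user"}
NO_ARG = {"-h": "no-hosts", "-n": "no-poll", "-N": "no-negcache"}


def parse(cmdline):
    """Return {long_name: [values]} for the short options handled above."""
    argv = shlex.split(cmdline)[1:]           # drop the program name
    opts, i = {}, 0
    while i < len(argv):
        tok = argv[i]
        if tok in TAKES_ARG:
            if i + 1 >= len(argv):
                raise ValueError(f"{tok} needs a value")
            opts.setdefault(TAKES_ARG[tok], []).append(argv[i + 1])
            i += 2
        elif tok in NO_ARG:
            opts.setdefault(NO_ARG[tok], []).append(True)
            i += 1
        else:
            raise ValueError(f"unhandled option {tok!r}")
    return opts


def audit(cmdline):
    """Return a sorted list of finding codes for one dnsmasq invocation."""
    o, findings = parse(cmdline), set()
    # The man page says dnsmasq normally drops to "nobody" after startup.
    if o.get("user", ["nobody"])[-1] == "root":
        findings.add("RUNS_AS_ROOT")
    if o.get("cache-size", [None])[-1] == "0":
        findings.add("CACHE_DISABLED")        # every query is forwarded
    if "no-negcache" in o:
        findings.add("NEGATIVE_CACHE_DISABLED")
    # Several resolv files are only allowed when polling (man page, -r).
    if "no-poll" in o and len(o.get("resolv-file", [])) > 1:
        findings.add("MULTIPLE_RESOLV_FILES_WITHOUT_POLLING")
    return sorted(findings)


ORBI = "dnsmasq -h -n -c 0 -N -i br* -r /tmp/resolv.conf -u root"  # from the thread
HARDENED = "dnsmasq -h -n -i br0 -r /tmp/resolv.conf -u nobody"    # constructed

if __name__ == "__main__":
    print(audit(ORBI))
    print(audit(HARDENED))
```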
- pv_omahaApr 02, 2021Initiate
I have the RBR850 setup and have been dealing with support for a few days now.
My firmware is now current at V3.2.17.12_1.4.14
Their solution options which took me 4 people to talk to today to get are:
1. RMA for a refurbished replacement which will not reset the support clock. It will still go off of original purchase date.
2. If the retailer you purchased from will exchange it, do that.
I really wish I was making this up. I just updated my case with a number of community forum links that all state the same issue.
Is anyone having the issue on my firmware still? I haven't seen it today, but that doesn't mean it's fixed.
- FURRYe38Apr 02, 2021Guru - Experienced User
You can try this:
Been using it and though I have seen a couple of DNS errors here and there, not frequent and seems to help some with this issue. I had not seen this until the time change this past month. Some of this may be time related as well.
So try it and let us know.
pv_omaha wrote: I have the RBR850 setup and have been dealing with support for a few days now.
My firmware is now current at V3.2.17.12_1.4.14
Their solution options which took me 4 people to talk to today to get are:
1. RMA for a refurbished replacement which will not reset the support clock. It will still go off of original purchase date.
2. If the retailer you purchased from will exchange it, do that.
I really wish I was making this up. I just updated my case with a number of community forum links that all state the same issue.
Is anyone having the issue on my firmware still? I haven't seen it today, but that doesn't mean it's fixed.
- KasemOApr 05, 2021Star
It's not IPV6. It's DNS.
- KasemOApr 05, 2021Star
pv_omaha wrote: I have the RBR850 setup and have been dealing with support for a few days now.
My firmware is now current at V3.2.17.12_1.4.14
Their solution options which took me 4 people to talk to today to get are:
1. RMA for a refurbished replacement which will not reset the support clock. It will still go off of original purchase date.
2. If the retailer you purchased from will exchange it, do that.
I really wish I was making this up. I just updated my case with a number of community forum links that all state the same issue.
Is anyone having the issue on my firmware still? I haven't seen it today, but that doesn't mean it's fixed.
Issue isn't fixed. You just won your first few coin tosses.
What really gets me is this is a $1000 router - when there are ones out there that cost half as much ... and actually work.
- bullm00nApr 05, 2021Virtuoso
Just curious...
If I were getting the DNS errors, how would they manifest? And the reason I ask is, as pervasive as this topic / thread would make them seem to be, I'd be having these issues. And maybe I am and just don't realize it. Are there particular conditions / settings that create the problem? If I wanted to recreate the problem and recognize it, how would I go about it?
I have the RBK852 setup with both the router and client computers using IPv4 and IPv6. I am using both Armor and the Traffic Metering and the default Netgear NTP. I have specified the Xfinity DNS as well as my local DNS in the Orbi Internet Setup page for IPv4. My IPv6 DNS are "Get automatically from ISP" in the IPv6 settings. I have briefly tried disabling IPv6 in the router and a client computer to see what difference that makes - didn't seem to make any difference, but I'm not sure how I would know or how long it would take for issues to occur. I usually use Chrome and Edge browsers. We have several computers and dozens of IOT devices connected - 60 or more wired and wireless devices typically. What else? I'm East Coast and my ISP is Xfinity, if that's relevant.
So, my question: if I want to force this issue and observe it, what settings are required to make it happen and how will I know when I see it?
Thanks for indulging me.
- FURRYe38Apr 05, 2021Guru - Experienced User
The few times I finally saw this after the time change last month was something like what's described here:
https://geeksadvice.com/how-to-fix-dns_probe_finished_nxdomain-error/
I had a capture of mine but I forgot to save it off or I would have posted it here. Sorry about that. Even with custom DNS and 6to4 DNS enabled, my browser saw a few of these DNS errors. Not all the time though. Even on this forum after changing tabs and refreshing the page. Opera GX saw a few of these and either the browser was able to auto refresh the page after the error appeared, then quickly went away and the page loaded correctly or it was a hard stop error in which the browser stopped and I had to manually refresh the page and then it loaded correctly.
I believe most of the problems were seen when the RBR was using Auto DNS, and no 6to4 DNS configurations.
I believe others have tried both configurations and it has appeared still throughout. I had not seen this whatsoever last year while using same Auto DNS and no 6to4 DNS. I then graduated to 6to4 DNS last year and still saw no DNS errors. Only when the time changed last month did they start to appear for me. I'm Pacific Northwest and Spartlight. CM1200 cable modem.
- amenicApr 05, 2021Apprentice
bullm00n wrote: Just curious...
If I were getting the DNS errors, how would they manifest? And the reason I ask is, as pervasive as this topic / thread would make them seem to be, I'd be having these issues. And maybe I am and just don't realize it. Are there particular conditions / settings that create the problem? If I wanted to recreate the problem and recognize it, how would I go about it?
I have the RBK852 setup with both the router and client computers using IPv4 and IPv6. I am using both Armor and the Traffic Metering and the default Netgear NTP. I have specified the Xfinity DNS as well as my local DNS in the Orbi Internet Setup page for IPv4. My IPv6 DNS are "Get automatically from ISP" in the IPv6 settings. I have briefly tried disabling IPv6 in the router and a client computer to see what difference that makes - didn't seem to make any difference, but I'm not sure how I would know or how long it would take for issues to occur. I usually use Chrome and Edge browsers. We have several computers and dozens of IOT devices connected - 60 or more wired and wireless devices typically. What else? I'm East Coast and my ISP is Xfinity, if that's relevant.
So, my question: if I want to force this issue and observe it, what settings are required to make it happen and how will I know when I see it?
Thanks for indulging me.
1.) Quick update for me. Manually updating the firmware, then factory resetting seems to allow a stable upgrade. The problem is that restoring my backed up settings didn't work. So, great to know every time I upgrade this thing I have to reconfigure my entire network... Did I mention there's no QOS too? This thing is trash.
2.) I couldn't tell you how to reproduce, I'm not doing ANYTHING earth shattering here.... What I can tell you is that it's almost 100% nothing to do with the user config and 100% to do with vendor config of the router. I'm very confident the issue is on the implementation of dnsmasq on the router itself. Even if you are using third party or local DNS, you're still hitting the dnsmasq service hardcoded into the router config. The only way to circumvent it is to override it at a PER CLIENT level on your entire network.....
How you'll see the issue is either with computers thinking they are "not connected to the internet" because they fail basic DNS checks intermittently through the Orbi router OR you'll see web requests fail then succeed on re-try.
If you are overriding DNS lookup on your client devices, you'll never see this problem.
The laziest effort NG could put forth to fix this, is to allow the user to disable dnsmasq on the router (other than what they are doing now which is nothing) but they could look at what stupid config option is being invoked to make it fail so easily and fix it that way too.
I'd rather have no caching or manage my own than deal with this garbage implementation.
I will also say that running Pi-hole on my network seems to have helped. It hasn't fixed the issue entirely but likely because so many types of DNS queries are being dropped, it's making less failures overall through dnsmasq on the Orbi. Maybe anecdotal evidence that the dnsmasq config limits are set low or something along those lines.
- amenicApr 07, 2021Apprentice
Disregard my previous comment about pi-hole. Now that I think about it, the queries are still going to hit the router first and then pi-hole, so it makes no sense that it would in any way help with this issue.
- rculpepperJun 04, 2021Guide
Problem still happening for me in V3.2.18.1_1.4.14. Traffic meter turned off, auto DST settings turned off, and to me this appears to be separate from the other issue where dnsmasq completely gives up every so often.
Current setup is pretty simple: CenturyLink gigabit fiber -> RBR850 + 2x RBS850 with a pi-hole box set as the DNS server (problem occurs when using auto dns or other DNS servers, too).
Any chance of NetGear support working with us to track this down and get a real fix in? I get that not everyone is seeing this issue (or noticing it), and that NetGear likely wants to keep dnsmasq set up a particular way for their security product... but there's got to be something they can do to fix this, or at least give owners access to fix this (would love to have ssh/telnet back!).
I'm outside of my refund window and guessing I'll end up having to put together a firewall/router (pfsense or something) and just punt the orbi to AP mode. That's a bummer, since I'd really like to keep things simple.
- pv_omahaJun 04, 2021Initiate
Sadly Netgear support could care less. I have opened two separate tickets on this issue and just like you was about to be outside of my return window.
They gave two options:
(1) return the "defective hardware" to them and have it replaced with a refurbished one. With zero regard of the fact you purchased their extremely expensive product and absolutely no guarantee that this would even fix the issue. Which we all know it would not...
(2) return it to the retailer and get a different product. This I thought was hilarious, a company telling you to return their product and buy some other company's product.
This is after I sent them numerous links to threads just like this one. They still deny there is anything wrong. They also absolutely do not monitor this forum in any way, it is just another way to get customers to "self soothe" so they do not have to actually support their products. Honestly after interacting with their support, not that they could!
- rculpepperJun 04, 2021Guide
Well, ugh. Guess I'm putting pfsense back into the mix!
- energieJun 06, 2021Luminary
This issue is well documented. Here is the main thread:
Issue is with the firmware. There is an issue with DNS resolving that Netgear doesn't fix for the Orbi AX (consumer line). It has been fixed in their business Orbi Pro a year ago. Don't expect Netgear to fix this issue.
Only solution is to use the Orbi AX in access point mode with a third party router in front of it. This basically means that the third party router will perform all 'routing' capabilities. While the Orbi AX becomes a dumb node. This is the most economical solution if you cannot return the Orbi AX anymore to the shops. There are no other solutions. The problem is with the firmware (= not a user or configuration issue).
Netgear needs to fix the firmware / DNS issue.
- FURRYe38Jun 23, 2021Guru - Experienced User
Ok for ALL you 8 series Orbi users, please make contact with Christian_R
Ask for access to Firmware v3.2.18.223. Beta is ready and being made available for those who want to try this version.
"Unknown/Phantom Satellite is showing up in the Orbi App
Netgear logs of Satellite are not collected in GUI debug logs
DNS issues"
Once you get the files, update the RBS first then RBR lastly. I would power OFF all units for 30 seconds then back ON. Same with your ISP MODEM/ONT.
If any issues are still seen, you'll need to do a factory reset and clean setup from scratch.
I would encourage those having DNS issues to give this a try. Seems to be fixed for 7 series users.
- kristianreesenJun 25, 2021Aspirant
Could anybody please help me with getting download access to the
firmware v3.2.18.223
for the rbr850 and rbs850 ?
- FURRYe38Jun 25, 2021Guru - Experienced User
Please make contact with @Christian_R
kristianreesen wrote: Could anybody please help me with getting download access to the
firmware v3.2.18.223
for the rbr850 and rbs850 ?