It looks like this was something weird the 582n was doing, reply 13 is presumably a list or frequently or recently looked up hostnames. DNS servers aren't specified or accessed by hostnames (obviously), so it shouldn't really matter what ntp.plus.net resolves to, except for using ntp.plus.net as a NTP server.

Hmm, interesting thought. Recent might be a possibility, certainly won't be frequent though - I don't frequently look at Alex's TBB monitor or most of the other stuff, but that doesn't explain why npr's list only had the one entry.
Edit: looks as though it's Recent Failed lookups! But where's the rest of the list? Limited buffer size? Anyway of expanding it?
Not sure how to interpret this lot!
>dns server debug stats
Corrupted packets received       :         0
Local questions resolved         :        88
Local negative answers sent      :        16
Total DNS packets forwarded      :     12738
Total DNS packets TCP forwarded  :        12
External answers received        :      6166
Spoofed responses                :       219
Forward table full, discard      :         0
TCP Forward table full, discard  :         0
TCP connection timeout           :         0
Spurious answers                 :        20
Unknown query types              :         0

Interesting, I ran the CLI command =>dns server debug spoof update
and now I've got
=>:dns server debug spoof list
Spoof IP          FQDN                        Real IP          Flags
198.18.1.65      www.ign.com ;                 23.62.53.115
198.18.1.66      www.askmen.com ;             23.62.53.51
198.18.1.67      ajax.googleapis.com          173.194.66.95
198.18.1.68      www.pcmag.com ;               23.62.53.49
198.18.1.69      ajax.microsoft.com          213.199.148.161
198.18.1.70      www8.pcmag.com              23.62.53.49
198.18.1.71      www2.pcmag.com              23.62.53.49
198.18.1.72      www4.pcmag.com              23.62.53.90
198.18.1.73      www1.pcmag.com              23.62.53.49
198.18.1.74      common.ziffdavisinternet.com 23.62.53.90
198.18.1.75      ssl.gstatic.com              173.194.34.79
198.18.1.76      promos.mcafee.com            161.69.13.29
198.18.1.77      housecall.trendmicro.com    23.62.53.106
198.18.1.78      usertools.plus.net          84.92.0.74
198.18.1.79      books.google.co.uk          173.194.34.78
198.18.1.80      www.plus.net ;               212.159.8.2
198.18.1.81      community.plus.net          212.159.8.110
198.18.1.82      ping.chartbeat.net          184.73.248.250
198.18.1.83      www.metoffice.gov.uk ;       23.62.53.73
198.18.1.84      sprites.pcpro.co.uk          54.230.3.94
198.18.1.85      content.dl-rms.com          12.130.81.215
198.18.1.86      www.google.com ;             74.125.132.104
198.18.1.87      w.sharethis.com              23.62.53.114
198.18.1.88      d3c3cq33003psk.cloudfront.net 54.230.2.85
198.18.1.89      ntp.plus.net                212.159.6.10
198.18.1.90      bqm.alexhoulton.co.uk        212.159.61.116
198.18.1.91      www.trendmicro.fi ;           23.62.53.106
198.18.1.92      www.speedtouch.ca ;           74.122.135.42
198.18.1.61      www.geek.com ;               23.62.53.99
198.18.1.62      mobile.pcmag.com            93.184.221.101
198.18.1.63      blogs.pcmag.com              23.62.53.64
198.18.1.64      www.computershopper.com ;     23.62.53.74
Also, I assume the following is normal settings
[ dnsc.ini ]
config timeout=5 retry=4 search=enabled trace=disabled
dnsadd addr=127.0.0.1 port=53
[ dnss.ini ]
config domain=lan timeout=15 suppress=0 state=enabled trace=disabled syslog=disabled WANDownSpoofing=enabled WDSpoofedIP=198.18.1.0 filter=disabled
host add name=dsldevice addr=0.0.0.0 addr6=:: ttl=1200

Quote from: Anotherone

@npr Your TG582n must be broken

Could be
Out of interest if you run the command "dns server debug spoof update" that puts some real IP's in the list.
This is what I got.
dns server debug spoof list
Spoof IP          FQDN                         Real IP          Flags
198.18.1.1       ntp.plus.net                 0.0.0.0          Not resolved
dns server debug spoof update
dns server debug spoof list
Spoof IP          FQDN                         Real IP          Flags
198.18.1.1       ntp.plus.net                 212.159.13.49

I'm guessing names get on that list when they don't resolve, looks like they may stay there for ever.
As I use my own resolver, the only look up the router does is ntp.plus.net. Also that look up is done when the router is booting up and before the internet is up, this may explain why it's in my list.
Why are all those names in your list, do they indicate past dns issues?
@Anotherone
Sorry I missed your above post, don't know how. 

Matt knows what's going on here and will update us

On my TG582n I just get this
{admin}=>dns server debug spoof list
Spoof IP          FQDN                        Real IP          Flags
198.18.1.1      acs.plus.net                212.159.8.52
{admin}=>dns server debug spoof update
{admin}=>dns server debug spoof list
Spoof IP          FQDN                        Real IP          Flags
198.18.1.1      acs.plus.net                212.159.8.52
{admin}=>
BUT - I don't use the DNS server on the router as I have it set up on the computers

It's not acting as a poxy server is it?

You can turn WANDownSpoofing off.

Quote from: jelv

It's not acting as a poxy server is it?

Is that a reflection on the Plusnet servers or the rubbish router 

Quote from: SuperZoom

You can turn WANDownSpoofing off.

dns server config WANDownSpoofing=disabled

Quote from: Oldjim

BUT - I don't use the DNS server on the router as I have it set up on the computers

The routers uses it's own dns client, which in turn will use PN's dns, for looking up such things as time servers, cwmp servers etc..
I'm guessing acs.plus.net is their cwmp server (mother ship   ) 

You are spot on there I reckon with the ACS npr.

Quote from: npr

I'm guessing names get on that list when they don't resolve, looks like they may stay there for ever. As I use my own resolver, the only look up the router does is ntp.plus.net. Also that look up is done when the router is booting up and before the internet is up, this may explain why it's in my list. Why are all those names in your list, do they indicate past dns issues?

They definitely get on the list when they don't resolve, there's even one more been added between last nights post and earlier today, when there was a failed look up, not sure why it occurred, I did notice a page didn't load first time - just one of those odd events that seem difficult to track.
I think they do stay there for ever, but because of the limited cache size? only the last 32 are there. Most of those were from the circa 15 minutes last night as far as I can tell.

Quote from: Oldjim

Quote from: jelv It's not acting as a poxy server is it? Is that a reflection on the Plusnet servers or the rubbish router

Absolutely no comment

Quote from: Kelly

Matt knows what's going on here and will update us

Look forward to his input Kelly, thanks.

Question (not given it any thought yet) - How might one tell if it's the Router dns client failing, or Plusnet's DNS servers?

@npr
Thinking of running the CLI command <dns server config domain=lan syslog=enabled> which presumably would get some timestamps on these in the future in the Event log.
I wish I knew how many entries each log was limited to and whether it could be increased!
Edit: typo in CLI command