AIProtection blocking DNS from Synology

davidology

Occasional Visitor
I'm using my Synology NAS as my DNS server. Unfortunately, AIProtection is blocking many DNS queries. It's not all DNS queries, mind you, but a number of them.

I have an RT-AC5300 (although I had this same, exact problem with my RT-AC87U). Using 380.60beta2.

Has anyone experienced this? Can you shed any light? Unfortunately, AI Protection has so few options, there's not much of an opportunity to reconfigure it to tell it to ignore this. I've already set it up in DNS to let this MAC address use whatever DNS it wants, but to no avail.

The 208.67.222.222 is OpenDNS's server. I'll get the same error no matter what external DNS I use.

Event number : 1
Alert type : Vulnerability Protection
Rule ID : 1130172
Source : (00:11:32:XX:XX:XX)
Destination : 208.67.222.222

1130172 2016-07-24 17:13:41 00:11:32:XX:XX:XX UDP port 4432 is attacking 208.67.222.222 UDP port 53 ,this action has been blocked.
 
Don't run AIProtection if you're running a caching DNS server outside of the router, e.g. on another LAN element - it assumes that the Router is running the DNS, and intercepts from there...

Design issue, and one key reason why I don't run Broadcom SDK routers as my ingress routers any more...
 
> Don't run AIProtection if you're running a caching DNS server outside of the router, e.g. on another LAN element - it assumes that the Router is running the DNS, and intercepts from there...
>
> Design issue, and one key reason why I don't run Broadcom SDK routers as my ingress routers any more...

What does Broadcom SDK have to do with Trend Micro's AiProtection?
 
> ...
>
> Has anyone experienced this? ...


Yes, I have on very rare occasions. I use a Raspberry Pi as a malicious-domain-blocking DNS server and I have seen this, e.g.

1130172 2016-07-10 23:04:05 XX:XX:XX:5F:F9:12 UDP port 11526 is attacking 208.67.222.222 UDP port 53 ,this action has been blocked.


And I might see 4 or 5 such messages in a bunch and then nothing at all for several months.

It gives me a warm feeling that AIProtection is keeping a watchful eye out and I don't take the message literally - i.e. my Raspberry Pi hasn't "gone rogue". I don't know what causes it, but, I don't worry about it, especially now that I know someone else has seen it.
 
> Yes, I have on very rare occasions. I use a Raspberry Pi as a malicious-domain-blocking DNS server and I have seen this, e.g.
>
> 1130172 2016-07-10 23:04:05 XX:XX:XX:5F:F9:12 UDP port 11526 is attacking 208.67.222.222 UDP port 53 ,this action has been blocked.
>
> And I might see 4 or 5 such messages in a bunch and then nothing at all for several months.
>
> It gives me a warm feeling that AIProtection is keeping a watchful eye out and I don't take the message literally - i.e. my Raspberry Pi hasn't "gone rogue". I don't know what causes it, but, I don't worry about it, especially now that I know someone else has seen it.

I wish mine were that infrequent. Mine are almost constant. As best I can tell from looking at my DNS server logs, it seems to occur when a lot of DNS lookups occur at once. It noticeably slows down DNS resolution in some instances.
 
> ... it seems to occur when a lot of DNS lookups occur at once. ...

Maybe that's the answer: perhaps AIProtection crudely interprets a high rate of DNS lookups as a denial of service attack. Some websites trigger links to literally dozens of other domains (advertisements, trackers and a lot worse). Possibly the reason I get so few of these messages is due to my Pi's blocking most of these secondary domains. You probably know there are apps/programs that list these other domains. You don't have any "ad blocking" in your DNS server then?
 
> What does Broadcom SDK have to do with Trend Micro's AiProtection?

The baseline broadcom (white box) assumes that the DNS services specified in the WAN connection when configured as NAT are the primary DNS servers - so dnsmasq pushes these out to the clients when they request a DHCP lease - it's easy enough to work around, specify DNS in the client itself to override, but then one runs into interesting things with hairpins and third party apps bundled.

For most, it's desired behavior considering the use-case and target market...but things can and do get interesting when trying to host an internal DNS server when clients are configured by DHCP...
 
> The baseline broadcom (white box) assumes that the DNS services specified in the WAN connection when configured as NAT are the primary DNS servers - so dnsmasq pushes these out to the clients when they request a DHCP lease - it's easy enough to work around, specify DNS in the client itself to override, but then one runs into interesting things with hairpins and third party apps bundled.
>
> For most, it's desired behavior considering the use-case and target market...but things can and do get interesting when trying to host an internal DNS server when clients are configured by DHCP...

This has absolutely nothing to do with AiProtection...

Your description is incorrect as well. Asuswrt's DHCP pushes the router's own IP to clients, not the WAN name servers. Dnsmasq runs as a caching nameserver on the router, like quite a few Linux distros do nowadays.
 
> Your description is incorrect as well. Asuswrt's DHCP pushes the router's own IP to clients, not the WAN name servers. Dnsmasq runs as a caching nameserver on the router, like quite a few Linux distros do nowadays.

One of the problems with the internet and web forums is sometimes the context of the post is lost ;)

AsusWRT behaves like the SDK with regards to DNS settings and the like - Broadcom made that change a long time ago - the challenge with AsusWRT and perhaps other builds based on the SDK is that they're dependent on that behavior for many of the vertical features that OEMs add to the SDK.

Even on the Broadcom SDK (of which there are two: one is board bringup, which most folks have never seen as it's OEM only, and the other I'll call "router in a box", which is used once HW dev bringup is done).

The "Router in a Box" version - one can still go under the hood and modify NVRAM and configuration files, but it likely will not be reflected in the WebGUI - and depending on what's changed, the WebGUI will either revert those changes or cause serious breakage.

Part of the problem is that it's all script based - and not API based, which makes integration with 3rd party SW/HW a major problem (Quantenna anyone?)...

I'm not complaining - just making an observation...
 
> I wish mine were that infrequent. Mine are almost constant. As best I can tell from looking at my DNS server logs, it seems to occur when a lot of DNS lookups occur at once. It noticeably slows down DNS resolution in some instances.

In the past day, I've had these alerts by the hundreds - literally several hundred emails come through in an hour or so.

Since I first replied I upgraded to Windows 10, and it looks as if simply using the Edge browser is the cause. Is it possible that Edge is causing your problem?
 
> In the past day, I've had these alerts by the hundreds - literally several hundred emails come through in an hour or so.
>
> Since I first replied I upgraded to Windows 10, and it looks as if simply using the Edge browser is the cause. Is it possible that Edge is causing your problem?

Thanks for the lead. No, I've had the problem occur when I'm the only one on the network on Mac using Chrome. The problem seems to be that AI Protection can't distinguish between legitimate DNS queries. Since I'm running a server behind it, it doesn't seem as if it should block those queries unless they're regarding a blocked domain.

I have a trouble ticket in with ASUS that will hopefully lead to some resolution.
 
On the last test I ran - just opening Edge for a couple of minutes - I got some 1300 duplicate alert emails: they all listed the same 6 events - opening Edge 6 times - over 2 days. After a few hours it stopped and I rebooted the router for good measure.
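A small triage script for the alert format quoted in this thread, added here as an example (it is not from the thread, ASUS or Trend Micro). It parses the "is attacking ... ,this action has been blocked" lines, collapses repeated copies of one event (the duplicate-email problem), and counts how many distinct flagged lookups a host produced inside a short window, which is the number to look at when testing the "many lookups at once" hypothesis. The lines in SAMPLE are constructed from the two alerts quoted above, with the same masked MACs.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Alert line layout as AiProtection writes it (the two lines quoted in this thread).
ALERT_RE = re.compile(
    r"^(?P<rule>\d+) (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<src>[0-9A-Fa-fX:]{17}) "
    r"(?:TCP|UDP) port (?P<sport>\d+) is attacking (?P<dst>[\d.]+) "
    r"(?:TCP|UDP) port (?P<dport>\d+) ?,this action has been blocked\.?$"
)

def parse_alert(line):
    """Fields of one alert line as a dict, or None if the line is not an alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    f = m.groupdict()
    f["ts"] = datetime.strptime(f["ts"], "%Y-%m-%d %H:%M:%S")
    f["rule"], f["sport"], f["dport"] = int(f["rule"]), int(f["sport"]), int(f["dport"])
    return f

def dedupe(alerts):
    """Collapse repeated copies of one event (the duplicate-email problem); {event: copies}."""
    return Counter((a["rule"], a["ts"], a["src"], a["sport"], a["dst"], a["dport"]) for a in alerts)

def peak_rate(alerts, window_s=60):
    """Per (src MAC, dst IP, dst port): most distinct flagged flows inside any window_s seconds."""
    per_flow = defaultdict(set)
    for rule, ts, src, sport, dst, dport in dedupe(alerts):
        per_flow[(src, dst, dport)].add((ts, sport))
    peaks = {}
    for flow, events in per_flow.items():
        times = sorted(ts for ts, _ in events)
        best = start = 0
        for end, t in enumerate(times):  # sliding window over distinct events
            while (t - times[start]).total_seconds() > window_s:
                start += 1
            best = max(best, end - start + 1)
        peaks[flow] = best
    return peaks

# Constructed sample: the thread's two alerts (first one emailed twice) plus two more
# source ports from the same NAS within seconds of each other.
SAMPLE = """\
1130172 2016-07-24 17:13:41 00:11:32:XX:XX:XX UDP port 4432 is attacking 208.67.222.222 UDP port 53 ,this action has been blocked.
1130172 2016-07-24 17:13:41 00:11:32:XX:XX:XX UDP port 4432 is attacking 208.67.222.222 UDP port 53 ,this action has been blocked.
1130172 2016-07-24 17:13:42 00:11:32:XX:XX:XX UDP port 4501 is attacking 208.67.222.222 UDP port 53 ,this action has been blocked.
1130172 2016-07-24 17:13:43 00:11:32:XX:XX:XX UDP port 4577 is attacking 208.67.222.222 UDP port 53 ,this action has been blocked.
1130172 2016-07-10 23:04:05 XX:XX:XX:5F:F9:12 UDP port 11526 is attacking 208.67.222.222 UDP port 53 ,this action has been blocked.
"""
```

Paste the router's alert log or the bodies of the alert emails into SAMPLE; a host whose peak stays at one or two flows per minute while the emails number in the hundreds is a notification problem, not a DNS burst.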
 
I have a similar issue with my Synology DS-415+ and my router, but I'm pretty sure it's not DNS related:

https://forum.synology.com/enu/viewtopic.php?f=145&t=121875

Since installing the AC-88U I constantly get AIProtection vulnerability messages but it's always port 8080 doing the attacking in my case!

Tried to log a support ticket with Synology - Numpties made me wait over a week to just turn around (and didn't even bother to login to my NAS) and state they won't support my NAS as it has sabnzbd installed - lol!

btw I'm on stock latest firmware - not Merlin's...
 
I've updated my post bud - might want to take a look.
I even performed a full reset on the NAS and still getting the same issue.
 
Had to rebuild my NAS from scratch as Synology weren't interested until I got rid of third party software (sabnzbd in this case).
Full rebuild yesterday and still getting the same reports from AIProtection on my router.
Also left wireshark running overnight and provided logs to Synology who are now investigating......

This might help with your DNS issue though bud: https://forum.pfsense.org/index.php?topic=117611.0
 