DoT setup: some traffic over port 53 (trend micro.com)


Chuckles67

Regular Contributor
Using Asus AC66U-B1 with Merlin 384.17.

WAN > DoT setup using the DNS Privacy wiki to Cloudflare DNS servers; LAN > DNSFilter set to "Router" with no Client List entries. I'm using AiProtection/Trend Micro to enable Adaptive QoS with FreshJR script installed.

Using tcpdump to inspect traffic on WAN: I'm seeing very occasional traffic on port 53 to what looks like trend micro servers. Is this normal or expected router traffic?

Code:
[email protected]_B1-8300:/tmp/home/root# tcpdump -i eth0 -p port 53 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
14:19:35.509133 IP XX.XX.XXX.XXX.43971 > 1.1.1.1.53: 162+ AAAA? ntd-asus-2014b-en.fbs20.trendmicro.com. (56)
14:19:35.520725 IP 1.1.1.1.53 > XX.XX.XXX.XXX.43971: 162 5/0/0 CNAME gslb6.fbs.trendmicro.com.akadns.net., CNAME aws-prod.fbs25.trendmicro.com., CNAME fbs.prod.spn.a1q7.net., AAAA 2600:1f14:9ae:ce03:f74d:285f:a674:b444, AAAA 2600:1f14:9ae:ce01:f2f5:3a2f:1503:883e (260)
14:19:35.521151 IP XX.XX.XXX.XXX.59361 > 1.1.1.1.53: 163+ AAAA? gslb6.fbs.trendmicro.com.akadns.net. (53)
14:19:35.531077 IP 1.1.1.1.53 > XX.XX.XXX.XXX.59361: 163 4/0/0 CNAME aws-prod.fbs25.trendmicro.com., CNAME fbs.prod.spn.a1q7.net., AAAA 2600:1f14:9ae:ce01:f2f5:3a2f:1503:883e, AAAA 2600:1f14:9ae:ce03:f74d:285f:a674:b444 (219)
14:19:35.531500 IP XX.XX.XXX.XXX.56413 > 1.1.1.1.53: 164+ AAAA? aws-prod.fbs25.trendmicro.com. (47)
14:19:35.542301 IP 1.1.1.1.53 > XX.XX.XXX.XXX.56413: 164 3/0/0 CNAME fbs.prod.spn.a1q7.net., AAAA 2600:1f14:9ae:ce01:f2f5:3a2f:1503:883e, AAAA 2600:1f14:9ae:ce03:f74d:285f:a674:b444 (167)
14:19:35.542754 IP XX.XX.XXX.XXX.34718 > 1.1.1.1.53: 165+ AAAA? fbs.prod.spn.a1q7.net. (39)
14:19:35.553718 IP 1.1.1.1.53 > XX.XX.XXX.XXX.34718: 165 2/0/0 AAAA 2600:1f14:9ae:ce03:f74d:285f:a674:b444, AAAA 2600:1f14:9ae:ce01:f2f5:3a2f:1503:883e (116)
14:19:35.554582 IP XX.XX.XXX.XXX.37235 > 1.1.1.1.53: 166+ A? ntd-asus-2014b-en.fbs20.trendmicro.com. (56)
14:19:35.568129 IP 1.1.1.1.53 > XX.XX.XXX.XXX.37235: 166 5/0/0 CNAME gslb6.fbs.trendmicro.com.akadns.net., CNAME aws-prod.fbs25.trendmicro.com., CNAME fbs.prod.spn.a1q7.net., A 44.233.111.149, A 44.233.140.104 (236)
14:19:35.866671 IP XX.XX.XXX.XXX.41884 > 1.1.1.1.53: 167+ AAAA? ntd-asus-2014b-en.fbs20.trendmicro.com. (56)
14:19:35.882494 IP 1.1.1.1.53 > XX.XX.XXX.XXX.41884: 167 5/0/0 CNAME gslb6.fbs.trendmicro.com.akadns.net., CNAME aws-prod.fbs25.trendmicro.com., CNAME fbs.prod.spn.a1q7.net., AAAA 2600:1f14:9ae:ce03:f74d:285f:a674:b444, AAAA 2600:1f14:9ae:ce01:f2f5:3a2f:1503:883e (260)
14:19:35.883264 IP XX.XX.XXX.XXX.37231 > 1.1.1.1.53: 168+ AAAA? gslb6.fbs.trendmicro.com.akadns.net. (53)
14:19:35.893925 IP 1.1.1.1.53 > XX.XX.XXX.XXX.37231: 168 4/0/0 CNAME aws-prod.fbs25.trendmicro.com., CNAME fbs.prod.spn.a1q7.net., AAAA 2600:1f14:9ae:ce01:f2f5:3a2f:1503:883e, AAAA 2600:1f14:9ae:ce03:f74d:285f:a674:b444 (219)
14:19:35.894578 IP XX.XX.XXX.XXX.49116 > 1.1.1.1.53: 169+ AAAA? aws-prod.fbs25.trendmicro.com. (47)
14:19:35.906899 IP 1.1.1.1.53 > XX.XX.XXX.XXX.49116: 169 3/0/0 CNAME fbs.prod.spn.a1q7.net., AAAA 2600:1f14:9ae:ce03:f74d:285f:a674:b444, AAAA 2600:1f14:9ae:ce01:f2f5:3a2f:1503:883e (167)
14:19:35.907465 IP XX.XX.XXX.XXX.51696 > 1.1.1.1.53: 170+ AAAA? fbs.prod.spn.a1q7.net. (39)
14:19:35.918196 IP 1.1.1.1.53 > XX.XX.XXX.XXX.51696: 170 2/0/0 AAAA 2600:1f14:9ae:ce01:f2f5:3a2f:1503:883e, AAAA 2600:1f14:9ae:ce03:f74d:285f:a674:b444 (116)
14:19:35.918997 IP XX.XX.XXX.XXX.55353 > 1.1.1.1.53: 171+ A? ntd-asus-2014b-en.fbs20.trendmicro.com. (56)
14:19:35.930381 IP 1.1.1.1.53 > XX.XX.XXX.XXX.55353: 171 5/0/0 CNAME gslb6.fbs.trendmicro.com.akadns.net., CNAME aws-prod.fbs25.trendmicro.com., CNAME fbs.prod.spn.a1q7.net., A 44.233.140.104, A 44.233.111.149 (236)

(XX.XX.XXX.XXX is my WAN IP)
 

ColinTaylor

Part of the Furniture
Using tcpdump to inspect traffic on WAN: I'm seeing very occasional traffic on port 53 to what looks like trend micro servers. Is this normal or expected router traffic?
Yes. In the recommended configuration LAN clients use DoT but the router still uses normal DNS (otherwise it may fail to boot properly).
 

JJohnson1988

Occasional Visitor
It's only the AiProtection feature that does this (at least from what I've noticed). Since I don't need this feature to contact the Trend Micro servers, I was able to stop these non-DoT requests by setting the WAN DNS server to 192.168.50.1. This way DoT continues to work properly and the request over port 53 never actually happens.
 

dave14305

Part of the Furniture
It's only the AiProtection feature that does this (at least from what I've noticed). Since I don't need this feature to contact the Trend Micro servers, I was able to stop these non-DoT requests by setting the WAN DNS server to 192.168.50.1. This way DoT continues to work properly and the request over port 53 never actually happens.
It’s probably better to set Tools / Other Settings page “Wan: Use local caching DNS server as system resolver” to Yes instead of misusing the WAN DNS fields.
 
