DoT setup: some traffic over port 53 (trend micro.com)

Discussion in 'Asuswrt-Merlin' started by Chuckles67, Jun 2, 2020.

  1. Chuckles67

    Chuckles67 Occasional Visitor

    Using Asus AC66U-B1 with Merlin 384.17.

    WAN > DoT setup using the DNS Privacy wiki to Cloudflare DNS servers; LAN > DNSFilter set to "Router" with no Client List entries. I'm using AiProtection/Trend Micro to enable Adaptive QoS with FreshJR script installed.

    Using tcpdump to inspect traffic on WAN: I'm seeing very occasional traffic on port 53 to what looks like Trend Micro servers. Is this normal or expected router traffic?

    Code:
    [email protected]_B1-8300:/tmp/home/root# tcpdump -i eth0 -p port 53 -n
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
    14:19:35.509133 IP XX.XX.XXX.XXX.43971 > 1.1.1.1.53: 162+ AAAA? ntd-asus-2014b-en.fbs20.trendmicro.com. (56)
    14:19:35.520725 IP 1.1.1.1.53 > XX.XX.XXX.XXX.43971: 162 5/0/0 CNAME gslb6.fbs.trendmicro.com.akadns.net., CNAME aws-prod.fbs25.trendmicro.com., CNAME fbs.prod.spn.a1q7.net., AAAA 2600:1f14:9ae:ce03:f74d:285f:a674:b444, AAAA 2600:1f14:9ae:ce01:f2f5:3a2f:1503:883e (260)
    14:19:35.521151 IP XX.XX.XXX.XXX.59361 > 1.1.1.1.53: 163+ AAAA? gslb6.fbs.trendmicro.com.akadns.net. (53)
    14:19:35.531077 IP 1.1.1.1.53 > XX.XX.XXX.XXX.59361: 163 4/0/0 CNAME aws-prod.fbs25.trendmicro.com., CNAME fbs.prod.spn.a1q7.net., AAAA 2600:1f14:9ae:ce01:f2f5:3a2f:1503:883e, AAAA 2600:1f14:9ae:ce03:f74d:285f:a674:b444 (219)
    14:19:35.531500 IP XX.XX.XXX.XXX.56413 > 1.1.1.1.53: 164+ AAAA? aws-prod.fbs25.trendmicro.com. (47)
    14:19:35.542301 IP 1.1.1.1.53 > XX.XX.XXX.XXX.56413: 164 3/0/0 CNAME fbs.prod.spn.a1q7.net., AAAA 2600:1f14:9ae:ce01:f2f5:3a2f:1503:883e, AAAA 2600:1f14:9ae:ce03:f74d:285f:a674:b444 (167)
    14:19:35.542754 IP XX.XX.XXX.XXX.34718 > 1.1.1.1.53: 165+ AAAA? fbs.prod.spn.a1q7.net. (39)
    14:19:35.553718 IP 1.1.1.1.53 > XX.XX.XXX.XXX.34718: 165 2/0/0 AAAA 2600:1f14:9ae:ce03:f74d:285f:a674:b444, AAAA 2600:1f14:9ae:ce01:f2f5:3a2f:1503:883e (116)
    14:19:35.554582 IP XX.XX.XXX.XXX.37235 > 1.1.1.1.53: 166+ A? ntd-asus-2014b-en.fbs20.trendmicro.com. (56)
    14:19:35.568129 IP 1.1.1.1.53 > XX.XX.XXX.XXX.37235: 166 5/0/0 CNAME gslb6.fbs.trendmicro.com.akadns.net., CNAME aws-prod.fbs25.trendmicro.com., CNAME fbs.prod.spn.a1q7.net., A 44.233.111.149, A 44.233.140.104 (236)
    14:19:35.866671 IP XX.XX.XXX.XXX.41884 > 1.1.1.1.53: 167+ AAAA? ntd-asus-2014b-en.fbs20.trendmicro.com. (56)
    14:19:35.882494 IP 1.1.1.1.53 > XX.XX.XXX.XXX.41884: 167 5/0/0 CNAME gslb6.fbs.trendmicro.com.akadns.net., CNAME aws-prod.fbs25.trendmicro.com., CNAME fbs.prod.spn.a1q7.net., AAAA 2600:1f14:9ae:ce03:f74d:285f:a674:b444, AAAA 2600:1f14:9ae:ce01:f2f5:3a2f:1503:883e (260)
    14:19:35.883264 IP XX.XX.XXX.XXX.37231 > 1.1.1.1.53: 168+ AAAA? gslb6.fbs.trendmicro.com.akadns.net. (53)
    14:19:35.893925 IP 1.1.1.1.53 > XX.XX.XXX.XXX.37231: 168 4/0/0 CNAME aws-prod.fbs25.trendmicro.com., CNAME fbs.prod.spn.a1q7.net., AAAA 2600:1f14:9ae:ce01:f2f5:3a2f:1503:883e, AAAA 2600:1f14:9ae:ce03:f74d:285f:a674:b444 (219)
    14:19:35.894578 IP XX.XX.XXX.XXX.49116 > 1.1.1.1.53: 169+ AAAA? aws-prod.fbs25.trendmicro.com. (47)
    14:19:35.906899 IP 1.1.1.1.53 > XX.XX.XXX.XXX.49116: 169 3/0/0 CNAME fbs.prod.spn.a1q7.net., AAAA 2600:1f14:9ae:ce03:f74d:285f:a674:b444, AAAA 2600:1f14:9ae:ce01:f2f5:3a2f:1503:883e (167)
    14:19:35.907465 IP XX.XX.XXX.XXX.51696 > 1.1.1.1.53: 170+ AAAA? fbs.prod.spn.a1q7.net. (39)
    14:19:35.918196 IP 1.1.1.1.53 > XX.XX.XXX.XXX.51696: 170 2/0/0 AAAA 2600:1f14:9ae:ce01:f2f5:3a2f:1503:883e, AAAA 2600:1f14:9ae:ce03:f74d:285f:a674:b444 (116)
    14:19:35.918997 IP XX.XX.XXX.XXX.55353 > 1.1.1.1.53: 171+ A? ntd-asus-2014b-en.fbs20.trendmicro.com. (56)
    14:19:35.930381 IP 1.1.1.1.53 > XX.XX.XXX.XXX.55353: 171 5/0/0 CNAME gslb6.fbs.trendmicro.com.akadns.net., CNAME aws-prod.fbs25.trendmicro.com., CNAME fbs.prod.spn.a1q7.net., A 44.233.140.104, A 44.233.111.149 (236)
    (XX.XX.XXX.XXX is my WAN IP)
     
    Last edited: Jun 2, 2020
  2. ColinTaylor

    ColinTaylor Part of the Furniture

    Yes. In the recommended configuration LAN clients use DoT but the router still uses normal DNS (otherwise it may fail to boot properly).
     
  3. Chuckles67

    Chuckles67 Occasional Visitor

    Thanks Colin.
     
  4. JJohnson1988

    JJohnson1988 Occasional Visitor

    It's only the AiProtection feature that does this (at least from what I've noticed). Since I don't need this feature to contact the Trend Micro servers, I was able to stop these non-DoT requests by setting the WAN DNS server to 192.168.50.1. This way DoT continues to work properly and the request over port 53 never actually happens.
     
  5. dave14305

    dave14305 Part of the Furniture

    It’s probably better to set Tools / Other Settings page “Wan: Use local caching DNS server as system resolver” to Yes instead of misusing the WAN DNS fields.
     
  6. JJohnson1988

    JJohnson1988 Occasional Visitor

    Joined:
    Dec 28, 2018
    Messages:
    14
    That's not a bad idea. I hadn't thought of that. Thanks.
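
To check whether a change like the ones discussed above actually stopped the router's own plaintext lookups, the `tcpdump -n` text output can be reduced to a per-name count of queries sent to port 53. This is an added example, not code from any poster in the thread; the function names, the `capture.txt` file name and the 192.0.2.10 WAN address in the sample lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: summarize plaintext DNS queries in `tcpdump -n` text output.
# Typical use (capture.txt is a hypothetical file holding saved tcpdump output):
#   plaintext_dns_summary < capture.txt
# An empty summary means no query left the WAN unencrypted during the capture.

plaintext_dns_summary() {
    awk '
    # Outgoing query line layout:
    #   <time> IP <src.port> > <resolver>.53: <id>+ <QTYPE>? <name>. (<len>)
    # Responses (source port 53) and DoT traffic (port 853) do not match.
    $4 == ">" && $5 ~ /[.]53:$/ && $7 ~ /[?]$/ {
        resolver = $5; sub(/[.]53:$/, "", resolver)   # strip ".53:"
        qtype = $7;    sub(/[?]$/, "", qtype)         # "AAAA?" -> "AAAA"
        name = $8;     sub(/[.]$/, "", name)          # drop trailing root dot
        seen[resolver " " qtype " " name]++
    }
    END { for (k in seen) print seen[k], k }
    ' | LC_ALL=C sort -k2
}

# Constructed sample input in the same format as the capture in the first post.
sample_capture() {
    cat <<'EOF'
14:19:35.509133 IP 192.0.2.10.43971 > 1.1.1.1.53: 162+ AAAA? ntd-asus-2014b-en.fbs20.trendmicro.com. (56)
14:19:35.520725 IP 1.1.1.1.53 > 192.0.2.10.43971: 162 2/0/0 AAAA 2001:db8::1, AAAA 2001:db8::2 (116)
14:19:35.554582 IP 192.0.2.10.37235 > 1.1.1.1.53: 166+ A? ntd-asus-2014b-en.fbs20.trendmicro.com. (56)
14:19:35.866671 IP 192.0.2.10.41884 > 1.1.1.1.53: 167+ AAAA? ntd-asus-2014b-en.fbs20.trendmicro.com. (56)
14:19:36.100000 IP 192.0.2.10.40112 > 1.1.1.1.853: Flags [P.], seq 1:120, ack 1, win 229, length 119
EOF
}

# Prints one line per (resolver, query type, name): "<count> <resolver> <type> <name>"
sample_capture | plaintext_dns_summary
```

Each output line names the resolver that received the cleartext query, so a name that still appears after the change is one the router is resolving outside the DoT path.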