Firmware/Router Causes Excessive and Unwanted DNS Queries to www.wordpress.com

RT-X3000 running 388.2_2
I have Nextdns.io configured and have been seeing excessive connections to wordpress.com, specifically www.wordpress.com.
In the System logs I do find:
dnsmasq[2243]: possible DNS-rebind attack detected: wordpress.com
But there are no active connections to www.wordpress.com (192.0.78.13)
  • To better isolate it, I disabled all Wi-Fi and had no LAN connections, leaving the router by itself.
  • Monitoring the NextDNS logs for this profile (a profile for this router/device only), it logs www.wordpress.com attempts (which I blocked) every SECOND, two attempts.
I then power off the router, and monitor nextdns logs via cell connection on mobile
No more connection attempts to www.wordpress.com

Two Issues here:
  1. Why does the firmware (this does not happen with Asus stock firmware) attempt to connect to www.wordpress.com TWICE every second?
  2. A grave security issue is why does the system or active connection log NOT display connections from the router? Specifically this traffic?
Rant:
  • Seems like a real sketchy activity
  • Searched the source (on github) for any calls to www.wordpress.com, could find none
  • WTH is going on with that??
Anyone have an idea?
I have been tracking this down for a few weeks and finally found the time to just disable everything on the AP and do some testing.
I am updating to RT-AX58U_3004_388.4_0.zip and will see if that has any changes regarding this traffic.
 
Why does the firmware (this does not happen with Asus stock firmware) attempt to connect to www.wordpress.com TWICE every second?
Nothing in the firmware does. Unless you installed something on the router that does, this most likely comes from a client on your network.

A grave security issue is why does the system or active connection log NOT display connections from the router? Specifically this traffic?
A DNS query does not imply an active connection. It's just that - a query to resolve the IP address of the hostname.
 
RT-X3000 running 388.2_2
I have Nextdns.io configured and have been seeing excessive connections to wordpress.com, specifically www.wordpress.com.
In the System logs I do find:
Sometimes these rebind attacks are false positives... search these forums on what command you can use to ignore these "attacks".

  1. A grave security issue is why does the system or active connection log NOT display connections from the router? Specifically this traffic?
You could give RTRMON a shot... it will display the top 10 inbound/outbound connections...

Rant:

  • Seems like a real sketchy activity
Or a false positive. For me, I kept getting these attacks for Plex Media services... but I am running a plex server on the network.
 
Checked logs at NextDNS: every 5 seconds, 2 attempts, 12 a minute. WTF is going on???
Updated to 388.4, issue still persists.
Is it trying to contact it for some Gravatar icon or something? The Merlin graphic?

How has no one ever seen this before? Talk about chatty!
 
Checked logs at NextDNS: every 5 seconds, 2 attempts, 12 a minute. WTF is going on???
Updated to 388.4, issue still persists.
Is it trying to contact it for some Gravatar icon or something? The Merlin graphic?

How has no one ever seen this before? Talk about chatty!
Have you actually read my reply?
 
The device is NAT'ed behind a Carrier Grade NAT. A rebind attempt against a NAT'ed IP is very, very unlikely.
This is a stock install of Merlin; there are no hacks on the router, no modifications, only configuration from the UI.
I could understand it if a client was involved. Wi-Fi disabled, zero LAN connections, the router isolated by itself generates the traffic.
"Ignoring" the attacks doesn't reduce the actual traffic, at every 5 seconds, twice per instance.
Asus stock firmware does not cause the traffic, which also pokes holes in the "attack" vector.
 
Sometimes these rebind attacks are false positives... search these forums on what command you can use to ignore these "attacks".


You could give RTRMON a shot... it will display the top 10 inbound/outbound connections...


Or a false positive. For me, I kept getting these attacks for Plex Media services... but I am running a plex server on the network.
I will look at RTRMON.
I could expect a false positive from a client, but with no clients connected, wifi off, and no lan connections, it seems totally internal to the device.
 
Posted before I refreshed, answered in my next post.
Did you read my post? "most likely comes from a client on your network."
I articulated there are no clients connected.
The word "wordpress" doesn't exist in the firmware code, outside of in a dropdown menu on the Network Analysis page where you can manually run a ping/traceroute to it.

Code:
merlin@ubuntu-dev:~/amng/release/src/router$ grep wordpress * -rs
dnsmasq/contrib/Solaris10/README-sparc:http://ejesconsulting.wordpress.com/2010/05/12/gnu-dnsmasq-for-opensolaris-sparc/
ffmpeg/libavcodec/texturedspenc.c:     * fgiesen.wordpress.com/2009/12/15/dxt5-alpha-block-index-determination */
samba-3.5.8/docs-xml/manpages-3/vfs_smb_traffic_analyzer.8.xml:    http://holger123.wordpress.com/smb-traffic-analyzer/
samba-3.5.8/docs/htmldocs/manpages/vfs_smb_traffic_analyzer.8.html:    http://holger123.wordpress.com/smb-traffic-analyzer/
samba-3.6.x_opwrt/source/docs/htmldocs/manpages/vfs_smb_traffic_analyzer.8.html:    http://holger123.wordpress.com/smb-traffic-analyzer/
samba-3.6.x_opwrt/source/docs-xml/manpages-3/vfs_smb_traffic_analyzer.8.xml:    http://holger123.wordpress.com/smb-traffic-analyzer/
samba-3.6.x_opwrt/source/WHATSNEW.txt:http://holger123.wordpress.com/smb-traffic-analyzer/
tor/doc/HACKING/CodingStandards.md:complexities](https://randomascii.wordpress.com/2012/04/05/floating-point-complexities/).
tor/doc/HACKING/CodingStandards.md:point](https://randomascii.wordpress.com/category/floating-point/) is
www/sysdep/FUNCTION/ROG_UI/Main_Analysis_Content.asp:        ["Яндекс", "www.yandex.ru"], ["WordPress", "www.wordpress.com"], ["ВКонтакте", "www.vk.com"]
www/Main_Analysis_Content.asp:        ["Яндекс", "www.yandex.ru"], ["WordPress", "www.wordpress.com"], ["ВКонтакте", "www.vk.com"]
merlin@ubuntu-dev:~/amng/release/src/router$
 
Posted before I refreshed, answered in my next post.
Did you read my post? "most likely comes from a client on your network."
I articulated there are no clients connected.
 
I will look at RTRMON.
I could expect a false positive from a client, but with no clients connected, wifi off, and no lan connections, it seems totally internal to the device.
Do you have AiProtection enabled by chance?
 
The word "wordpress" doesn't exist in the firmware code, outside of in a dropdown menu on the Network Analysis page where you can manually run a ping/traceroute to it.

Code:
www/sysdep/FUNCTION/ROG_UI/Main_Analysis_Content.asp:        ["Яндекс", "www.yandex.ru"], ["WordPress", "www.wordpress.com"], ["ВКонтакте", "www.vk.com"]
www/Main_Analysis_Content.asp:        ["Яндекс", "www.yandex.ru"], ["WordPress", "www.wordpress.com"], ["ВКонтакте", "www.vk.com"]
merlin@ubuntu-dev:~/amng/release/src/router$
Snip

I agree with you, it was the second bullet point in my Rant.

This is why I took the time to post, as this is not behavior or traffic I would expect, as I searched the code and found nothing other than the dropdown either.

I have tested going back to Asus Stock and the traffic is not there.

Not sure what else to dig at outside of RTRMON
 
Whole bunch of lines in the log (of the traffic)
[attached screenshot of the log: 1692661327452.png]
 
At one time www.wordpress.com was one of the possible targets for Network Monitoring. Go to Administration - System > Network Monitoring, tick Ping and choose www.google.com. Apply that change and see if the wordpress queries stop.
Thank you. That was it.
I honestly don't remember enabling that. I unchecked Ping and DNS Query.
The DNS query seems to happen every 5 seconds when Ping is enabled (the DNS query is not to wordpress.com, but to a different domain).
The DNS query seems to happen every 1 min when Ping is DISABLED.

This solves the problem. Thank you for leading me to that trail.
If I enabled it, I simply don't remember.

Still strange that the router itself does not show an active connection, or anything in connection log.
Also the dns-rebind for that function is strange.
 
Still strange that the router itself does not show an active connection, or anything in connection log.
That's because there never was any. The DNS query was sent to NextDNS, which returned a private IP, causing the ping packet to never be sent, as the router never knew what the wordpress.com IP was. Even if it did tho, there would still not be any connection, because it would only have sent an ICMP packet to it. ICMP does not establish a connection, unlike TCP.
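To make the mechanism in the reply above concrete, here is an added example (not code from the thread, the firmware, or dnsmasq itself) that approximates what dnsmasq's rebind check does: an upstream answer for a public name that lands in a private, loopback or link-local range is rejected and logged as a "possible DNS-rebind attack", so the ping never has an address to send to. The range list, the `rebind-domain-ok`-style allowlist matching, and the sample syslog lines are all constructed for illustration; the exact set of ranges dnsmasq uses may differ.

```python
import ipaddress
import re
from collections import Counter

# Approximation of the ranges a --stop-dns-rebind check rejects when they show up
# in an upstream answer (RFC 1918, loopback, link-local, IPv6 ULA). This is an
# illustration of the idea, not dnsmasq's exact list.
REBIND_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]


def looks_like_rebind(answer: str) -> bool:
    """True if an upstream answer lands in a range a rebind check would reject."""
    ip = ipaddress.ip_address(answer)
    # IPv4-mapped IPv6 answers are judged by the embedded IPv4 address.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in REBIND_RANGES)


def in_allowlist(name: str, allowlist) -> bool:
    """rebind-domain-ok semantics: the listed domain and all its subdomains are exempt."""
    name = name.rstrip(".").lower()
    return any(name == d or name.endswith("." + d)
               for d in (x.rstrip(".").lower() for x in allowlist))


def classify_answer(name: str, answer: str, allowlist=()) -> str:
    """'allowed' if exempted, 'rebind' if the answer would be rejected, else 'ok'."""
    if in_allowlist(name, allowlist):
        return "allowed"
    if looks_like_rebind(answer):
        return "rebind"
    return "ok"


# Matches the warning the router's syslog showed in this thread.
LOG_RE = re.compile(r"dnsmasq\[\d+\]: possible DNS-rebind attack detected: (\S+)")


def rebind_warnings(lines) -> Counter:
    """Count dnsmasq rebind warnings per domain from a list of syslog lines."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


# Constructed sample syslog lines (timestamps and PIDs are made up).
SAMPLE_LOG = [
    "Aug 21 19:02:07 dnsmasq[2243]: possible DNS-rebind attack detected: wordpress.com",
    "Aug 21 19:02:12 dnsmasq[2243]: possible DNS-rebind attack detected: wordpress.com",
    "Aug 21 19:02:12 dnsmasq[2243]: possible DNS-rebind attack detected: plex.direct",
    "Aug 21 19:02:13 dnsmasq[2243]: using nameserver 127.0.0.1#5342",
]

if __name__ == "__main__":
    # Constructed: a blocking resolver returning a private address for a public name.
    print(classify_answer("www.wordpress.com", "192.168.1.1"))               # rebind
    print(classify_answer("www.wordpress.com", "192.0.78.13"))               # ok
    print(classify_answer("host.plex.direct", "10.0.0.5", ["plex.direct"]))  # allowed
    print(rebind_warnings(SAMPLE_LOG))  # Counter({'wordpress.com': 2, 'plex.direct': 1})
```

The "allowed" path is what the earlier suggestion to ignore these warnings amounts to: dnsmasq's `rebind-domain-ok=/example.com/` option exempts that domain and its subdomains from the check (on Asus-Merlin, custom dnsmasq directives go in /jffs/configs/dnsmasq.conf.add). That silences the log line; it does not stop the monitor from issuing the query in the first place, which is why turning off Network Monitoring was the actual fix here.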
 
'Cause, ya know, ICMP is not a connection... right?
Since RMerlin is the dev, then riddle me this: I disabled "Network Monitoring", neither DNS nor Ping is checked.
The router is still trying to contact wordpress.com.

Colin, thanks for the link and for actually taking the time to provide useful information.
 