How do I find the domains this TV App is Using?


ComputerSteve

So I am trying to use X3MRouting to route just Optimum (Altice's) through my WAN, and right now I have gotten as far as using this command:
sh /jffs/scripts/x3mRouting/x3mRouting.sh 1 0 ALTICE autoscan=optimum,altice,cablevision
This adds 12 domains to the IPSET, but these domains still do not allow the Altice One App to bypass the VPN. I want to know how I can monitor a device's DNS queries while selecting the app to see what domains it's trying to connect to. Is there a way to do that?
 
It's sometimes a black art identifying the IPs/Domain names, but @Xentrk included some auxiliary scripts to assist

e.g. (screenshot attachment: 1653981963935.png)

and also suggested additional investigative methods
 
Thanks =) will try to do it this way. Is it possible that only AS numbers work and an app isn't using domains? Meaning I can get this to bypass if I use asnum=AS6128. I can't, however, figure out how to get it to bypass using autoscan=akamai,altice,optimum,edgekey,optonline ... These are all noted in the DNSMasq log while I am opening and using the app, but they don't work for allowing it to bypass the VPN.
 
While this may work.... I wouldn't do it this way as you'll pick up all the other junk passing through the detection script from other devices on the network. Using something a bit more specific like Pihole which logs the DNS queries per IP would narrow things down considerably. Usually there's isolated traffic from a streaming device / service that's truly needed. The perks of this method would be keeping out the ads servers and telemetry to collect data on your use of the services. Also, you can typically find DNS lists by searching for them.

If you don't want to do it that way and the app is installable on a PC you can run some netstat commands to pick up the traffic.

Code:
C:\Windows\system32>netstat -tnlp

Displays protocol statistics and current TCP/IP network connections.

NETSTAT [-a] [-b] [-e] [-f] [-i] [-n] [-o] [-p proto] [-r] [-s] [-t] [-x] [-y] [interval]

  -a            Displays all connections and listening ports.
  -b            Displays the executable involved in creating each connection or
                listening port. In some cases well-known executables host
                multiple independent components, and in these cases the
                sequence of components involved in creating the connection
                or listening port is displayed. In this case the executable
                name is in [] at the bottom, on top is the component it called,
                and so forth until TCP/IP was reached. Note that this option
                can be time-consuming and will fail unless you have sufficient
                permissions.
  -e            Displays Ethernet statistics. This may be combined with the -s
                option.
  -f            Displays Fully Qualified Domain Names (FQDN) for foreign
                addresses.
  -i            Displays the time spent by a TCP connection in its current state.
  -n            Displays addresses and port numbers in numerical form.
  -o            Displays the owning process ID associated with each connection.
  -p proto      Shows connections for the protocol specified by proto; proto
                may be any of: TCP, UDP, TCPv6, or UDPv6.  If used with the -s
                option to display per-protocol statistics, proto may be any of:
                IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, or UDPv6.
  -q            Displays all connections, listening ports, and bound
                nonlistening TCP ports. Bound nonlistening ports may or may not
                be associated with an active connection.
  -r            Displays the routing table.
  -s            Displays per-protocol statistics.  By default, statistics are
                shown for IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, and UDPv6;
                the -p option may be used to specify a subset of the default.
  -t            Displays the current connection offload state.
  -x            Displays NetworkDirect connections, listeners, and shared
                endpoints.
  -y            Displays the TCP connection template for all connections.
                Cannot be combined with the other options.
  interval      Redisplays selected statistics, pausing interval seconds
                between each display.  Press CTRL+C to stop redisplaying
                statistics.  If omitted, netstat will print the current
                configuration information once.

Code:
C:\Windows\system32>netstat -tbf

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.0.170:54023    a23-47-50-244.deploy.static.akamaitechnologies.com:https  ESTABLISHED
 [chrome.exe]
  TCP    192.168.0.170:54500    a23-47-50-244.deploy.static.akamaitechnologies.com:https  TIME_WAIT
  TCP    192.168.0.170:54559    edge-msgr-latest-shv-02-dfw5.facebook.com:https  ESTABLISHED
 [chrome.exe]
  TCP    192.168.0.170:54597    pi.hole:http           ESTABLISHED
 [chrome.exe]
  TCP    192.168.0.170:54614    a23-47-50-244.deploy.static.akamaitechnologies.com:https  ESTABLISHED
 [chrome.exe]
  TCP    192.168.0.170:54615    rr-in-f188.1e100.net:5228  ESTABLISHED

So, with the -tbf you get the program using the connection and the domain destination.

I'm not sure how the script mentioned above is adding the domains but, you can do a wildcard entry with regex or if you cat the entries on the router you should be able to figure out how to add domains specific to the app rather than using a shotgun approach allowing domains to bypass the VPN that may leak other info not related to the app.

Sometimes switching VPN servers makes a difference as well. Sometimes sites block traffic from specific IP's due to someone using it to attack the site or they use a blocklist that collects VPN IP's to force a bypass to get access to content. I have a couple of banks that do this and I just make a spreadsheet to know which server to connect to to access that particular bank when needed. Every once in awhile I'll find a server that's permitted by both banks that use a blocklist but, usually one VPN server allows access to one or the other.
 
I always use dnsmasq method and it works fine. If you have dnsmasq logging, you can probably ssh into your router and run tail -f /opt/var/log/dnsmasq.log | grep <host_ip>. Replace <host_ip> with your TV apps device host IP then run your TV apps to see what domains are used.
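
An added example, not part of the original post: one way to turn the dnsmasq query log described above into a per-client list of names. The function names and the sample log lines are constructed for illustration; only the log path and line format come from the thread.

```shell
#!/bin/sh
# Added example: summarise which names ONE client asked dnsmasq for.
# Function names and sample data are constructed, not from the thread.

# client_queries CLIENT_IP  (dnsmasq log lines on stdin)
# Prints "<count> <name>" for every name queried by exactly that client.
client_queries() {
    awk -v ip="$1" '
        # Query lines look like:
        #   May 31 13:01:17 dnsmasq[6225]: query[A] name from 192.168.1.20
        # Compare the client field exactly: "grep 192.168.1.20" would also
        # match 192.168.1.200, and lines with a missing client are skipped.
        $5 ~ /^query\[/ && $7 == "from" && $8 == ip { count[tolower($6)]++ }
        END { for (n in count) print count[n], n }
    ' | LC_ALL=C sort -k2
}

# client_zones CLIENT_IP  (dnsmasq log lines on stdin)
# Collapses names to their last two labels. This is a naive assumption:
# it is wrong for suffixes such as co.uk, so treat it as a first pass.
client_zones() {
    client_queries "$1" | awk '
        { n = split($2, l, "."); z = (n >= 2) ? l[n-1] "." l[n] : $2
          c[z] += $1 }
        END { for (z in c) print c[z], z }
    ' | LC_ALL=C sort -k2
}

# Constructed sample input in the same format as the log shown in the thread.
sample_log() {
    cat <<'EOF'
May 31 13:01:17 dnsmasq[6225]: query[A] mdc.ott.example.net from 192.168.1.20
May 31 13:01:17 dnsmasq[6225]: query[type=65] mdc.ott.example.net from 192.168.1.20
May 31 13:01:18 dnsmasq[6225]: query[A] live4.tv.example.org from 192.168.1.20
May 31 13:01:18 dnsmasq[6225]: query[A] ads.example.com from 192.168.1.200
May 31 13:01:18 dnsmasq[6225]: forwarded live4.tv.example.org to 9.9.9.9
May 31 13:01:19 dnsmasq[6225]: query[A] cdn.example.net from 192.168.1.20
May 31 13:01:19 dnsmasq[6225]: query[type=65] truncated.example.org from
EOF
}

# On the router, after using the app for a minute:
#   client_queries 192.168.1.20 < /opt/var/log/dnsmasq.log
```

Because the totals are printed only once the input ends, run it against the saved log rather than piping `tail -f` into it.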

 
Tail -f is another option if you want to monitor it from the router. I think it's probably easier from the PC / MAC itself though to find the domains.

It would be easier to just exempt by IP of the device though to permit the TV programming to pass through. Since you're using the app on different devices I can see the domain option being preferred. Most of the traffic though should be coming from one TLD like optimum.com or whatever they're using and regex permitting that should cover everything.
 
Yeah I tried I'm doing an auto scan sh /jffs/scripts/x3mRouting/x3mRouting.sh 1 0 ALTICE autoscan=akamai,altice,alticeusa,optimum,edgekey,optonline,apple-dns,omtrdc,akamaiedge .. It doesn't work lol meaning only if I use the asnum=AS6128 does it work. I see the domains coming up in the TAIL -f

these come up with the app --
May 31 13:01:17 dnsmasq[6225]: query[A] seed-siri-apple-com.v.aaplimg.com from 192.168.1.20
May 31 13:01:17 dnsmasq[6225]: query[type=65] uts-api.itunes.apple.com from 192.168.1.20
May 31 13:01:17 dnsmasq[6225]: query[A] uts-api.itunes.apple.com from 192.168.1.20
May 31 13:01:17 dnsmasq[6225]: query[type=65] a1956.dscb.akamai.net from 192.168.1.20
May 31 13:01:17 dnsmasq[6225]: query[type=65] mdc.ott.alticeusa.net from 192.168.1.20
May 31 13:01:17 dnsmasq[6225]: query[A] mdc.ott.alticeusa.net from 192.168.1.20
May 31 13:01:17 dnsmasq[6225]: query[type=65] doh.dns.apple.com from 192.168.1.20
May 31 13:01:17 dnsmasq[6225]: query[A] doh.dns.apple.com from 192.168.1.20
May 31 13:01:17 dnsmasq[6225]: query[type=65] doh.dns.apple.com.v.aaplimg.com from 192.168.1.20
May 31 13:01:18 dnsmasq[6225]: query[type=65] live4.appletv.optimum.net from
May 31 13:01:26 dnsmasq[6225]: query[type=65] a1863.dscb.akamai.net from 192.168.1.20
May 31 13:02:23 dnsmasq[6225]: query[A] e17437.dsct.akamaiedge.net from 192.168.1.20
 
Needed:
aaplimg.com
aaple.com
alticeusa.net
optimum.net

optional:
akamai.net - https://bgp.he.net/search?search[search]=a1956.dscb.akamai.net&commit=Search // https://www.abuseipdb.com/whois/23.200.0.36
/11 CIDR = 2,097,088 IP's
akamaiedge.net - https://bgp.he.net/search?search[search]=e17437.dsct.akamaiedge.net&commit=Search // https://www.abuseipdb.com/whois/23.199.200.51
/11 CIDR = 2,097,088 IP's

The problem with the AS adds is you're adding them by CIDR within the AS vs the DNS name. This opens the potential for leaks enormously. 2M IP's is a bit excessive to allow for bypass. This is why you want some option to restrict it to the DNS name and not the AS. There's a couple of subnet / CIDR blocks I would absolutely refuse to grant access to due to their leasing to people not looking to help you but siphon data from your devices.

I would look into putting the TV devices into the DMZ instead of using the "tool" to permit a big chunk of the internet to come through the router.
 
You have a lot in your autoscan list already. Maybe need to try a few more times and see if you missed anything. Once you get it working can try to work out which one is not necessary. Recently my tv apps routed to WAN failed to load, it takes me many times to go through the dns logs to finally have to whitelist imasdk.googleapis.com for it to work.
 
It doesn't work using DNSMasq or Autoscan --- Both those methods result in the app saying I'm not on my home network / If I use the asnum=AS6128 it works.. I guess this app requires that way to function.
 
AS number covers a lot, and apparently covers what your TV apps needed. By right dnsmasq or autoscan should work too. The tough part is to find out which domains are missing from the dnsmasq or autoscan list.
 
I get that the issue I'm having with the AS number is every time I reboot the router the IPSET list it creates is 0 and I have to manually re-run the command sh /jffs/scripts/x3mRouting/x3mRouting.sh 1 0 ALTICE asnum=AS6128 -- is there a way to fix that?
 
I remember seeing this issue posted before. If I’m not mistaken it has something to do with the ASN lookup having limits. I could be wrong.
 
 
For instance on my server I do this:

Code:
# m h  dom mon dow   command
15 */6 * * *  root rsync -avxHAXW --delete-excluded / --exclude={"/backup/*","/dev/*","/proc/*","/sys/*","/tmp/*","/run/*","/mnt/*","/media/*","/lost+found"} /mnt/Storage/system

This runs the backup job to my Raid array every 6 hours starting at 15 minutes past the hour.

so for example cause I'm dumb with this lol if I wanted this to run this cron job everyday as you stated and I want it to run that command sh /jffs/scripts/x3mRouting/x3mRouting.sh 1 0 ALTICE asnum=AS6128 what do I do lol -- I'm sorry I'm just really learning all that and that looks really confusing.
 
