Strange behavior in 192.168.1.1 DNS requests / AC86U

John Henry

I have an 86U running Merlin, Diversion, Stubby, and Skynet plus two 68Us on AIMesh. In my Diversion reports, I've noticed that 192.168.1.1 calls Trendmicro, firmware updates, etc. as expected, but it also calls several known spam sites - and always at 7:26AM. I've done hard resets on the 86 and the two 68s and I'm still getting the hits.

I'm not expert enough in networking to know if there could be other hardware in the network that would somehow be sending these requests through the 192.168.1.1 address instead of its own. Otherwise, is it possible there's a hack inside the router that's not cleared by a factory reset? Any other suggestions?

Sorry for what's probably an amateur and/or poorly phrased question - I'm picking all this up as I go.

DNSMasq log example:
May 27 07:26:59 dnsmasq[30986]: query[A] f.catalyst-resources.com from 192.168.1.1
May 27 07:26:59 dnsmasq[30986]: forwarded f.catalyst-resources.com to 127.0.0.1
May 27 07:26:59 dnsmasq[30986]: query[AAAA] f.catalyst-resources.com from 192.168.1.1
May 27 07:26:59 dnsmasq[30986]: forwarded f.catalyst-resources.com to 127.0.0.1
May 27 07:26:59 dnsmasq[30986]: query[A] stats.zdb2bmail.com from 192.168.1.1
May 27 07:26:59 dnsmasq[30986]: forwarded stats.zdb2bmail.com to 127.0.0.1
May 27 07:26:59 dnsmasq[30986]: query[AAAA] stats.zdb2bmail.com from 192.168.1.1
May 27 07:26:59 dnsmasq[30986]: forwarded stats.zdb2bmail.com to 127.0.0.1
May 27 07:26:59 dnsmasq[30986]: query[A] udmserve.net from 192.168.1.1

Diversion report:

192.168.1.1, Name-N/A:
--------------------------------------------------------
1712 rgom10-en.url.trendmicro.com
376 ipapi.co
28 ipinfo.io
14 google.com
12 raw.githubusercontent.com
10 fwupdate.asuswrt-merlin.net
10 RT-AC86U-3970
8 ntd-asus-2014b-en-cfg.fbs20.trendmicro.com
8 iplists.firehol.org
4 www.cloudflare.com
4 v.vfgtb.com blacklisted
4 us.pool.ntp.org
4 udmserve.net blocked
4 time.nist.gov
 
What makes you think these requests are originating from the router and not a device on your LAN?

That was really my question - could it be somewhere else on the LAN and just showing as originating on 192.168.1.1. I assume it's from the router since the logs list these sites as originating address from 192.168.1.1 and all other traffic is attributed to the various devices' assigned IP. The only traffic coming from 192.168.1.1 in the logs are the expected Trendmicro, Diversion, Skynet, and FW update requests plus these weird spam site requests.
 
What is your WAN DNS setup? If using Stubby the forwarding would be to 127.0.1.1. Have you set Tools / Other Settings page “Wan: Use local caching DNS server as system resolver (default: No)” to Yes?
 
It's set to no. Assume you're suggesting changing it to yes?
No, it’s better to leave it as No. But it doesn’t explain why queries are coming from 192.168.1.1. What is in the WAN DNS server 1 and 2 fields? I hope you don’t put 192.168.1.1 in there.

Connect to DNS server automatically is set to No and the server fields 1 and 2 are blank

That would explain a lot of unexpected problems since that isn't a valid configuration. Either set it back to Yes to use the ISP's DNS or put a reliable public DNS service in there. Then let's see where we're at.

Unfortunately the behavior continued this morning after making these changes... all spam site requests still originating from 192.168.1.1. Any other thoughts? Is there a sense of whether these are originating from the router or a device on the system?
 
John is likely right. Skynet will update its list at 25 past the hour at a randomly assigned hour when you install. Run cru l to list the cron jobs (that's an ell not a one).

I'd also like to see the output of these commands to better understand your DNS setup. I'm bothered that queries appear to come from 192.168.1.1 and it's forwarding to 127.0.0.1. Are you running the built-in Stubby or the old Stubby-Installer script?
Code:
cat /etc/resolv.conf
cat /tmp/resolv.dnsmasq
cat /tmp/resolv.conf
grep "^server" /etc/dnsmasq.conf

There doesn't seem to be a correlation to when Skynet/Diversion update and the hits. I installed Stubby through the amtm Entware installer - which I assume is the built in installer?


XX@RT-AC86U-3970:/tmp/home/root# cat /etc/resolv.conf
nameserver 192.168.1.1
XX@RT-AC86U-3970:/tmp/home/root# cat /tmp/resolv.dnsmasq
server=192.168.1.1
XX@RT-AC86U-3970:/tmp/home/root# cat /tmp/resolv.conf
nameserver 192.168.1.1
XX@RT-AC86U-3970:/tmp/home/root# grep "^server" /etc/dnsmasq.conf
servers-file=/tmp/resolv.dnsmasq
server=127.0.0.1#5453
server=0::1#5453
server=/pool.ntp.org/1.1.1.1
XX@RT-AC86U-3970:/tmp/home/root#

Ok, making more sense now. The old Stubby Installer is obsolete now that Stubby is built into the firmware as DNS Privacy on the WAN page. So you really should uninstall it via the script and enable DNS Privacy in the GUI. The hacks required for the old script are no longer necessary. The queries are coming from the router for now. Once you fix the Stubby “concern” you won’t see them in dnsmasq.log anymore (but they’ll still be occurring directly to the WAN DNS servers which I believe the Stubby script sets to Cloudflare on uninstall).
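The two checks this thread works through by hand, attributing dnsmasq.log queries to a client and reading the router's own resolver chain, as an added Python example. This is not code from the thread, Asuswrt-Merlin, Diversion or Stubby. The log lines and the resolver/dnsmasq config text are the ones pasted in the thread; the LAN client 192.168.1.23 and its google.com query are constructed for contrast, and the router's LAN address is assumed to be 192.168.1.1 as in the thread.

```python
"""Triage for 'who is asking?' in a dnsmasq query log, plus a read of the
router's own resolver chain.  Added example for this thread, not code from
the forum, Asuswrt-Merlin, Diversion or Stubby."""
import re
from collections import defaultdict

# Constructed sample: the dnsmasq.log lines quoted in the first post, plus one
# constructed LAN-client query (192.168.1.23) for contrast.
SAMPLE_LOG = """\
May 27 07:26:59 dnsmasq[30986]: query[A] f.catalyst-resources.com from 192.168.1.1
May 27 07:26:59 dnsmasq[30986]: forwarded f.catalyst-resources.com to 127.0.0.1
May 27 07:26:59 dnsmasq[30986]: query[AAAA] f.catalyst-resources.com from 192.168.1.1
May 27 07:26:59 dnsmasq[30986]: forwarded f.catalyst-resources.com to 127.0.0.1
May 27 07:26:59 dnsmasq[30986]: query[A] stats.zdb2bmail.com from 192.168.1.1
May 27 07:26:59 dnsmasq[30986]: forwarded stats.zdb2bmail.com to 127.0.0.1
May 27 07:26:59 dnsmasq[30986]: query[AAAA] stats.zdb2bmail.com from 192.168.1.1
May 27 07:26:59 dnsmasq[30986]: forwarded stats.zdb2bmail.com to 127.0.0.1
May 27 07:26:59 dnsmasq[30986]: query[A] udmserve.net from 192.168.1.1
May 27 07:27:03 dnsmasq[30986]: query[A] google.com from 192.168.1.23
"""

# dnsmasq logs the client address only on query[...] lines; 'forwarded',
# 'reply' and 'cached' lines carry no source and are skipped by this pattern.
QUERY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) dnsmasq\[\d+\]: "
    r"query\[(?P<qtype>[A-Z]+)\] (?P<name>\S+) from (?P<src>\S+)$"
)

def parse_queries(text):
    """Yield (timestamp, qtype, name, source) for each query[...] line."""
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if m:
            yield m.group("ts"), m.group("qtype"), m.group("name"), m.group("src")

def names_by_source(text):
    """Distinct queried names per client address: the per-client view the
    Diversion report summarises, recomputed from the raw log."""
    out = defaultdict(set)
    for _, _, name, src in parse_queries(text):
        out[src].add(name)
    return {src: sorted(names) for src, names in out.items()}

def bursts(text, min_names=3):
    """(source, timestamp, count) where one client asked for >= min_names
    distinct names within the same logged second.  A scripted lookup (cron
    job, list updater, any automated process on that host) looks like this;
    interactive browsing rarely does."""
    seen = defaultdict(set)
    for ts, _, name, src in parse_queries(text):
        seen[(src, ts)].add(name)
    return sorted((src, ts, len(n)) for (src, ts), n in seen.items() if len(n) >= min_names)

# Constructed sample: the router's resolver files exactly as pasted in the thread.
ROUTER_LAN_IP = "192.168.1.1"
RESOLV_CONF = "nameserver 192.168.1.1\n"      # /etc/resolv.conf
RESOLV_DNSMASQ = "server=192.168.1.1\n"       # /tmp/resolv.dnsmasq (servers-file)
DNSMASQ_CONF = """\
servers-file=/tmp/resolv.dnsmasq
server=127.0.0.1#5453
server=0::1#5453
server=/pool.ntp.org/1.1.1.1
"""

def resolver_findings(lan_ip, resolv_conf, servers_file, dnsmasq_conf):
    """Describe how the router's own lookups will appear in dnsmasq.log.
    - If the OS resolver (/etc/resolv.conf) points at the router's LAN address,
      every lookup made by a process on the router enters dnsmasq as a client
      query and is logged 'from <lan_ip>', indistinguishable from a LAN host.
    - If dnsmasq's servers-file also lists that LAN address, dnsmasq is configured
      to forward to its own listening address; flag it.
    - List the non-domain-specific upstreams dnsmasq forwards to."""
    findings = []
    os_ns = [line.split()[1] for line in resolv_conf.splitlines()
             if line.startswith("nameserver")]
    if lan_ip in os_ns:
        findings.append(f"router processes resolve via {lan_ip}: "
                        f"their queries will be logged 'from {lan_ip}'")
    upstreams = []
    for src in (servers_file, dnsmasq_conf):
        for line in src.splitlines():
            # 'server=/domain/addr' routes one domain only; skip those here.
            if line.startswith("server=") and not line.startswith("server=/"):
                upstreams.append(line[len("server="):])
    if lan_ip in upstreams:
        findings.append(f"servers-file lists {lan_ip}, which is dnsmasq itself")
    findings.append("dnsmasq upstreams: " + ", ".join(upstreams))
    return findings

if __name__ == "__main__":
    for src, names in names_by_source(SAMPLE_LOG).items():
        print(src, names)
    print("bursts:", bursts(SAMPLE_LOG))
    for f in resolver_findings(ROUTER_LAN_IP, RESOLV_CONF, RESOLV_DNSMASQ, DNSMASQ_CONF):
        print("-", f)
```

Run against a real /tmp/dnsmasq.log the same way (read the file instead of SAMPLE_LOG); the burst report is the quick way to separate a scheduled job from a browsing device, and the resolver findings show why, with /etc/resolv.conf pointing at 192.168.1.1, nothing in the log can tell a router-originated lookup apart from a LAN host's.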