Two DNS requests to amazonaws every 30 seconds since installing AIMesh

Does your router have a domain? Does bifrost.home.arpa (or whatever your domain is) work? Is the lack of dots a factor?
 
I had the same thought you did after my last post. My local domain is indeed .home.arpa, and trying bifrost.home.arpa:8443 via browser doesn't connect at all.
 
Might not be a security issue after all. For some reason the router fails to properly parse it to extract the port when using that name versus when using the original router name:

Code:
Jul 16 17:03:46 debug: host_name: gtaxe16000:8443 - host_name_temp: gtaxe16000
Jul 16 17:04:09 debug: host_name: bifrost:8443 - host_name_temp: bifrost:8443
 
The router calls ParseIPv4OrIPv6() on your hostname, and it fails to detect "bifrost" as being a hostname and considers it to be an IP.

The simplest workaround on your end is within your local host file, add a FQDN for it. I.e.:

Code:
192.168.50.1 bifrost bifrost.mylonely.lan

Then if you use https://bifrost.mylonely.lan:8443 it will properly be detected as a hostname, and get correctly parsed.

I can probably protect ParseIPv4OrIPv6() by checking first if the string is devoid of any dot and bracket (an IPv6 would be enclosed in brackets), in which case I would process it as a hostname. That wouldn't be 100% foolproof, but a proper fix would probably require the lengthy ParseIPv4OrIPv6() function to be reworked - not something I'm really keen on attacking myself.
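As an added example (not code from this thread, from Merlin, or from the Asus firmware), here is a standalone host:port splitter in C that takes the guard described above one step further: instead of looking for dots and brackets, it treats the host part as an address literal only when inet_pton() actually accepts it, and classifies everything else, dotted or single-label, as a hostname. The names parse_host_port, host_kind_of and host_port_of are my own and are not the firmware's ParseIPv4OrIPv6(); the code assumes a POSIX inet_pton() and the sample Host values in main() are constructed (the first two are the ones from the debug log quoted earlier).

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum host_kind { HP_HOSTNAME = 0, HP_IPV4 = 1, HP_IPV6 = 2 };

struct host_port {
    char host[256]; /* host part, brackets stripped */
    int  port;      /* -1 when no port was given */
    int  kind;      /* enum host_kind */
};

/* Split "host", "host:port", "1.2.3.4:port" or "[v6]:port". Returns 0 on success,
 * -1 on malformed input. The host part counts as an address literal only if
 * inet_pton() accepts it; anything else, dotted or not, is a hostname, so a
 * single label such as "bifrost" can never be mistaken for an IP. */
int parse_host_port(const char *in, struct host_port *out)
{
    const char *host_start, *host_end, *port_str = NULL;
    unsigned char addrbuf[16];
    int bracketed = 0;
    size_t len;

    out->host[0] = '\0'; out->port = -1; out->kind = -1;
    if (in == NULL || *in == '\0')
        return -1;

    if (*in == '[') {
        /* Brackets are the only place a ':' may legitimately sit inside the host. */
        const char *close = strchr(in, ']');
        if (close == NULL)
            return -1;
        host_start = in + 1;
        host_end = close;
        if (close[1] == ':')
            port_str = close + 2;
        else if (close[1] != '\0')
            return -1;
        bracketed = 1;
    } else {
        /* Unbracketed: a colon can only be the port separator; a second colon
         * means a bare IPv6 literal or junk and is rejected rather than guessed at. */
        const char *colon = strchr(in, ':');
        host_start = in;
        host_end = colon ? colon : in + strlen(in);
        if (colon) {
            if (strchr(colon + 1, ':'))
                return -1;
            port_str = colon + 1;
        }
    }

    len = (size_t)(host_end - host_start);
    if (len == 0 || len >= sizeof(out->host))
        return -1;
    memcpy(out->host, host_start, len);
    out->host[len] = '\0';

    if (bracketed) {
        if (inet_pton(AF_INET6, out->host, addrbuf) != 1)
            return -1;
        out->kind = HP_IPV6;
    } else if (inet_pton(AF_INET, out->host, addrbuf) == 1) {
        out->kind = HP_IPV4;
    } else {
        out->kind = HP_HOSTNAME;
    }

    if (port_str) {
        char *end = (char *)port_str;
        long p = isdigit((unsigned char)*port_str) ? strtol(port_str, &end, 10) : 0;
        if (p < 1 || p > 65535 || *end != '\0')
            return -1;
        out->port = (int)p;
    }
    return 0;
}

/* Single-value wrappers: kind (or -1 on error) and port (or -2 on error). */
int host_kind_of(const char *in) { struct host_port hp; return parse_host_port(in, &hp) == 0 ? hp.kind : -1; }
int host_port_of(const char *in) { struct host_port hp; return parse_host_port(in, &hp) == 0 ? hp.port : -2; }

int main(void)
{
    /* Constructed sample Host values; the first two are the ones from the debug log. */
    const char *samples[] = { "gtaxe16000:8443", "bifrost:8443", "bifrost.home.arpa:8443",
                              "192.168.50.1:8443", "[fd00::1]:8443", "fd00::1:8443", "bifrost:" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct host_port hp;
        if (parse_host_port(samples[i], &hp) == 0)
            printf("%-24s host=%s kind=%d port=%d\n", samples[i], hp.host, hp.kind, hp.port);
        else
            printf("%-24s rejected\n", samples[i]);
    }
    return 0;
}
```

The design choice worth noting is the failure mode: an unbracketed value with two colons ("fd00::1:8443") is refused rather than split on a guess, because accepting it means choosing between "host fd00, port ::1:8443" and "host fd00::1, port 8443" with no way to know which the client meant. Bracketed IPv6 with a port is the only unambiguous form, which is why the thread's parsing problem only shows up for hostnames.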
 
So I just tried that, and it fails certificate check and drops down to port 80. So, yeah, looks like I'll have to explicitly add bifrost.home.arpa to my certificate to make that work. And since I had to remake it recently and the process is fresh in my mind, and I'm quite curious if this'll actually *work* (meaning system status page doesn't break), let me go ahead and try that. For the science.
 
Does it receive the :8443 and consider the colon to be part of an IPv6 address?
No, because it deals fine with gtaxe16000:8443.
So I just tried that, and it fails certificate check and drops down to port 80.
That is a browser issue. With a regular browser (Chrome or Firefox), you can tell it to accept the certificate anyway, and it should not try to switch you to a different port.
 

Sigh. Merlin, if you're taking requests... could you just make the router do a service restart_httpd after importing a new certificate? I mean, couldn't Asus just assume that would be an obviously necessary part of the process? Either you have to ssh in and run that manually or wait like half an hour for it to restart on its own; otherwise it keeps serving up the old cert. Took me like 20 minutes to figure out why it wasn't taking. The whole cert import process is painful enough for most people without having that idiocy confusing the hell out of them. Bet it would reduce complaints/questions on that topic a lot.

Anyway. So, yes, if you have bifrost.home.arpa in the certificate AND you pull it up via bifrost.home.arpa:8443, it does parse correctly, and the status page works. Still can't do bifrost:8443 though.
 
could you just make the router do a service restart_httpd after importing a new certificate?
It does that, but only after you log out, to limit disruptions.

Code:
        else if (!strcmp(script, "prepare_cert")) {
                int r;

                r = prepare_cert_in_etc();
                if (r > 0) {
                        /* Load new certification after the current session logout. */
                        nvram_set("httpds_reload_cert", "2");
#if defined(RTCONFIG_IPV6)
                        if (ipv6_enabled() && nvram_match("misc_http_x", "1")) {
                                nvram_set("httpds6_reload_cert", "2");
                        }
#endif
                }
        }

It probably also does it this way so it can validate the certificate before reloading it.
 
This should take care of most cases of incorrectly detected IPs.


I had a look at potentially rewriting ParseIPv4OrIPv6(), but too many chances of something else breaking along the way.
Did you figure out why gtaxe16000:8443 was OK but not bifrost:8443? Was it the digits before the colon?
 
No idea. ParseIPv4OrIPv6() is so long and complicated that I didn't bother trying to understand where it failed. I doubt that was it though, because I use "stargate" on my primary router.
 

Good to know about logging out triggering httpd restart. I was shutting down all tabs browsing to my router, but didn't think to explicitly log out. And thanks for taking care of this weird bifrost parsing issue.

Now to return to the OP topic - do you have any insight on what awsiot actually does? Like what features it enables/is used for? It seems like it was engaged in a whole lot of communication for a feature that I wasn't even using, or at least whose absence I am not missing. I was able to resolve it by declining Asus privacy permissions because I'm not using any of the features that enables, but seems to me other users who do want those features won't have that option, and there could be at least some efficiency gains (not to mention privacy/security gains) in making the run of that service conditional on... well, whatever it's actually needed for actually being used.

Given the aws link, I'm *guessing* it's just for Alexa controlling IoT devices. I'd think plenty of people who want *a* feature that requires Asus privacy permissions aren't necessarily running Alexa and all that awsiot traffic isn't necessary for them.
 
It's not just for Alexa. I know that it's related to the Tencent game accelerator feature among other things, but I don't know anything more - I've never looked into it. I think it's also tied to a future cloud-based router management plan that they seem to have.
 
