Firmware 8.0.2 phones home to Google every 10 seconds. WTF?

I ran an audit on a recently retired first generation Surf SOHO. Its WAN port was plugged into the LAN port of an MK3 Surf SOHO, which logged every outbound connection from the older router. Firmware on the old router is 8.0.2 with very few configuration changes. The old router phones home to Google at IP address 8.8.8.8 constantly. There are many strange things about this.

  1. Nothing is using the router. There are no attached clients.
  2. 8.8.8.8 is the Google DNS IP address, but the outbound contact is not UDP on port 53, but TCP to port 443.
  3. The source port is always 3111
  4. The TTL is always 1 or 2

I can think of no reason for the router to contact Google.

The WAN DNS is hard coded for OpenDNS (208.67.222.222 and 220.220). The Health check is once a minute (not every 10 seconds).
The Health check is using DNS to Cloudflare (1.1.1.1 and 1.0.0.1).

The outbound connections come in pairs, two seconds apart. The pairs are spaced out 10 seconds apart. The first one of the pair has a TTL of 1, the second one has a TTL of 2.

Here is a single pair of log events in full:

Mar 19 23:34:18 Allowed CONN=lan MAC=00:1a:dd:00:28:00:00:1a:dd:f9:8a:a1:08:00 SRC=192.168.1.190 DST=8.8.8.8 LEN=44 TOS=0x00 PREC=0x00 TTL=2 ID=9479 PROTO=TCP SPT=3111 DPT=443 WINDOW=0 RES=0x00 SYN URGP=0 MARK=0x2

Mar 19 23:34:16 Allowed CONN=lan MAC=00:1a:dd:00:28:00:00:1a:dd:f9:8a:a1:08:00 SRC=192.168.1.190 DST=8.8.8.8 LEN=44 TOS=0x00 PREC=0x00 TTL=1 ID=50409 PROTO=TCP SPT=3111 DPT=443 WINDOW=0 RES=0x00 SYN URGP=0 MARK=0x2

Here is a brief audit of the timing along with the ID values from the Event Log. The ID is the only thing that varies.

Mar 19 23:34:05 ID=32467
Mar 19 23:34:03 ID=17779
Mar 19 23:33:55 ID=17517
Mar 19 23:33:53 ID=18869
Mar 19 23:33:43 ID=29126
Mar 19 23:33:41 ID=53812
Mar 19 23:33:30 ID=14165
Mar 19 23:33:28 ID=49417
Mar 19 23:33:20 ID=48734
Mar 19 23:33:18 ID=8141
Mar 19 23:33:08 ID=47422
Mar 19 23:33:06 ID=61094
Mar 19 23:32:55 ID=62556
Mar 19 23:32:53 ID=62876
Mar 19 23:32:43 ID=10324
Mar 19 23:32:41 ID=11690
Mar 19 23:32:31 ID=17948
Mar 19 23:32:29 ID=51223
Mar 19 23:32:20 ID=26179
Mar 19 23:32:18 ID=15262
Mar 19 23:32:10 ID=60414
Mar 19 23:32:08 ID=54843
Mar 19 23:31:58 ID=43684
Mar 19 23:31:56 ID=10044
Mar 19 23:31:47 ID=32068
Mar 19 23:31:45 ID=37523
Mar 19 23:31:37 ID=44475
Mar 19 23:31:35 ID=55878
Mar 19 23:31:25 ID=27042
Mar 19 23:31:23 ID=62921
Mar 19 23:31:13 ID=45239
Mar 19 23:31:11 ID=41725
Mar 19 23:31:00 ID=57899
Mar 19 23:30:58 ID=47116
Mar 19 23:30:48 ID=56758
Mar 19 23:30:46 ID=9117
Mar 19 23:30:38 ID=20177
Mar 19 23:30:36 ID=14072
Mar 19 23:30:27 ID=44333
Mar 19 23:30:25 ID=35933
Mar 19 23:30:17 ID=15442
Mar 19 23:30:15 ID=45761
Mar 19 23:30:07 ID=44234
Mar 19 23:30:05 ID=23395
Mar 19 23:29:54 ID=38116
Mar 19 23:29:52 ID=31681

Is this DoH or DoT? If so, why?
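The pattern described in the post (same source port, SYNs to 8.8.8.8:443, TTL 1 then TTL 2 two seconds apart, pairs repeating roughly every 10 seconds) is easy to pick out mechanically from the MK3's event log. The script below is an added example, not code from the post or from Peplink: it parses log lines in the format shown above, groups SYNs by flow, and separates TTL-limited periodic probe pairs from ordinary client traffic. The sample input reuses the format of the two logged lines plus constructed lines (the year is assumed, since the log carries none, and the "normal client" line uses a documentation IP address, 203.0.113.10, chosen for the example).

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log: three probe pairs in the format shown in the post
# (times 23:33:53/55, 23:34:03/05, 23:34:16/18 from the audit list) and one
# ordinary client HTTPS SYN with a normal TTL that must NOT be flagged.
SAMPLE_LOG = """\
Mar 19 23:33:53 Allowed CONN=lan MAC=00:1a:dd:00:28:00:00:1a:dd:f9:8a:a1:08:00 SRC=192.168.1.190 DST=8.8.8.8 LEN=44 TOS=0x00 PREC=0x00 TTL=1 ID=18869 PROTO=TCP SPT=3111 DPT=443 WINDOW=0 RES=0x00 SYN URGP=0 MARK=0x2
Mar 19 23:33:55 Allowed CONN=lan MAC=00:1a:dd:00:28:00:00:1a:dd:f9:8a:a1:08:00 SRC=192.168.1.190 DST=8.8.8.8 LEN=44 TOS=0x00 PREC=0x00 TTL=2 ID=17517 PROTO=TCP SPT=3111 DPT=443 WINDOW=0 RES=0x00 SYN URGP=0 MARK=0x2
Mar 19 23:34:03 Allowed CONN=lan MAC=00:1a:dd:00:28:00:00:1a:dd:f9:8a:a1:08:00 SRC=192.168.1.190 DST=8.8.8.8 LEN=44 TOS=0x00 PREC=0x00 TTL=1 ID=17779 PROTO=TCP SPT=3111 DPT=443 WINDOW=0 RES=0x00 SYN URGP=0 MARK=0x2
Mar 19 23:34:05 Allowed CONN=lan MAC=00:1a:dd:00:28:00:00:1a:dd:f9:8a:a1:08:00 SRC=192.168.1.190 DST=8.8.8.8 LEN=44 TOS=0x00 PREC=0x00 TTL=2 ID=32467 PROTO=TCP SPT=3111 DPT=443 WINDOW=0 RES=0x00 SYN URGP=0 MARK=0x2
Mar 19 23:34:10 Allowed CONN=lan MAC=00:1a:dd:00:28:00:00:1a:dd:f9:8a:a1:08:00 SRC=192.168.1.50 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1234 PROTO=TCP SPT=51234 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0 MARK=0x2
Mar 19 23:34:16 Allowed CONN=lan MAC=00:1a:dd:00:28:00:00:1a:dd:f9:8a:a1:08:00 SRC=192.168.1.190 DST=8.8.8.8 LEN=44 TOS=0x00 PREC=0x00 TTL=1 ID=50409 PROTO=TCP SPT=3111 DPT=443 WINDOW=0 RES=0x00 SYN URGP=0 MARK=0x2
Mar 19 23:34:18 Allowed CONN=lan MAC=00:1a:dd:00:28:00:00:1a:dd:f9:8a:a1:08:00 SRC=192.168.1.190 DST=8.8.8.8 LEN=44 TOS=0x00 PREC=0x00 TTL=2 ID=9479 PROTO=TCP SPT=3111 DPT=443 WINDOW=0 RES=0x00 SYN URGP=0 MARK=0x2
"""

# "Mon DD HH:MM:SS <action> <key=value tokens and bare flags such as SYN>"
LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<action>\S+) (?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Parse one event-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    fields = dict(KV_RE.findall(rest))
    return {
        # The log has no year; strptime defaults to 1900, which is fine for deltas.
        "ts": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"),
        "action": m.group("action"),
        "syn": "SYN" in rest.split(),          # bare flag token, not key=value
        "SRC": fields.get("SRC"),
        "DST": fields.get("DST"),
        "PROTO": fields.get("PROTO"),
        "TTL": int(fields.get("TTL", 0)),
        "SPT": int(fields.get("SPT", 0)),
        "DPT": int(fields.get("DPT", 0)),
    }


def find_probe_pairs(events, pair_gap=2.0, tol=1.0):
    """Return (t1, t2) tuples where a TTL=1 SYN is followed ~pair_gap seconds later by a TTL=2 SYN."""
    evs = sorted(events, key=lambda e: e["ts"])
    pairs = []
    for a, b in zip(evs, evs[1:]):
        if a["TTL"] == 1 and b["TTL"] == 2:
            delta = (b["ts"] - a["ts"]).total_seconds()
            if abs(delta - pair_gap) <= tol:
                pairs.append((a["ts"], b["ts"]))
    return pairs


def classify_flows(lines, min_pairs=2, period=(8.0, 15.0)):
    """Group SYNs by (SRC, DST, SPT, DPT) and label each flow.

    A flow is a 'ttl-limited latency probe' when every packet has TTL <= 2 and
    the TTL-1/TTL-2 pairs recur with a start-to-start gap inside `period`
    (the post observed roughly 10 seconds, drifting up to 13).
    """
    flows = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["PROTO"] == "TCP" and ev["syn"]:
            flows[(ev["SRC"], ev["DST"], ev["SPT"], ev["DPT"])].append(ev)

    report = {}
    for key, evs in flows.items():
        pairs = find_probe_pairs(evs)
        gaps = [(p2[0] - p1[0]).total_seconds() for p1, p2 in zip(pairs, pairs[1:])]
        periodic = len(pairs) >= min_pairs and all(period[0] <= g <= period[1] for g in gaps)
        low_ttl = all(e["TTL"] <= 2 for e in evs)
        if periodic and low_ttl:
            verdict = "ttl-limited latency probe"
        elif low_ttl:
            verdict = "low-ttl, aperiodic"   # worth a look, but not this pattern
        else:
            verdict = "normal"
        report[key] = {"packets": len(evs), "pairs": len(pairs), "gaps": gaps, "verdict": verdict}
    return report


if __name__ == "__main__":
    for flow, info in classify_flows(SAMPLE_LOG.splitlines()).items():
        src, dst, spt, dpt = flow
        print(f"{src}:{spt} -> {dst}:{dpt}  packets={info['packets']} pairs={info['pairs']} "
              f"gaps={info['gaps']}  => {info['verdict']}")
```

The TTL check is the part that matters for triage: a TTL of 1 or 2 cannot reach 8.8.8.8, so these SYNs die at the first or second hop upstream and only the ICMP time-exceeded replies come back. That is consistent with a hop-latency probe and inconsistent with DoH or DoT, which would need a full TCP handshake with TTL high enough to reach the destination. The "low-ttl, aperiodic" bucket exists so that anything that matches the TTL shape but not the timing is still surfaced rather than silently treated as normal.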

Hi,

Those packets are used to measure WAN’s latency:


Thanks Kenny.
So this would be unnecessary on a Surf SOHO as it only handles one WAN connection at a time?
Is there anything we can change about this behavior?

At this moment, you can disable latency checking by:

  1. In Outbound Policy, set the “Default” rule to any algorithm other than “Lowest Latency” and “Auto” (Auto is Lowest Latency for Surf SOHO).
  2. In WAN Setting page, do not select any WAN for “WAN Quality Monitoring”:

Will do. Thanks.


Where is the Outbound Policy? I could not find it. Is this not a thing on the Surf SOHO since it only handles one WAN connection at a time?

Disabling just the WAN Quality Monitoring has stopped these outbound requests. Thanks.

Yes, you are right.

Glad to hear that!