Google DNS and firmware 8.2

I recently read about malware that uses Google DNS, so I decided to block both 8.8.8.8 and 8.8.4.4 with a firewall rule on a B20x firmware 8.2.0. The router is using DoH with Cloudflare, not sure if that is relevant.

Despite the firewall rule, I see traffic out the WAN port that pings 8.8.8.8. I also see traffic out the WAN port to TCP port 443 at 8.8.8.8. This traffic is detected by another Peplink router to which the B20x is connected.

GUESSES

  1. The traffic comes from a router client and the firewall rule is not working (it's a Grouped network)

  2. The traffic comes from the router itself. But, if so, should it not be using Cloudflare for DNS? Router is not doing Speed Fusion, if that matters.

  3. The traffic comes from the router doing WAN quality monitoring. But, it is disabled.

What Malware? Please provide a link.

Cyclops Blink malware running on Asus Routers

but it could be any malware. I have also seen a Roku box use Google DNS 8.8.8.8 rather than the DNS servers from the router.

Well, I’ll add #4 to your list. We recently observed a behavior where more than 600 DNS inquiries per hour were being made to 8.8.8.8 and 8.8.4.4 from the LAN-side of a B380. We never, ever use Google DNS except for benign health checks (e.g., one of the ping targets for Peplink routers to check this.) Upon further inquiry we learned that Wyze cams (not all – just some – inexplicably) were generating this traffic. We submitted a ticket to Wyze and were told they do this to determine if the cam is on-line. We followed up with more questions including “why some cameras and not others?” Wyze has not responded except to say “watch for a firmware update.” (We’re still watching …)

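Added example, not code from the thread or from Peplink: a small Python check that sorts flows to 8.8.8.8/8.8.4.4 by origin (LAN client vs. the router's own WAN address, which separates guesses 1 and 2 above) and by traffic type (DNS, ping, TCP 443), and counts hits per source so a chatty device like the Wyze cams described above stands out. It assumes constructed, pre-NAT flow records as the B20x itself would see them, an assumed LAN subnet of 192.168.50.0/24 and an assumed WAN address of 203.0.113.10.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Addresses the firewall rule in the thread is meant to block.
GOOGLE_DNS = {"8.8.8.8", "8.8.4.4"}

# Assumed values for this example: the router's LAN subnet and its WAN address.
LAN_SUBNET = ip_network("192.168.50.0/24")
ROUTER_WAN_IP = "203.0.113.10"

# Constructed flow records (src, dst, proto, dport), pre-NAT, so LAN clients
# still carry their private addresses and router-originated flows carry the WAN IP.
SAMPLE_FLOWS = [
    ("192.168.50.23", "8.8.8.8", "udp", 53),    # LAN host querying Google DNS
    ("192.168.50.23", "8.8.4.4", "udp", 53),
    ("192.168.50.23", "8.8.8.8", "udp", 53),
    ("203.0.113.10", "8.8.8.8", "icmp", None),  # ping from the router itself
    ("203.0.113.10", "8.8.8.8", "tcp", 443),    # HTTPS from the router itself
    ("192.168.50.7", "1.1.1.1", "tcp", 443),    # unrelated, ignored
]

def origin(src):
    """Classify the source: the router itself, a LAN client, or something else."""
    if src == ROUTER_WAN_IP:
        return "router-self"
    if ip_address(src) in LAN_SUBNET:
        return "lan-client"
    return "other"

def kind(proto, dport):
    """Label the traffic types mentioned in the thread: DNS, HTTPS (443) and ping."""
    if proto == "udp" and dport == 53:
        return "dns"
    if proto == "tcp" and dport == 443:
        return "https"
    if proto == "icmp":
        return "ping"
    return "%s/%s" % (proto, dport)

def google_dns_report(flows):
    """Count flows to Google DNS by (origin, kind) and by source host."""
    by_origin_kind = Counter()
    by_source = Counter()
    for src, dst, proto, dport in flows:
        if dst not in GOOGLE_DNS:
            continue
        by_origin_kind[(origin(src), kind(proto, dport))] += 1
        by_source[src] += 1
    return by_origin_kind, by_source

def noisy_sources(by_source, threshold):
    """Sources whose Google DNS hit count reaches the threshold (e.g. 600 per hour)."""
    return sorted(s for s, n in by_source.items() if n >= threshold)
```

Any "router-self" rows mean the router is reaching Google DNS on its own despite the DoH setting; "lan-client" rows point at a specific device to isolate or firewall.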

Are Wyze cams storing video locally or in the cloud? If local, I’d deny all internet access to and from.

Even if the video is stored locally, it might be that the control of the cameras requires the Internet. Still, I agree completely with your idea of blocking anything we can block especially with IoT devices.

Denying them access to the internet would be a very valuable strategy – if the owner did not want them to work (at all.)