Monitoring Surf Soho with web log of another router shows lots of incomprehensible activity

MichaelM · August 24, 2018, 10:38am

With the WAN port of the Surf Soho connected to a LAN port of a router that is connected to the internet, the web activity log of the latter shows a lot of Surf Soho activity related to names with the word invalid, those names being in the websites category of the web activity log. Here is a snippet.

Date Time IP Address Website
8/23/2018 10:35:54 AM 192.168.0.8 322854188.invalid
8/23/2018 10:35:54 AM 192.168.0.8 629350256.invalid
8/23/2018 10:35:49 AM 192.168.0.8 2048469942.invalid
8/23/2018 10:35:49 AM 192.168.0.8 666264133.invalid
8/23/2018 10:35:44 AM 192.168.0.8 1342872043.invalid
8/23/2018 10:35:43 AM 192.168.0.8 2112345503.invalid
8/23/2018 10:35:41 AM 192.168.0.8 0.pepwave.pool.ntp.org
8/23/2018 10:35:41 AM 192.168.0.8 0.pepwave.pool.ntp.org
8/23/2018 10:35:38 AM 192.168.0.8 1084633130.invalid
8/23/2018 10:35:38 AM 192.168.0.8 322217074.invalid
8/23/2018 10:35:33 AM 192.168.0.8 590729119.invalid
8/23/2018 10:35:33 AM 192.168.0.8 1970196260.invalid
8/23/2018 10:35:28 AM 192.168.0.8 1192230726.invalid
8/23/2018 10:35:28 AM 192.168.0.8 428423197.invalid
8/23/2018 10:35:23 AM 192.168.0.8 1830652844.invalid
8/23/2018 10:35:23 AM 192.168.0.8 322217074.invalid
8/23/2018 10:35:18 AM 192.168.0.8 232870725.invalid
8/23/2018 10:35:18 AM 192.168.0.8 1615480153.invalid
8/23/2018 10:35:13 AM 192.168.0.8 654320084.invalid
8/23/2018 10:35:13 AM 192.168.0.8 645902581.invalid
8/23/2018 10:35:08 AM 192.168.0.8 536499964.invalid
8/23/2018 10:35:08 AM 192.168.0.8 1912464825.invalid
8/23/2018 10:35:03 AM 192.168.0.8 203047243.invalid
8/23/2018 10:35:03 AM 192.168.0.8 1431308137.invalid
8/23/2018 10:34:58 AM 192.168.0.8 2002306086.invalid
8/23/2018 10:34:58 AM 192.168.0.8 1986095253.invalid
8/23/2018 10:34:53 AM 192.168.0.8 1598533350.invalid
8/23/2018 10:34:53 AM 192.168.0.8 1902029536.invalid

What is that Surf Soho doing?

sitloongs · August 26, 2018, 9:22pm

Base on the logs above, seem like WAN health check DNS traffics send by SOHO device. Can you please confirm SOHO WAN enabled with DNS health check ? If yes, then it should not be a concern here.

MichaelM · August 27, 2018, 11:10am

Yes, the Surf SOHO WAN Health Check is enabled, and it is set to DNS Lookup.

soylentgreen · August 27, 2018, 3:53pm

the dot-invalid “.invalid” TLD is a special one that is guaranteed to never exist. See .invalid - Wikipedia

So probably the SOHO is making DNS requests, intentionally, for nonexistent lookups.