Two oddities monitoring router activity with no clients

Many routers report LAN activity to the manufacturer and the fact that Peplink does not (outside of InControl2) is a great thing. To verify this, I recently audited outbound connections made by a 2nd generation Surf SOHO running firmware 8.0.2 build 3612 while no clients were connected to the router. The audit turned up two things I cannot explain.

  1. Why did the router contact IP address 104.25.204.4?

It is not for the time of day. It is not for WAN Quality monitoring. It is not a Health check. InControl2 is disabled. I did not hit the Check for Firmware button (System → Firmware). Here is the log entry:

Mar 22 03:10:02 Allowed MAC=00:1a:dd… SRC=192.168.x.x DST=104.25.204.4
LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=12571 DF PROTO=TCP SPT=49005 DPT=443
WINDOW=5600 RES=0x00 SYN URGP=0 MARK=0x2

The IP address belongs to Cloudflare. According to Shodan, it seems to be a Peplink server, but the Content Security Policy mentions Facebook and Google Analytics and port 8443 seems to belong to Oil & Gas Information Systems (ogpro.com).

Why is the router making contact with this server?

  2. The second issue is what the router is NOT doing: I see no DNS Health Check requests.

Health checking is configured to do DNS lookups to 1.1.1.1 and 1.0.0.1 (Cloudflare) every 30 minutes. The audit ran for many hours and I did not see any outbound requests to either of these IP addresses. The firewall rule used for auditing logged any protocol, to any destination from a single IP address.

Backing up, the router being audited (inner router) has its WAN port connected to a LAN port of another Surf SOHO (outer router). The audit was run on the outer router. Could it be that the outer router satisfied the DNS Health Check requests on its own and thus did not log the DNS request from the inner router?

Changed from DNS to Ping for health check and everything works as expected.


I switched the audited router back to using DNS for Health Checking to 1.1.1.1 and 1.0.0.1. And, I added an outbound firewall rule on the audited router that logs anything going out to 1.1.1.1. Nothing appeared in the Event Log of the audited router.

Perhaps DNS requests from the Health Check function are not logged? Still, that would not explain why the other router (outer one) never saw them.


Next, I changed Health Checking to include public DNS servers and I added a log of all outbound UDP requests to port 53. Still, nothing was being logged on the audited/inner router.


The Event Log itself is not the problem; I do see the “changes applied” entries.


With the DNS lookup scheduled for every 5 seconds, I used the support.cgi page on the inner/audited router to do a pcap trace of all the bits for about 30 seconds. As these screenshots show, queries are being made to one.one.one.one and responses are being received.

Is this working as it should?


[Screenshot: queries to 1.1.1.1]

[Screenshot: responses from 1.1.1.1]


2 Likes

It is an IP from download.peplink.com. It is used for updating various databases:

  1. CA certificates (for making verified secured TLS connection)
  2. Geo and SaaS firewall rules
  3. Content Blocking categories update

I believe DNS Proxy is enabled in your outer SOHO router. If so, this is expected. The outer router responded to the DNS lookup from the inner router. So, it is not logged in the outer router’s firewall event log.

The firewall event log logs traffic from LAN to LAN, LAN to WAN, WAN to LAN, or WAN to device (Peplink/Pepware). It will not log traffic from device to WAN.

This shows that the DNS lookup was sent out from the inner router and got a response from the outer router, as I explained above.

Hope this helps.

2 Likes

I let the inner/monitored router sit overnight, still with no connected devices. At 3:10 AM it again made an outgoing connection, this time to IP address 104.25.205.4 which seems much like the first IP address in that it belongs to Peplink.

Mar 23 03:10:02 Allowed CONN=lan MAC=00:1a:dd…
SRC=192.168.x.x DST=104.25.205.4 LEN=60
TOS=0x00 PREC=0x00 TTL=63 ID=31629 DF
PROTO=TCP SPT=47967 DPT=443
WINDOW=5600 RES=0x00 SYN URGP=0 MARK=0x2

Is this phoning home scheduled for once a day in the middle of the night (as per the local time zone)?

When it comes to the DNS Health Checking, I am a bit over my head. Still, [something].localhost does not look like a normal DNS request. And DNS responses of 127.0.0.1 also look suspicious, as do the “No such name” errors about a.root-servers.net. Is this normal?

Personally, I will opt for Health Checking via Ping from now on.

Yes. The device will update the databases daily.

*.localhost is a reserved domain. Any DNS server will reply with 127.0.0.1 if it receives a DNS lookup for *.localhost. We used this domain for WAN link health check when DNS Lookup was selected.

1 Like

Thank you, as always :smiley:
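
An added example, not part of the original thread and not Peplink code: a Python parser for firewall event log entries in the format quoted above. It rejoins wrapped lines, groups connections to destinations outside an expected set, and reports times of day that recur across dates. The function names and the expected-destination set are assumptions; the sample is built from the two entries posted in the thread.

```python
import re
from collections import defaultdict

# Constructed sample: the thread's two entries, wrapped and elided as posted.
SAMPLE_LOG = """\
Mar 22 03:10:02 Allowed MAC=00:1a:dd… SRC=192.168.x.x DST=104.25.204.4
LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=12571 DF PROTO=TCP SPT=49005 DPT=443
WINDOW=5600 RES=0x00 SYN URGP=0 MARK=0x2
Mar 23 03:10:02 Allowed CONN=lan MAC=00:1a:dd…
SRC=192.168.x.x DST=104.25.205.4 LEN=60
TOS=0x00 PREC=0x00 TTL=63 ID=31629 DF
PROTO=TCP SPT=47967 DPT=443
WINDOW=5600 RES=0x00 SYN URGP=0 MARK=0x2
"""
# A new entry starts with a syslog-style timestamp followed by the action.
STAMP = re.compile(r"^(?P<date>[A-Z][a-z]{2} +\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<action>\S+)")

def parse_entries(text):
    """Join wrapped lines into entries, then split each into KEY=value fields."""
    joined = []
    for line in text.splitlines():
        if STAMP.match(line):
            joined.append(line.strip())
        elif joined and line.strip():
            joined[-1] += " " + line.strip()  # continuation of the previous entry
    entries = []
    for raw in joined:
        m = STAMP.match(raw)
        entry = {"date": m["date"], "time": m["time"], "action": m["action"]}
        for token in raw[m.end():].split():
            key, sep, value = token.partition("=")
            entry[key] = value if sep else True  # bare flags (DF, SYN) become True
        entries.append(entry)
    return entries

def unexpected_destinations(entries, expected):
    """Group connections to destinations outside `expected` by (DST, PROTO, DPT)."""
    groups = defaultdict(list)
    for e in entries:
        if e.get("DST") not in expected:
            groups[(e.get("DST"), e.get("PROTO"), e.get("DPT"))].append((e["date"], e["time"]))
    return dict(groups)

def recurring_times(entries):
    """Times of day (HH:MM) seen on more than one date, i.e. a likely daily job."""
    dates_by_time = defaultdict(set)
    for e in entries:
        dates_by_time[e["time"][:5]].add(e["date"])
    return sorted(t for t, dates in dates_by_time.items() if len(dates) > 1)
```

Passing the health check targets 1.1.1.1 and 1.0.0.1 as `expected` leaves the two 104.25.x.4 connections on port 443 in the result, and `recurring_times` returns the 03:10 slot that both entries share.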