A solution: let the router in AP mode or AiMesh node receive commands from the main router

[Yota]

I ran into this question a few weeks ago while writing a script: How to make the main router and node execute some commands synchronously. At first I thought this was impossible, because for AP mode, the main router does not communicate with the AP, and for AiMesh because the code is closed source, it is impossible to pass custom commands to the node router. Actually I have been using a very insecure method before, keeping the ssh key in the main router and letting the main router control the AP/Node via ssh. But today I thought of a simple way to pass commands to AP/Node without logging into AP/Node.

The answer is simple: use DNS

We can specify an IPv6 address for a non-existing local hostname as the interface for passing commands. After the command is encrypted, we can translate it into a hexadecimal IPv6 address. If one address is not enough, multiple addresses can be used. Of course, multiple hostnames should be used at this time, and then specify the address in dnsmasq. The AP or node only needs to periodically try to resolve the hostname. If get the command and execute it. (Commands must be encrypted before they can be used as IPv6 addresses, otherwise there will be security risks)

The advantage of this is that because APs and nodes also run DNS servers, they do exactly the same thing, such as returning command results and logs to the main router in the form of IPv6 addresses.

There is no in-depth study on sending files, and it may be possible to temporarily mount a file using an existing http page and restore it after downloading. the two routers can communicate via IPv6 DNS results before sending the file.

Of course this requires some scripting, and constant polling, I'm just giving an idea, no examples here, however, with this idea, some custom script developers can achieve synchronization and communication between main router and aimesh node or ap.


If DNS is available, why not just send DNS with specific hostname request as command trigger?

Because this is not secure, anyone can send the same request on the LAN, even if the hostname used to pass the command is encrypted and the attacker cannot run the custom command, it is still possible for the attacker to capture the DNS request and send the same DNS request to the router multiple times, causing the router to continuously run the command and crash. also, this requires opening dnsmasq logs and monitoring the logs, whereas nslookup is much simpler and elegant.

 

[Yota]

A simple conceptual example, not an actual command:

The main router wants to send a reboot to the node:

reboot encrypted as: 6163504a4652 and translated to IPv6 address: ff01:6163:504a:4652::2
Then add this IPv6 address to a special local hostname in dnsmasq, for example: passcommand1

The node only needs to periodically query the resolution result of the passcommand1, and run the command according to the resolution result.

 

[Yota]

If script developers are interested in this feature, I'd be happy to write an API script, so script developers don't have to implement the feature themselves in each script.

Let me know if you are interested in this: leave a message

 

[dave14305]

Someone took you up on the offer already it seems.

New Linux botnet exploits Log4J, uses DNS tunneling for comms

A recently discovered botnet under active development targets Linux systems, attempting to ensnare them into an army of bots ready to steal sensitive info, installing rootkits, creating reverse shells, and acting as web traffic proxies.

www.bleepingcomputer.com

 

[Yota]

Someone took you up on the offer already it seems.

New Linux botnet exploits Log4J, uses DNS tunneling for comms

A recently discovered botnet under active development targets Linux systems, attempting to ensnare them into an army of bots ready to steal sensitive info, installing rootkits, creating reverse shells, and acting as web traffic proxies.

www.bleepingcomputer.com

The technology itself is not good or bad, it depends on who is using it and what they are doing with it.

 

[Yota]

For this to work, I need to have dnsmasq automatically reload the hosts file or the custom IPs and hostnames in dnsmasq.conf.

There are two ways, the first is to kill dnsmasq and start it again to load the hosts, or specify the hostsdir=/tmp/hostsfiles parameter to let dnsmasq automatically load the new hosts file in the directory.

But when I try to enable hostsdir I get the following error:

Mar 16 15:54:18 rc_service: service 888:notify_rc restart_dnsmasq
Mar 16 15:54:18 dnsmasq[23872]: exiting on receipt of SIGTERM
Mar 16 15:54:18 custom_config: Appending content of /jffs/configs/dnsmasq.conf.add.
Mar 16 15:54:18 dnsmasq[891]: dhcp-hostsdir, dhcp-optsdir and hostsdir are not supported on this platform
Mar 16 15:54:18 dnsmasq[891]: FAILED to start up
Mar 16 15:54:44 rc_service: watchdog 1694:notify_rc start_dnsmasq
Mar 16 15:54:44 custom_config: Appending content of /jffs/configs/dnsmasq.conf.add.
Mar 16 15:54:44 dnsmasq[945]: dhcp-hostsdir, dhcp-optsdir and hostsdir are not supported on this platform
Mar 16 15:54:44 dnsmasq[945]: FAILED to start up
Mar 16 15:55:14 rc_service: watchdog 1694:notify_rc start_dnsmasq
Mar 16 15:55:14 custom_config: Appending content of /jffs/configs/dnsmasq.conf.add.
Mar 16 15:55:14 dnsmasq[1006]: dhcp-hostsdir, dhcp-optsdir and hostsdir are not supported on this platform
Mar 16 15:55:14 dnsmasq[1006]: FAILED to start up
......

I think support for this feature was removed when this dnsmasq was compiled, right? Communication via DNS may be difficult without this feature, because when there is a lot of traffic, dnsmasq will restart after each communication, which will bring a bad experience to the user network.

Can you help fix this? @RMerlin

 

[RMerlin]

If you need to execute remote operations then use SSH. Far less hackish, and will work fine with AP or AiMesh nodes.

 

[RMerlin]

Example here (you can use key authentication to avoid login prompts):

merlin@ubuntu-dev:~$ ssh admin@rtac66b1 "df -h \/tmp"
admin@rtac66b1's password: 
Filesystem                Size      Used Available Use% Mounted on
tmpfs                   124.9M      2.3M    122.6M   2% /tmp
merlin@ubuntu-dev:~$

 

[Yota]

Example here (you can use key authentication to avoid login prompts):

merlin@ubuntu-dev:~$ ssh admin@rtac66b1 "df -h \/tmp"
admin@rtac66b1's password:
Filesystem                Size      Used Available Use% Mounted on
tmpfs                   124.9M      2.3M    122.6M   2% /tmp
merlin@ubuntu-dev:~$

Thanks, I'm doing this, but I don't want to keep the key on the main router because if the main router gets hacked, the attacker will be able to find the key and attack the node router. I think this is a security risk. So DNS-based communication allows me to not provide the key with any router, and because the admin password is encrypted, I can use it with confidence, even if the router is hacked, the loss is limited.

 

[Tech9]

I think this is a security risk.

AiMesh node is an access point or a wireless repeater. What is there to hack so much?

 

[RMerlin]

These parameters require inotify support. I don't see no valid reason to enable inotify support in dnsmasq beside this very esoteric niche case, sorry.

 

[RMerlin]

AiMesh node is an access point or a wireless repeater. What is there to hack so much?

Plus if the main router is compromised, then one should consider their WHOLE network compromised. The nodes are the least of your worries if that happens.

 

[Yota]

These parameters require inotify support. I don't see no valid reason to enable inotify support in dnsmasq beside this very esoteric niche case, sorry.

I understand, I will try other ideas.

Plus if the main router is compromised, then one should consider their WHOLE network compromised. The nodes are the least of your worries if that happens.

You're right

 

[Yota]

AiMesh node is an access point or a wireless repeater. What is there to hack so much?

It is also a 24/7 networked computer, which means it can be turned into an infected device for mining