DoT setup but still seeing traffic on port #53

[s_Fanous]

Hi

I'm running 384.17 on an RT-AC68U

I used the wiki to setup DNS privacy and it works for the most part. The reason I say for the most part is that some DNS traffic is still using port #53.

I use tcpdump against interface ppp0. Here's a short sample of what I see

14:41:57.223430 IP <WAN_IP>.63355 > 8.8.8.8.53: 56118+ A? instagram.com. (31)
14:41:57.223549 IP <WAN_IP>.63355 > 8.8.4.4.53: 56118+ A? instagram.com. (31)
14:41:57.224175 IP <WAN_IP>.49634 > 1.0.0.1.853: Flags [S], seq 1549597567, win 5808, options [mss 1452,sackOK,TS val 30026110 ecr 0,nop,wscale 4], length 0
14:41:57.224701 IP <WAN_IP>.44114 > 1.1.1.1.853: Flags [S], seq 1551394692, win 5808, options [mss 1452,sackOK,TS val 30026110 ecr 0,nop,wscale 4], length 0
00:00:00.953375 IP 8.8.4.4.53 > <WAN_IP>.63355: 56118 8/0/0 A 52.1.109.13, A 34.238.173.81, A 34.196.229.158, A 34.237.200.213, A 34.238.65.211, A 35.173.167.253, A 3.214.16.192, A 52.2.14.71 (159)
00:00:00.953135 IP 8.8.8.8.53 > <WAN_IP>.63355: 56118 8/0/0 A 3.211.39.152, A 52.201.90.120, A 34.227.122.11, A 3.214.32.78, A 34.239.39.134, A 3.218.3.143, A 3.224.3.80, A 3.214.138.217 (159)
00:00:00.953642 IP 1.1.1.1.853 > <WAN_IP>.44114: Flags [S.], seq 3086137722, ack 1551394693, win 65535, options [mss 1460,nop,nop,sackOK,nop,wscale 10], length 0
14:41:57.240559 IP <WAN_IP>.44114 > 1.1.1.1.853: Flags [.], ack 1, win 363, length 0
00:00:00.946134 IP 1.0.0.1.853 > <WAN_IP>.49634: Flags [S.], seq 3742561590, ack 1549597568, win 65535, options [mss 1460,nop,nop,sackOK,nop,wscale 10], length 0
14:41:57.241973 IP <WAN_IP>.49634 > 1.0.0.1.853: Flags [.], ack 1, win 363, length 0
14:41:57.243403 IP <WAN_IP>.44114 > 1.1.1.1.853: Flags [P.], seq 1:275, ack 1, win 363, length 274
14:41:57.246158 IP <WAN_IP>.49634 > 1.0.0.1.853: Flags [P.], seq 1:275, ack 1, win 363, length 274
00:00:00.954435 IP 1.1.1.1.853 > <WAN_IP>.44114: Flags [.], ack 275, win 66, length 0
00:00:00.956133 IP 1.1.1.1.853 > <WAN_IP>.44114: Flags [.], seq 1:1453, ack 275, win 66, length 1452
14:41:57.260671 IP <WAN_IP>.44114 > 1.1.1.1.853: Flags [.], ack 1453, win 545, length 0
00:00:00.955880 IP 1.1.1.1.853 > <WAN_IP>.44114: Flags [P.], seq 1453:2725, ack 275, win 66, length 1272
14:41:57.260845 IP <WAN_IP>.44114 > 1.1.1.1.853: Flags [.], ack 2725, win 726, length 0
00:00:00.954414 IP 1.0.0.1.853 > <WAN_IP>.49634: Flags [.], ack 275, win 66, length 0
00:00:00.934135 IP 1.0.0.1.853 > <WAN_IP>.49634: Flags [.], seq 1:1453, ack 275, win 66, length 1452
00:00:00.966892 IP 8.8.4.4.53 > <WAN_IP>.36913: 33327 2/0/0 CNAME z-p42-instagram.c10r.facebook.com., A 157.240.18.174 (95)
14:41:58.257591 IP <WAN_IP>.36691 > 8.8.4.4.53: 19483+ A? star.c10r.facebook.com. (40)
00:00:00.039164 IP 8.8.4.4.53 > <WAN_IP>.36691: 19483 1/0/0 A 157.240.18.15 (56)
14:41:58.490240 IP <WAN_IP>.36722 > 8.8.4.4.53: 14085+ A? scontent.xx.fbcdn.net. (39)
00:00:00.055493 IP 8.8.4.4.53 > <WAN_IP>.36722: 14085 1/0/0 A 157.240.18.19 (55)
14:41:58.584864 IP <WAN_IP>.13420 > 8.8.4.4.53: 46230+ A? instagram.fybz2-2.fna.fbcdn.net. (49)
00:00:00.187482 IP 8.8.4.4.53 > <WAN_IP>.13420: 46230 1/0/0 A 184.150.164.224 (65)
14:41:59.018916 IP <WAN_IP>.28870 > 8.8.4.4.53: 11005+ A? instagram.fybz2-1.fna.fbcdn.net. (49)
00:00:00.560972 IP 8.8.4.4.53 > <WAN_IP>.28870: 11005 1/0/0 A 184.150.164.160 (65)
14:42:00.033067 IP <WAN_IP>.56472 > 8.8.4.4.53: 59593+ A? instagram.c10r.facebook.com. (45)
00:00:00.786711 IP 8.8.4.4.53 > <WAN_IP>.56472: 59593 1/0/0 A 157.240.18.63 (61)

LAN -> DHCP Server configuration

WAN configuration

The only observation I've made is that the unencrypted DNS traffic always flows through whatever values are configured for DNS Server1 and DNS Server2 in the WAN page (i.e. If I put 1.1.1.1 and 1.0.0.1 then tcpdump will show some traffic flowing to these DNS servers over port #53 and lots of traffic flowing over port #853, however if I put 8.8.8.8 and 8.8.4.4 then tcpdump will only show traffic flowing to these DNS servers over port #53 and all traffic flowing to CF servers will be over port #853). I'm unable to clear out

I tried removing the values in DNS Server1 and Server2 but get the following error message when I try to Apply the settings
"Please setup the DNS server on the client device."

I'm not using DNSFilter (Disabled)

Looking for some help to figure out why some traffic is still using port #53.

Thanks

 

[ColinTaylor]

I'm not using DNSFilter (Disabled)

The message in orange in your screenshot says you do have DNSFilter enabled.

 

[s_Fanous]

The message in orange in your screenshot says you do have DNSFilter enabled.

Apologies, I wasn't clear. It is enabled and "Global Filter Mode" is set to Router but I don't have any clients configured. So it is effectively not enabled on any client.

FTR, I have also tried with it disabled and I observe the same behavior.

 

[dave14305]

If it's coming from a client, try running tcpdump against br0:

tcpdump -i br0 dst port 53 and ! dst 192.168.1.1

Otherwise, it's the router generating its own DNS queries locally.

 

[ColinTaylor]

Apologies, I wasn't clear. It is enabled and "Global Filter Mode" is set to Router but I don't have any clients configured. So it is effectively not enabled on any client.

No, that should mean that it is enabled for all clients.

Are the devices using port 53 mobile devices?

 

[s_Fanous]

If it's coming from a client, try running tcpdump against br0:

tcpdump -i br0 dst port 53 and ! dst 192.168.1.1

Otherwise, it's the router generating its own DNS queries locally.

Ran the command and not a single packet captured in 2 minutes

 

[dave14305]

Ran the command and not a single packet captured in 2 minutes

So the router is querying names itself. Even a tcpdump run on the router without using the -n flag can cause the router to issue dns requests to resolve the IPs in the src/dst fields.

You can experiment on the Tools / Other Settings page by setting "Wan: Use local caching DNS server as system resolver" to Yes and see if the 53/udp traffic stops.

 

[ColinTaylor]

So the router is querying names itself. Even a tcpdump run on the router without using the -n flag can cause the router to issue dns requests to resolve the IPs in the src/dst fields.

I don't think it is the router itself. In post #1 it's not converting IP addresses and he said he used the wiki where the example tcpdump command uses -n.

The log fragment shows queries to Google's DNS for Facebook and Instagram. This makes me think it's an Android device using hard coded DNS addresses. But enabling the DNSFilter should have fixed that.

@s_Fanous Are you still seeing the port 53 traffic on the WAN interface? Have you re-enabled the DNSFilter?

 

[heysoundude]

It's been a while since I did it, but my recollection indicates the DNS boxes that have the google stuff in them on the WAN DNS window should be empty with DoT selected. amirite?

 

[ColinTaylor]

It's been a while since I did it, but my recollection indicates the DNS boxes that have the google stuff in them on the WAN DNS window should be empty with DoT selected. amirite?

No. You always have to have WAN DNS servers. If you don't have them set automatically you must enter them manually.

 

[dave14305]

I don't think it is the router itself. In post #1 it's not converting IP addresses and he said he used the wiki where the example tcpdump command uses -n.

The log fragment shows queries to Google's DNS for Facebook and Instagram. This makes me think it's an Android device using hard coded DNS addresses. But enabling the DNSFilter should have fixed that.

@s_Fanous Are you still seeing the port 53 traffic on the WAN interface? Have you re-enabled the DNSFilter?

Since he didn't see any incoming traffic on br0 heading to port 53, I assume DNS Filter is doing it's job. So in my mind that leaves the router as the source. Not sure how or why the router would be looking up instagram or facebook, so it seems unusual, which means there's a piece of the puzzle missing.

 

[weslsew]

No. You always have to have WAN DNS servers. If you don't have them set automatically you must enter them manually.

those are empty on mine and I have connect to DNS Server automatically turned off

 

[ColinTaylor]

those are empty on mine and I have connect to DNS Server automatically turned off

Are you talking about the DNS server fields on the WAN page or the LAN page?

 

[weslsew]

Are you talking about the DNS server fields on the WAN page or the LAN page?

both

 

[ColinTaylor]

both

Having empty fields on the LAN page is normal and is the default. But maybe on the WAN page this is something new that was brought in with the DNS Privacy settings. I can't see any reference to that in the wiki.

 

[s_Fanous]

I don't think it is the router itself. In post #1 it's not converting IP addresses and he said he used the wiki where the example tcpdump command uses -n.

The log fragment shows queries to Google's DNS for Facebook and Instagram. This makes me think it's an Android device using hard coded DNS addresses. But enabling the DNSFilter should have fixed that.

@s_Fanous Are you still seeing the port 53 traffic on the WAN interface? Have you re-enabled the DNSFilter?

Yes, still seeing it. Tested with both DNSFilter Disabled and Enabled. Same results. Also tested @dave14305 suggestion but no change in output.

Just out of curiosity I wanted to see what was listening on port #53 on my router. Here's the output

netstat -anp | grep LISTEN | grep ":53"
tcp        0      0 127.0.1.1:53            0.0.0.0:*               LISTEN      9531/stubby
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      9138/dnsmasq
tcp        0      0 192.168.1.1:53          0.0.0.0:*               LISTEN      9138/dnsmasq
tcp        0      0 10.8.0.1:53             0.0.0.0:*               LISTEN      9138/dnsmasq

I also ran 2 tcpdump in parallel. First capturing ppp0 ports 53 & 853 and the second capturing br0 ports 53 to try to see if the outgoing port 53 traffic was originating from 1 specific LAN IP but I wasn't able to make a case here. I could see requests from my laptop, desktop, and amazon devices resulting in outgoing requests on port #53. All 3 devices are setup using DHCP and so only see the IP Address of the router (192.168.1.1) as the DNS Server.

Not sure where to go from here.

 

[s_Fanous]

Ok, I think I'm getting somewhere now

I checked my /jffs/config/dnsmasq.conf and found the following config line

resolv-file=/tmp/resolv.conf

more /tmp/resolv.conf
nameserver 8.8.8.8
nameserver 8.8.4.4
nameserver 127.0.1.1

So out of curiosity, I commented out the first 2 entries in that file and restarted dnsmasq.conf and I'm no longer seeing any traffic on port #53.

I've also determined that the first 2 entries in the file map to the values of DNS Server1 and Server2 in the WAN page since as soon as I made a change there and applied the changes /tmp/resolv.conf reflected the exact same changes.

So, the question is, should my /tmp/resolv.conf look like this or just have the stubby entry?

 

[dave14305]

Ok, I think I'm getting somewhere now

I checked my /jffs/config/dnsmasq.conf and found the following config line

resolv-file=/tmp/resolv.conf

more /tmp/resolv.conf
nameserver 8.8.8.8
nameserver 8.8.4.4
nameserver 127.0.1.1

So out of curiosity, I commented out the first 2 entries in that file and restarted dnsmasq.conf and I'm no longer seeing any traffic on port #53.

I've also determined that the first 2 entries in the file map to the values of DNS Server1 and Server2 in the WAN page since as soon as I made a change there and applied the changes /tmp/resolv.conf reflected the exact same changes.

So, the question is, should my /tmp/resolv.conf look like this or just have the stubby entry?

Why do you have /jffs/configs/dnsmasq.conf? This overrides the firmware-generated /etc/dnsmasq.conf.

 

[ColinTaylor]

I checked my /jffs/config/dnsmasq.conf and found the following config line

Are you sure you don't mean /etc/dnsmasq.conf?

 

[s_Fanous]

Are you sure you don't mean /etc/dnsmasq.conf?

admin@AsusRTAC68U:/tmp# more resolv.conf
nameserver 1.1.1.1
nameserver 1.0.0.1
nameserver 127.0.1.1

admin@AsusRTAC68U:/tmp# more resolv.dnsmasq
server=127.0.1.1