DoT setup: some traffic over port 53 (trend micro.com)

Chuckles67

Regular Contributor
Using Asus AC66U-B1 with Merlin 384.17.

WAN > DoT setup using the DNS Privacy wiki to Cloudflare DNS servers; LAN > DNSFilter set to "Router" with no Client List entries. I'm using AiProtection/Trend Micro to enable Adaptive QoS with FreshJR script installed.

Using tcpdump to inspect traffic on WAN: I'm seeing very occasional traffic on port 53 to what looks like trend micro servers. Is this normal or expected router traffic?

Code:
admin@RT-AC66U_B1-8300:/tmp/home/root# tcpdump -i eth0 -p port 53 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
14:19:35.509133 IP XX.XX.XXX.XXX.43971 > 1.1.1.1.53: 162+ AAAA? ntd-asus-2014b-en.fbs20.trendmicro.com. (56)
14:19:35.520725 IP 1.1.1.1.53 > XX.XX.XXX.XXX.43971: 162 5/0/0 CNAME gslb6.fbs.trendmicro.com.akadns.net., CNAME aws-prod.fbs25.trendmicro.com., CNAME fbs.prod.spn.a1q7.net., AAAA 2600:1f14:9ae:ce03:f74d:285f:a674:b444, AAAA 2600:1f14:9ae:ce01:f2f5:3a2f:1503:883e (260)
14:19:35.521151 IP XX.XX.XXX.XXX.59361 > 1.1.1.1.53: 163+ AAAA? gslb6.fbs.trendmicro.com.akadns.net. (53)
14:19:35.531077 IP 1.1.1.1.53 > XX.XX.XXX.XXX.59361: 163 4/0/0 CNAME aws-prod.fbs25.trendmicro.com., CNAME fbs.prod.spn.a1q7.net., AAAA 2600:1f14:9ae:ce01:f2f5:3a2f:1503:883e, AAAA 2600:1f14:9ae:ce03:f74d:285f:a674:b444 (219)
14:19:35.531500 IP XX.XX.XXX.XXX.56413 > 1.1.1.1.53: 164+ AAAA? aws-prod.fbs25.trendmicro.com. (47)
14:19:35.542301 IP 1.1.1.1.53 > XX.XX.XXX.XXX.56413: 164 3/0/0 CNAME fbs.prod.spn.a1q7.net., AAAA 2600:1f14:9ae:ce01:f2f5:3a2f:1503:883e, AAAA 2600:1f14:9ae:ce03:f74d:285f:a674:b444 (167)
14:19:35.542754 IP XX.XX.XXX.XXX.34718 > 1.1.1.1.53: 165+ AAAA? fbs.prod.spn.a1q7.net. (39)
14:19:35.553718 IP 1.1.1.1.53 > XX.XX.XXX.XXX.34718: 165 2/0/0 AAAA 2600:1f14:9ae:ce03:f74d:285f:a674:b444, AAAA 2600:1f14:9ae:ce01:f2f5:3a2f:1503:883e (116)
14:19:35.554582 IP XX.XX.XXX.XXX.37235 > 1.1.1.1.53: 166+ A? ntd-asus-2014b-en.fbs20.trendmicro.com. (56)
14:19:35.568129 IP 1.1.1.1.53 > XX.XX.XXX.XXX.37235: 166 5/0/0 CNAME gslb6.fbs.trendmicro.com.akadns.net., CNAME aws-prod.fbs25.trendmicro.com., CNAME fbs.prod.spn.a1q7.net., A 44.233.111.149, A 44.233.140.104 (236)
14:19:35.866671 IP XX.XX.XXX.XXX.41884 > 1.1.1.1.53: 167+ AAAA? ntd-asus-2014b-en.fbs20.trendmicro.com. (56)
14:19:35.882494 IP 1.1.1.1.53 > XX.XX.XXX.XXX.41884: 167 5/0/0 CNAME gslb6.fbs.trendmicro.com.akadns.net., CNAME aws-prod.fbs25.trendmicro.com., CNAME fbs.prod.spn.a1q7.net., AAAA 2600:1f14:9ae:ce03:f74d:285f:a674:b444, AAAA 2600:1f14:9ae:ce01:f2f5:3a2f:1503:883e (260)
14:19:35.883264 IP XX.XX.XXX.XXX.37231 > 1.1.1.1.53: 168+ AAAA? gslb6.fbs.trendmicro.com.akadns.net. (53)
14:19:35.893925 IP 1.1.1.1.53 > XX.XX.XXX.XXX.37231: 168 4/0/0 CNAME aws-prod.fbs25.trendmicro.com., CNAME fbs.prod.spn.a1q7.net., AAAA 2600:1f14:9ae:ce01:f2f5:3a2f:1503:883e, AAAA 2600:1f14:9ae:ce03:f74d:285f:a674:b444 (219)
14:19:35.894578 IP XX.XX.XXX.XXX.49116 > 1.1.1.1.53: 169+ AAAA? aws-prod.fbs25.trendmicro.com. (47)
14:19:35.906899 IP 1.1.1.1.53 > XX.XX.XXX.XXX.49116: 169 3/0/0 CNAME fbs.prod.spn.a1q7.net., AAAA 2600:1f14:9ae:ce03:f74d:285f:a674:b444, AAAA 2600:1f14:9ae:ce01:f2f5:3a2f:1503:883e (167)
14:19:35.907465 IP XX.XX.XXX.XXX.51696 > 1.1.1.1.53: 170+ AAAA? fbs.prod.spn.a1q7.net. (39)
14:19:35.918196 IP 1.1.1.1.53 > XX.XX.XXX.XXX.51696: 170 2/0/0 AAAA 2600:1f14:9ae:ce01:f2f5:3a2f:1503:883e, AAAA 2600:1f14:9ae:ce03:f74d:285f:a674:b444 (116)
14:19:35.918997 IP XX.XX.XXX.XXX.55353 > 1.1.1.1.53: 171+ A? ntd-asus-2014b-en.fbs20.trendmicro.com. (56)
14:19:35.930381 IP 1.1.1.1.53 > XX.XX.XXX.XXX.55353: 171 5/0/0 CNAME gslb6.fbs.trendmicro.com.akadns.net., CNAME aws-prod.fbs25.trendmicro.com., CNAME fbs.prod.spn.a1q7.net., A 44.233.140.104, A 44.233.111.149 (236)

(XX.XX.XXX.XXX is my WAN IP)
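As an added example (not from this thread or from the Merlin firmware), a small Python parser for tcpdump lines in the format shown above: it picks out the plaintext port-53 queries sent from the WAN address and summarizes which names are still being resolved in the clear, which is the check you want after switching LAN clients to DoT. The WAN address 203.0.113.7 and the sample capture are constructed.

```python
import re
from collections import Counter

# Matches a tcpdump DNS query summary line (run with -n and no -v), e.g.
# "14:19:35.509133 IP 203.0.113.7.43971 > 1.1.1.1.53: 162+ AAAA? example.com. (56)"
# Responses ("1.1.1.1.53 > 203.0.113.7.43971: 162 5/0/0 ...") do not match:
# they carry no "+" after the id and their destination port is not 53.
QUERY_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.53: "
    r"(?P<id>\d+)\+ (?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+)\. \("
)

# Constructed sample, mirroring the capture format in the post (WAN IP is TEST-NET-3).
SAMPLE_CAPTURE = """\
14:19:35.509133 IP 203.0.113.7.43971 > 1.1.1.1.53: 162+ AAAA? ntd-asus-2014b-en.fbs20.trendmicro.com. (56)
14:19:35.520725 IP 1.1.1.1.53 > 203.0.113.7.43971: 162 5/0/0 CNAME gslb6.fbs.trendmicro.com.akadns.net., AAAA 2600:1f14:9ae:ce03:f74d:285f:a674:b444 (260)
14:19:35.554582 IP 203.0.113.7.37235 > 1.1.1.1.53: 166+ A? ntd-asus-2014b-en.fbs20.trendmicro.com. (56)
14:19:35.866671 IP 203.0.113.7.41884 > 1.1.1.1.53: 167+ AAAA? ntd-asus-2014b-en.fbs20.trendmicro.com. (56)
14:19:35.883264 IP 203.0.113.7.37231 > 1.0.0.1.53: 168+ AAAA? gslb6.fbs.trendmicro.com.akadns.net. (53)
"""


def plaintext_dns_queries(lines, wan_ip):
    """Return (qname, qtype, resolver) for every plaintext port-53 query sent from wan_ip.

    Caveat: on a NATed WAN interface, queries from LAN clients also appear with the
    WAN IP as source, so capture on br0 as well if you need to tell router-originated
    lookups apart from client lookups that bypassed DoT.
    """
    found = []
    for line in lines:
        m = QUERY_RE.match(line)
        if m and m.group("src") == wan_ip:
            found.append((m.group("qname"), m.group("qtype"), m.group("dst")))
    return found


def summarize(queries):
    """Count queries per (qname, qtype) and list the upstream resolvers contacted."""
    counts = Counter((qname, qtype) for qname, qtype, _ in queries)
    resolvers = sorted({dst for _, _, dst in queries})
    return counts, resolvers


if __name__ == "__main__":
    counts, resolvers = summarize(plaintext_dns_queries(SAMPLE_CAPTURE.splitlines(), "203.0.113.7"))
    for (qname, qtype), n in counts.most_common():
        print(f"{n:3d}  {qtype:5s} {qname}")
    print("plaintext resolvers contacted:", ", ".join(resolvers))
```

On the router itself you would feed it a saved capture, e.g. the output of `tcpdump -i eth0 -p port 53 -n -l > /tmp/dns53.txt`.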
 
Using tcpdump to inspect traffic on WAN: I'm seeing very occasional traffic on port 53 to what looks like trend micro servers. Is this normal or expected router traffic?
Yes. In the recommended configuration LAN clients use DoT but the router still uses normal DNS (otherwise it may fail to boot properly).
 
Thanks Colin.
 
It's only the AiProtection feature that does this (at least from what I've noticed). Since I don't need this feature to contact the Trend Micro servers, I was able to stop these non-DoT requests by setting the WAN DNS server to 192.168.50.1. This way DoT continues to work properly and the request over port 53 never actually happens.
 
It's only the AiProtection feature that does this (at least from what I've noticed). Since I don't need this feature to contact the Trend Micro servers, I was able to stop these non-DoT requests by setting the WAN DNS server to 192.168.50.1. This way DoT continues to work properly and the request over port 53 never actually happens.
It’s probably better to set Tools / Other Settings page “Wan: Use local caching DNS server as system resolver” to Yes instead of misusing the WAN DNS fields.
 