Please remove Invasive ASUS data harvesting feature from Asuswrt-Merlin

junkacc

New Around Here
Hello,

It appears that ASUS is tracking everyone (to some extent), and mapping/profiling the networks behind their consumer products. Every last machine on the network, by communicating with my router (RT-AC66U), is being instructed by the router (by default) to connect to "router.asus.com". Unfortunately, before "router.asus.com" is redirected to the local address/network, communication is first established to a remote ASUS IP address "103.10.4.99" (click IP address for tcpiputils page on it), which then connects to an application running on Amazon Web Services at IP address "54.202.251.7" (http://ec2-54-202-251-7.us-west-2.compute.amazonaws.com/find/router.html), before finally redirecting.

This is also the address (router.asus.com) that you are instructed to connect to in order to access the router interface, if for some reason you decide you do not want to use the default 192.168.0.1 - meaning, this is some optional feature that ASUS is providing via an external remote service.

Also under the administrative settings within the router, no matter what you set the router's administrative IP for (eg: 192.168.0.1) over http/https, "router.asus.com" is still hardcoded. There is an indication when you switch the method to https, and it will show https://router.asus.com:8443 next to the port # for https. But it's the same for http too (http://router.asus.com), even though it doesn't show this indicator. All the while you can still connect over the traditional, direct method via http://192.168.0.1 or https

This seems a bit invasive, and unnecessary. The router should be broadcasting its own addresses (eg: 192.168.0.1/24), not a domain owned by ASUS.

Merlin, can you please fix this invasive feature of the ASUS firmware in your modified firmware releases, and change all instances where this appears in the firmware to the respective relative local address (unless it's something that can just be removed), for the benefit of the ASUS router product owners (not just the ones who value their privacy) who trust in your modified firmware releases. Anything related to router.asus.com should have no business in the firmware.
 
Don't know about amazon, but are you using asus.com ddns?

Re router.asus.com, this is handled by the router itself, from windows lan pc, in my case:-

Code:
C:\Users\>nslookup router.asus.com
Server:  router.asus.com
Address:  192.168.66.1

Name:    router.asus.com
Address:  192.168.66.1

It uses /etc/hosts; you should find you can also use www.asusnetwork.net, www.asusrouter.com or your router name, RT-N66U.lan in my case
 
i removed the hard coding on mine
just for giggles just now i went to router.asus.com

what worries me is
after a few seconds it managed to redirect me to my router

it stalls for a few seconds on findasus.local

Untitled.png
 
Completely removing router.asus.com is impossible, it's used throughout the firmware.

If you use your router as a DNS server, then router.asus.com will point you at your router, and you will never access any remote server. The reason for the Amazon web site is probably just so that people who do NOT use their router as a DNS server or have things misconfigured can still be redirected somewhere meaningful.

Asus isn't doing this to be invasive or anything, they are doing this so novice users don't have to guess what IP address to use. The web service is only a fallback method for people not using their router as a DNS. There's nothing to support the theory that this is doing any form of data harvesting, especially since the vast majority of users will never ever reach that remote server. If Asus had intended to do any data farming, they wouldn't point that hostname at your router's IP by default.

What I did change however in recent development is allow to disable the NEW forced redirection to router.asus.com that is being added by Asus in 380_3264. Because this behaviour can cause a problem if you have two different routers on your LAN.
 
Thanks for the response Merlin. An option to allow users to disable this would be good too :))

However, the hostname router.asus.com doesn't point to the router's IP by default, at least not on my RT-AC66U using your 380.59 firmware revision.

nslookup router.asus.com (returns the following)
Server: <redacted>
Address: <redacted>

Non-authoritative answer:
Name: router.asus.com
Address: 103.10.4.99

also the ping command returns the same 103.10.4.99 IP address (Pinging router.asus.com [103.10.4.99] with 32 bytes of data ... ), which is the same IP address router.asus.com is registered under all databases online. Essentially any other command you can imagine, only returns this IP and no local IP anywhere.

Connecting to router.asus.com in any browser does not resolve a local LAN IP in any way - ever, it goes straight to 103.10.4.99 and then to the amazon service at 54.202.251.7 which is hosting an ASUS web application (you can see in Shonk's screenshot provided above)

http://www.tcpiputils.com/browse/ip-address/103.10.4.99
http://www.tcpiputils.com/browse/ip-address/54.202.251.7

Basically what I'm saying is that regardless of how router.asus.com is connected to via any machine on my network, it does not, under any circumstances, go to a local IP address.

And regardless of what type of data ASUS is collecting from this type of redirection trickery - whatever type of convenience service this is supposed to be - being a for profit company, it's highly unlikely they are not monetizing from it somehow. Because this is essentially, a gold mine of data they are receiving each time the router solicits a device on the network to respond to router.asus.com every few minutes.

I hope this provides a bit more details of the issue that I am experiencing.
 
If TOR is running on my router how would I tell it to redirect "router.asus.com" to 192.168.1.1? TOR doesn't check the /etc/hosts file because I already have it in there and it's not using it. I cannot use Dnsmasq because it is configured for regular DNS lookups, not TOR DNS. I'm the only one on the local network using TOR for DNS lookups and Internet, and everyone else uses regular Internet. Does TOR have an /etc/hosts or similar file that it obeys?

C:\> nslookup router.asus.com
Code:
Non-authoritative answer:
Name:    router.asus.com
Address:  103.10.4.99

$ whois 103.10.4.99
Code:
% [whois.apnic.net]
% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html

% Information related to '103.10.4.0 - 103.10.7.255'

inetnum:        103.10.4.0 - 103.10.7.255
netname:        ASUS-NET
descr:          ASUSTek COMPUTER INC.
descr:          No.15, Lide Rd., Beitou Dist.,
descr:          Taipei Taiwan 112
country:        TW
admin-c:        NA272-AP
tech-c:         NA272-AP
status:         ALLOCATED PORTABLE
mnt-by:         MAINT-TW-TWNIC
mnt-lower:      MAINT-TW-TWNIC
mnt-irt:        IRT-TWNIC-AP
changed:        hm-changed@apnic.net 20111024
source:         APNIC

irt:            IRT-TWNIC-AP
address:        Taipei, Taiwan, 100
e-mail:         hostmaster@twnic.net.tw
abuse-mailbox:  hostmaster@twnic.net.tw
admin-c:        TWA2-AP
tech-c:         TWA2-AP
auth:           # Filtered
remarks:        Please note that TWNIC is not an ISP and is not empowered
remarks:        to investigate complaints of network abuse.
mnt-by:         MAINT-TW-TWNIC
changed:        hostmaster@twnic.net.tw 20101108
source:         APNIC

person:         Network Admin
nic-hdl:        NA272-AP
e-mail:         netadmin@asus.com.tw
address:        15,Li-Te Rd., Peitou, Taipei 112, Taiwan
address:        Taipei, 112, R.O.C
phone:          +886-2-2894-3447 ext. 1885
fax-no:         +886-2-2896-9167
country:        TW
changed:        sino_chen@asus.com 20111024
mnt-by:         MAINT-TW-TWNIC
source:         APNIC

% This query was served by the APNIC Whois Service version 1.69.1-APNICv1r0 (UNDEFINED)
 
If you do anything that bypasses using dnsmasq on the router for DNS lookups (Parental Controls>DNS Filter, VPN client DNS exclusive mode with clients bypassing the VPN) the lookups will go out to those specified servers. To make sure you always go to the router add an entry to your clients' hosts file for router.asus.com that points to the router IP.
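
A way to tell which of the two cases in this thread a client is in, as an added example that is not part of the original posts: it parses saved `nslookup router.asus.com` output and reports whether the answer is the router's LAN address or a public one, meaning the lookup bypassed the router's dnsmasq. The sample outputs are constructed from those quoted in the thread; `parse_nslookup`, `classify` and the resolver shown in the second sample are assumptions.

```python
import ipaddress
import re

# Constructed samples modelled on the nslookup outputs quoted in this thread.
SAMPLE_LOCAL = ("Server:  router.asus.com\nAddress:  192.168.66.1\n\n"
                "Name:    router.asus.com\nAddress:  192.168.66.1\n")
SAMPLE_REMOTE = ("Server:  resolver.example\nAddress:  203.0.113.53\n\n"
                 "Non-authoritative answer:\n"
                 "Name:    router.asus.com\nAddress:  103.10.4.99\n")

# Every token on a line that parses as an IPv4/IPv6 address.
def _ips(line):
    out = []
    for tok in re.split(r"[\s,]+", line):
        try:
            out.append(ipaddress.ip_address(tok.split("#")[0]))  # drop "#53" port suffix
        except ValueError:
            pass                                                  # not an address
    return out

# Return (resolver_ip_or_None, [answer_ips]) from nslookup output.
def parse_nslookup(text):
    resolver, answers, in_answer = None, [], False
    for line in text.splitlines():
        head = line.strip().lower()
        if head.startswith("name:"):
            in_answer = True              # addresses after this belong to the answer
        elif in_answer:
            answers.extend(_ips(line))    # also catches "Addresses:" continuation lines
        elif resolver is None and head.startswith("address"):
            resolver = next(iter(_ips(line)), None)
    return resolver, answers

# Hypothetical helper: where did router.asus.com point for this client?
def classify(text, router_ip):
    router = ipaddress.ip_address(router_ip)
    resolver, answers = parse_nslookup(text)
    if not answers:
        verdict = "no-answer"
    elif all(a == router for a in answers):
        verdict = "local"                 # answered by the router's own hosts entry
    elif any(a.is_global for a in answers):
        verdict = "bypass"                # public answer: query did not use the router's DNS
    else:
        verdict = "other-private"         # e.g. a 127.0.0.1 hosts-file override
    return {"verdict": verdict, "resolver_is_router": resolver == router}
```

A "bypass" verdict together with `resolver_is_router` being false points at the client's DNS path (VPN, DNS Filter, Tor) rather than at the router.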
 
It fixed my issue when using TOR as a VPN. Thank you.

C:\Windows\System32\drivers\etc\hosts
Code:
127.0.0.1       router.asus.com
127.0.0.1       localhost
 
I found a similar unanswered question in another subforum here

http://www.snbforums.com/threads/router-asus-com-redirects.20424/

The user stated that the issue ended up being related to the VPN service that they were using. I would like to add that once I had disabled my VPN service, router.asus.com started translating to the local LAN address of the router. When I re-enabled it, the aforementioned behavior resumes. So having an option to disable this on the router itself, def sounds like a good idea.

Coincidentally, as Fitz Mutch has stated above, I was coming back to post about adding the LAN IP router.asus.com -or- 127.0.0.1 router.asus.com in the hosts file as temporary mitigation to the issue.
 
Completely removing router.asus.com is impossible, it's used throughout the firmware.

Agree - and there's places that it'll break even if router.asus.com was in /etc/hosts and resolved to just the router...
 
Because this is essentially, a gold mine of data they are receiving each time the router solicits a device on the network to respond to router.asus.com every few minutes.

Every last machine on the network, by communicating with my router (RT-AC66U), is being instructed by the router (by default) to connect to "router.asus.com".

There's no relation at all between the router, its "solicitation" of LAN devices (not sure what you mean by that) and the router.asus.com hostname. Clients aren't instructed by the router to connect to this hostname. It's just a hostname, nothing more. It's not a service, it's not a callback feature either.

Asus certainly isn't getting a gold mine of data for the minuscule amount of clients that actually a) use that hostname, b) bypass the router's dns server. You do realize that they get more data from you when you access their support site to download a new firmware?
 
And regardless of what type of data ASUS is collecting from this type of redirection trickery - whatever type of convenience service this is supposed to be - being a for profit company, it's highly unlikely they are not monetizing from it somehow. Because this is essentially, a gold mine of data they are receiving each time the router solicits a device on the network to respond to router.asus.com every few minutes.

I hope this provides a bit more details of the issue that I am experiencing.

Frankly I think you spin what you see out of proportion.

Every last machine on the network, by communicating with my router (RT-AC66U), is being instructed by the router (by default) to connect to "router.asus.com".

This is certainly not true. The issue that happened to you is likely due to misconfig of DNS... maybe using functionalities such as DNS filter, policy based routing and/or dnscrypt-proxy type of things.

The crux is that Asus registers "router.asus.com" publicly and resolves properly outside a private LAN. Their intention is to provide smooth user experience.

I would bet Asus stock firmware is always setup to resolve "router.asus.com" locally by your router. Hence, in no chance you'll reach out to the world by that host name. When it does, it actually indicates some sort of router setup issues on your LAN.

When it falls back to the public "router.asus.com", I bet it simply loads a page with client side scripting and, in its best effort to detect on what private IP your router is listening, redirects you there... because when you access "router.asus.com", you want to reach your router to begin with, right? Feel free to scrutinise the client side scripting on the redirection page, and prove me wrong.

It's an intelligent piece of "cloud application" IMO. So it's time to look into router config if you consistently reach out to the world with "router.asus.com."
 
That kind of redirection isn't unusual either. QNAP has been using it for the initial configuration of their NAS products since quite some time already.
 
That kind of redirection isn't unusual either. QNAP has been using it for the initial configuration of their NAS products since quite some time already.

Many other vendors beyond QNAP and Asus do this - at least these two vendors are pretty clear about it and why they do it.
 
I don't like the redirection either. It causes a problem with the Astrill Router applet.

Normally, the applet is loaded within a frame to the right of the router's commands (tiles if you want)

When router.asus.com/user/astrill.asp is loaded, it's in its own window.
 
What I did change however in recent development is allow to disable the NEW forced redirection to router.asus.com that is being added by Asus in 380_3264. Because this behaviour can cause a problem if you have two different routers on your LAN.
Thanks a lot for this!
 
