Skynet showing router itself making calls to China?


Skywise

Occasional Visitor
A couple weeks back I discovered I could do country blocking in Skynet (nice feature, thanks) and blocked China on my router. Checked it a few days ago and saw 2 devices trying to hit China. A few dozen from my Philips Hue controller, which is a known issue amazingly enough as it's hitting a time server in China?! (not anymore!). The other device? My Asus router! I'm up to date on the firmware, never allowed WAN access on the control, etc., but it's still possible I could've been hacked somehow... So I did a router rebuild over the weekend: saved the config, restored factory defaults, reloaded the config and then proceeded to re-set up the JFFS partition, built the swap partition and reinstalled everything, although I did NOT format the JFFS. I'm still seeing the router trying to reach China.

[attached screenshot of the Skynet stats]
(The Unknown here is my Philips Hue before I got the DHCP tables restored)
Aside from Merlin's firmware, the only things I've got installed are unbound, skynet and merlin's ntp. All game stuff, AI Protection, etc., is disabled (and opted out of sharing the info).

I don't THINK I'm hacked - but I'm not sure what's making these calls?
 
reloaded the config ??
 
Most likely, the antivirus Asus has built in.
 
I don't THINK I'm hacked - but I'm not sure what's making these calls?
It’s probably Unbound trying to resolve a name where the authoritative server is in China. Skynet’s logs can tell you what IP and port were blocked.
 
Most likely, the antivirus Asus has built in.
But I've got all of that turned off. Maybe something to do with the gamelan stuff? (that's also off - but the settings page tries to ping certain sites to determine ping rates/speeds)
 
It’s probably Unbound trying to resolve a name where the authoritative server is in China. Skynet’s logs can tell you what IP and port were blocked.
@Skywise... this! I've got china blocked as well, and if you look at your syslogs, you'll see a host of "blocked outbounds" going to Chinese DNS authoritative servers because Unbound doesn't know any better, and just keeps trying every so often.
 
No, you can't turn this one off. No GUI option to do so.
 
@Skywise... this! I've got china blocked as well, and if you look at your syslogs, you'll see a host of "blocked outbounds" going to Chinese DNS authoritative servers because Unbound doesn't know any better, and just keeps trying every so often.
May 20 18:06:24 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=[My Router External Ip] DST=140.205.122.133 LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=43266 PROTO=UDP SPT=63081 DPT=53 LEN=52
May 20 18:06:24 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=[My Router External Ip] DST=106.11.35.29 LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=50923 PROTO=UDP SPT=29185 DPT=53 LEN=52
May 20 18:06:24 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=[My Router External Ip] DST=106.11.41.153 LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=18776 PROTO=UDP SPT=64370 DPT=53 LEN=52
May 20 18:06:24 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=[My Router External Ip] DST=140.205.122.133 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=43325 PROTO=UDP SPT=48028 DPT=53 LEN=51
May 20 18:06:24 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=[My Router External Ip] DST=106.11.41.153 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=18779 PROTO=UDP SPT=31409 DPT=53 LEN=51
May 20 18:06:24 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=[My Router External Ip] DST=140.205.122.143 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=21812 PROTO=UDP SPT=61748 DPT=53 LEN=51
May 20 18:06:24 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=[My Router External Ip] DST=106.11.41.154 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=36510 PROTO=UDP SPT=15136 DPT=53 LEN=51
May 20 18:06:24 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=[My Router External Ip] DST=140.205.122.153 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=46499 PROTO=UDP SPT=30481 DPT=53 LEN=51

Looks like it - is there no way to configure the DNS authoritative servers that Unbound uses?
 
is there no way to configure the DNS authoritative servers that Unbound uses?
Authoritative servers for a domain are determined by the individual domain owner. If you don't want recursive resolving, just go back to dnsmasq. Tradeoffs.

Better yet, figure out which domains are resulting in SERVFAILs due to the blocking and block those domains in Unbound with an always_nxdomain (like ad-blocking).
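To narrow down which blocked DNS packets come from the router itself (the thread's question) rather than from a LAN client, here is an added shell check, not code from the thread or from Skynet, run over constructed lines in the same layout Skynet logs; the packet's IN= field is the discriminator (empty for router-generated packets, the LAN bridge for forwarded ones):

```shell
#!/bin/sh
# Added example, not code from the thread. Summarises Skynet "[BLOCKED - OUTBOUND]"
# syslog lines so router-originated DNS lookups (Unbound) can be told apart from
# lookups a LAN client made: a packet generated by the router itself is logged with
# an empty IN= field, while a forwarded packet carries the LAN interface (e.g. IN=br0).

# Constructed sample in the layout the thread quotes. 203.0.113.5 stands in for the
# router's WAN address; 192.0.2.x are placeholder destinations, not real resolvers.
SAMPLE_LOG='May 20 18:06:24 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=203.0.113.5 DST=192.0.2.10 LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=43266 PROTO=UDP SPT=63081 DPT=53 LEN=52
May 20 18:06:24 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=203.0.113.5 DST=192.0.2.11 LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=50923 PROTO=UDP SPT=29185 DPT=53 LEN=52
May 20 18:06:25 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=203.0.113.5 DST=192.0.2.10 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=43325 PROTO=UDP SPT=48028 DPT=53 LEN=51
May 20 18:06:30 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=203.0.113.5 DST=192.0.2.20 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=1 PROTO=UDP SPT=123 DPT=123 LEN=56
May 20 18:06:31 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.1.50 DST=192.0.2.21 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2 PROTO=UDP SPT=51001 DPT=53 LEN=40'

# blocked_dns_summary router|lan   (reads syslog lines on stdin)
#   router: "count DST" for DNS (DPT=53) packets the router itself sent
#   lan:    "count SRC DST" for DNS packets forwarded from LAN clients
# Most frequent first, so the servers Unbound keeps retrying rise to the top.
blocked_dns_summary() {
  awk -v mode="$1" '
    /\[BLOCKED - OUTBOUND\]/ {
      in_if = ""; src = ""; dst = ""; dpt = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^IN=/)  in_if = substr($i, 4)   # "" when the router generated it
        if ($i ~ /^SRC=/) src   = substr($i, 5)
        if ($i ~ /^DST=/) dst   = substr($i, 5)
        if ($i ~ /^DPT=/) dpt   = substr($i, 5)
      }
      if (dpt != "53") next                       # only DNS is of interest here
      if (mode == "router" && in_if == "") count[dst]++
      if (mode == "lan"    && in_if != "") count[src " " dst]++
    }
    END { for (k in count) print count[k], k }
  ' | sort -rn
}

# On the router: blocked_dns_summary router < /tmp/syslog.log  (syslog path assumed)
printf '%s\n' "$SAMPLE_LOG" | blocked_dns_summary router
```

Once the names being resolved through those servers are known, Unbound's `local-zone: "name." always_nxdomain` stops the lookups, as the post above suggests.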
 
Looks like it - is there no way to configure the DNS authoritative servers that Unbound uses?
Not to my knowledge, but perhaps I'll learn something. ;)
 
Not to my knowledge, but perhaps I'll learn something. ;)
Here is one way...

Code:
/usr/sbin/iptables -t raw -I PREROUTING -p udp --sport 1024:65535 --dport 53 -s "$(ip -o -4 addr list eth0 | awk 'NR==1{ split($4, ip_addr, "/"); print ip_addr[1] }')" -j ACCEPT
/usr/sbin/iptables -t raw -I PREROUTING -p tcp --sport 1024:65535 --dport 53 -s "$(ip -o -4 addr list eth0 | awk 'NR==1{ split($4, ip_addr, "/"); print ip_addr[1] }')" -j ACCEPT
Note the above assumes eth0 is your WAN interface.
It can be adjusted further:
Code:
/usr/sbin/iptables -t raw -I PREROUTING -p udp --sport 1024:65535 --dport 53 -s "$(ip -o -4 addr list $(nvram get wan_ifname) | awk 'NR==1{ split($4, ip_addr, "/"); print ip_addr[1] }')" -j ACCEPT
/usr/sbin/iptables -t raw -I PREROUTING -p tcp --sport 1024:65535 --dport 53 -s "$(ip -o -4 addr list $(nvram get wan_ifname) | awk 'NR==1{ split($4, ip_addr, "/"); print ip_addr[1] }')" -j ACCEPT
You can place this in the firewall-start script. It is important to make sure it runs after Skynet runs.
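The rules above wrapped as a firewall-start style helper, as an added example that is not code from the thread, from Skynet or from Asuswrt-Merlin. It adds the two things the post asks for: the rules go in only after Skynet's raw-table rules exist, and reruns do not stack duplicate rules. Assumptions: Asuswrt-Merlin (`nvram get wan_ifname`, `/usr/sbin/iptables`) and that Skynet's raw PREROUTING rules contain the string "Skynet", which is used only as the readiness check.

```shell
#!/bin/sh
# Added example, not code from the thread or from Skynet. Assumptions: Asuswrt-Merlin
# (nvram, /usr/sbin/iptables) and that Skynet's raw PREROUTING rules contain "Skynet"
# (readiness check only; adjust if your Skynet version names its chain differently).

# Pure helper: first IPv4 address from `ip -o -4 addr list <if>` output on stdin.
# Kept free of root-only commands so it can be checked offline.
wan_ipv4_from_ip_output() {
  awk 'NR == 1 { split($4, a, "/"); print a[1] }'
}

wan_ipv4() {
  ip -o -4 addr list "$(nvram get wan_ifname)" | wan_ipv4_from_ip_output
}

# Insert a raw PREROUTING rule only when an identical one is absent (-C), so running
# firewall-start again does not pile up copies of the same rule.
ensure_raw_prerouting_rule() {
  /usr/sbin/iptables -t raw -C PREROUTING "$@" 2>/dev/null ||
    /usr/sbin/iptables -t raw -I PREROUTING "$@"
}

apply_dns_allow() {
  ip4="$(wan_ipv4)"
  [ -n "$ip4" ] || { echo "WAN has no IPv4 address yet" >&2; return 1; }
  # Wait up to ~60 s for Skynet to populate the raw table (the post's advice:
  # these rules must be added after Skynet runs).
  tries=0
  until /usr/sbin/iptables -t raw -S PREROUTING | grep -q Skynet; do
    tries=$((tries + 1))
    [ "$tries" -lt 30 ] || { echo "Skynet rules not seen, inserting anyway" >&2; break; }
    sleep 2
  done
  # 1024:65535 is the outbound port range the thread attributes to Unbound.
  for proto in udp tcp; do
    ensure_raw_prerouting_rule -p "$proto" --sport 1024:65535 --dport 53 -s "$ip4" -j ACCEPT
  done
}

# Constructed sample of `ip -o -4 addr list eth0` output for the offline check.
SAMPLE_IP_OUTPUT='2: eth0    inet 203.0.113.5/24 brd 203.0.113.255 scope global eth0\       valid_lft forever preferred_lft forever'

# Only touch iptables when explicitly asked, e.g. from /jffs/scripts/firewall-start:
#   sh /jffs/scripts/dns-allow.sh apply     (script path is an assumption)
if [ "${1-}" = "apply" ]; then
  apply_dns_allow
fi
```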
 
Here is one way...

Code:
/usr/sbin/iptables -t raw -I PREROUTING -p udp --sport 1024:65535 --dport 53 -s "$(ifconfig eth0 | awk '/inet / {split($2, ip, "/"); print ip[1]}')" -j ACCEPT
/usr/sbin/iptables -t raw -I PREROUTING -p tcp --sport 1024:65535 --dport 53 -s "$(ifconfig eth0 | awk '/inet / {split($2, ip, "/"); print ip[1]}')" -j ACCEPT
Note the above assumes eth0 is your WAN interface.
It can be adjusted further:
Code:
/usr/sbin/iptables -t raw -I PREROUTING -p udp --sport 1024:65535 --dport 53 -s "$(ifconfig $(nvram get wan_ifname) | awk '/inet / {split($2, ip, "/"); print ip[1]}')" -j ACCEPT
/usr/sbin/iptables -t raw -I PREROUTING -p tcp --sport 1024:65535 --dport 53 -s "$(ifconfig $(nvram get wan_ifname) | awk '/inet / {split($2, ip, "/"); print ip[1]}')" -j ACCEPT
You can place this in the firewall-start script. It is important to make sure it runs after Skynet runs.
Thanks - although skynet should "solve" the problem though?
 
Thanks - although skynet should "solve" the problem though?
When you turn off your router, it is no longer handing your internet connection to your devices; does it then become the router manufacturer's job to "solve" your lack of internet connection dilemma? Depends on how you look at it. Using Skynet's default list and settings, you should be able to use Unbound with no problems. It is easy to argue that you might be blocking too much. If you intend to block as much as you do, it is important to understand how it may impact your outbound connections. Unbound has outbound port randomization (i.e. 1024:65535): the ports leaving your connection will be randomized, all of which will reach destination port 53 of an otherwise undisclosed root server IP address. The problem is there is not a known list of IP addresses of all the servers, and Unbound follows the path until it reaches the answer. You are welcome to piecemeal compile your own list of root server IPs by following Skynet's log for blocked connections, or simply make a single PREROUTING rule which allows all ports in Unbound's default outbound port range destined for port 53. When it comes to blocking via IP address, it is important to realize that when you start blocking entire ASNs or countries, you are bound to block an undisclosed root server IP address. IMHO Skynet behaves as it should, although it wouldn't take @Adamm five seconds to make the necessary adjustments inside Skynet to incorporate this logic.
 
Not seeing any China or ports open. I think I remember years ago I had this problem, but have not seen it recently.
 
@SomeWhereOverTheRainBow

From a quick check the awk part is returning 'addr:<IP ADDR>'
i.e. addr:192.168.1.1

[attached screenshot of the command output]
Awk is like Emacs to me ..... a mystery from beyond !!!!!
I cannot work out the pattern to remove the 'addr:'

I will need your help !!!

:eek:
 
From a quick check the awk part is returning 'addr:<IP ADDR>'
i.e. addr:192.168.1.1
I have corrected the original post with a better command.

Code:
/usr/sbin/iptables -t raw -I PREROUTING -p udp --sport 1024:65535 --dport 53 -s "$(ip -o -4 addr list $(nvram get wan_ifname) | awk 'NR==1{ split($4, ip_addr, "/"); print ip_addr[1] }')" -j ACCEPT
/usr/sbin/iptables -t raw -I PREROUTING -p tcp --sport 1024:65535 --dport 53 -s "$(ip -o -4 addr list $(nvram get wan_ifname) | awk 'NR==1{ split($4, ip_addr, "/"); print ip_addr[1] }')" -j ACCEPT
 
I will need your help !!!
You can also try a different approach, using these rules:
Code:
iptables -t raw -I OUTPUT -o eth0 -p tcp --dport 53 -j RETURN
iptables -t raw -I OUTPUT -o eth0 -p udp --dport 53 -j RETURN
iptables -t raw -I PREROUTING -i eth0 -p tcp --sport 53 -j RETURN
iptables -t raw -I PREROUTING -i eth0 -p udp --sport 53 -j RETURN
This should allow the outbound and reply traffic, in theory.
 
You can also try a different approach, using this rule:
Code:
iptables -t raw -I OUTPUT -o eth0 -p tcp --dport 53 -j RETURN
iptables -t raw -I OUTPUT -o eth0 -p udp --dport 53 -j RETURN
I don’t think you need to fight with PREROUTING for DNS originating on the router.
Typically I would tend to agree with you to use the OUTPUT chain instead of fighting with PREROUTING. Originally, I tried the OUTPUT chain when I was writing the rules and I found that Skynet's PREROUTING rules were still taking priority. Traffic destined for port 53 to blocked IP addresses was still getting blocked. My only solution was to place PREROUTING rules before Skynet's PREROUTING chains.
 