
Author Topic: DIR-885L Phoning Home  (Read 16706 times)

RYAT3

« Reply #15 on: January 09, 2020, 03:07:14 PM »

So this is only when you log into the admin pages for the router?

I could see it checking on the date/time, but that's kind of crazy.

FurryNutz

  • D-Link Global Forum Moderator
« Reply #16 on: January 11, 2020, 03:15:37 PM »

If you seem to exhibit or continue to see problems, please factory reset and setup from scratch to confirm if problems continue or not.

Thank you.

Was curious if you had any updates on this?
Have you tried v1.21 FW version?

I've recently installed Firmware 1.21B03 BETA. No change, it's still phoning home. I've purchased some hardware that will allow me to do some packet sniffing, but haven't had the opportunity to do so. When I get around to it, I'll let you know what I find.

Larry ....
Cable: 1Gb/50Mb>NetGear CM1200>DIR-882>HP 24pt Gb Switch. COVR-1202/2202/3902,DIR-2660/80,3xDGL-4500s,DIR-LX1870,857,835,827,815,890L,880L,868L,836L,810L,685,657,3x655s,645,628,601,DNR-202L,DNS-345,DCS-933L,936L,960L and 8000LH.

LarryNOTtheCableGuy

« Reply #17 on: January 12, 2020, 09:26:34 AM »

So this is only when you log into the admin pages for the router?

I could see it checking on the date/time, but that's kind of crazy.

The router checks the date/time on a regular basis, at a reasonable interval, whether you're logged into its admin pages or not. My impression (haven't done any exhaustive testing) is that it starts to phone home at an alarming rate (100s of times per minute) only when you access the Connected Clients page. Again, I haven't gone looking for any other triggers at this point.

If it's simply trying to look up the manufacturer for each connected device (i.e., matching MAC addresses to manufacturers), that's not a big problem. However, it's doing this via the US, Taiwan and China motherships, and unsuccessfully in many cases. If it's doing something more nefarious, that's a problem.

Larry ....
DSL-520B  HW:T2 FW:1.12NA
DIR-885L  HW:A1  FW:1.21B03
DGS-108  HW:B1
DCS-5020L  HW:A1  FW:1.16.01

FurryNutz

« Reply #18 on: January 12, 2020, 04:19:25 PM »

I'll have D-Link look into this again...

GreenBay42

  • Administrator
« Reply #19 on: January 13, 2020, 08:22:00 AM »

OK I am assuming you have the default gateway on your clients pointing to the pi-hole. Is DHCP enabled on the pi-hole (and disabled on the router)?

If you are showing a large amount of traffic from source IP of the router, this is normal. This is not the router making all these requests. You are basically creating a double-NAT without the NAT with the pi-hole so what you are seeing is your client making a request going to the pi-hole for DNS resolution, then going through the router to the internet. When the traffic comes back to the client, it is hitting the router, the router then has to send it back to pi-hole and then to the client.

I wouldn't worry too much about this. If you put a sniffer on the WAN side and remove the pi-hole but still see this traffic, then there may be an issue.

LarryNOTtheCableGuy

« Reply #20 on: January 13, 2020, 09:47:56 AM »

OK I am assuming you have the default gateway on your clients pointing to the pi-hole. Is DHCP enabled on the pi-hole (and disabled on the router)?

If you are showing a large amount of traffic from source IP of the router, this is normal. This is not the router making all these requests. You are basically creating a double-NAT without the NAT with the pi-hole so what you are seeing is your client making a request going to the pi-hole for DNS resolution, then going through the router to the internet. When the traffic comes back to the client, it is hitting the router, the router then has to send it back to pi-hole and then to the client.

I wouldn't worry too much about this. If you put a sniffer on the WAN side and remove the pi-hole but still see this traffic, then there may be an issue.

My router is configured so that it's pointing to my ISP as the default gateway and DHCP is enabled. I'm not using pi-hole for DHCP. However, I do have it set up with unbound as a recursive, authenticating DNS server. My network is set up with a double-NAT; one in the DSL modem, and one in the router. Finally, all of the devices on my network are assigned static IP addresses, and the hosts file on the RPi running pi-hole has been populated so that pi-hole displays human-readable names for each device (as opposed to just IP addresses).

pi-hole displays the DNS requests for each device on the network. I can see what each device, including the router, is requesting. When I access the router's Connected Clients admin page, the router starts generating 100s of requests per minute for the following URLs: www.dlink.com, dlink.com, www.dlink.com.tw, dlink.com.tw, www.dlink.com.cn, and dlink.com.cn. I've just confirmed that no other admin page displays this behaviour. I've blacklisted the latter 4 URLs.

« Last Edit: January 13, 2020, 10:23:33 AM by LarryNOTtheCableGuy »

GreenBay42

« Reply #21 on: January 13, 2020, 09:54:26 AM »

oh strange. OK. I am assuming that some of that mydlink traffic is connecting to databases to resolve client's vendor information/name. So when you leave the connected clients page it stops?

LarryNOTtheCableGuy

« Reply #22 on: January 13, 2020, 10:20:20 AM »

oh strange. OK. I am assuming that some of that mydlink traffic is connecting to databases to resolve client's vendor information/name. So when you leave the connected clients page it stops?

I'm going to have to walk back a bit of what I just said. This behaviour occurs with more than just the Connected Clients page. While I was typing my last message I accessed all of the router's admin pages except for the Connected Clients page. pi-hole is reporting that the router generated 420 DNS requests in a 10-minute period; most of the requests being for the URLs listed above.

I agree that some of the requests might be for vendor information, but I'm thinking it's likely more than that. Regardless of what it's doing, it appears to be doing it in a very inefficient manner.

Larry ....

GreenBay42

« Reply #23 on: January 13, 2020, 11:23:03 AM »

If you un-blacklist the blocked URLs does it still request at a high rate?  Since you blocked it, the router is probably re-trying to connect to mydlink and not hearing back.
« Last Edit: January 13, 2020, 11:28:05 AM by GreenBay42 »

LarryNOTtheCableGuy

« Reply #24 on: January 13, 2020, 11:50:14 AM »

If you un-blacklist the blocked URLs does it still request at a high rate?  Since you blocked it, the router is probably re-trying to connect to mydlink and not hearing back.

I haven't tested this, but I don't think blacklisting the URLs has any effect on the rate. Of the six URLs I've listed above, only four are blacklisted. The DNS request rate for all six is identical, even when some are blacklisted.

Just one more data point. Included in this spike in router activity are DNS requests for www.google.com, google.com, www.mydlink.com and mydlink.com. Each of the 10 URLs appears to be requested at the same rate.

Larry ....

FurryNutz

« Reply #25 on: February 21, 2020, 08:18:30 AM »

FYI, Security update for the DIR-885L:
http://forums.dlink.com/index.php?topic=75404.0

dg_102

« Reply #26 on: July 16, 2020, 10:23:14 AM »

I can confirm that the router sends requests to:

2020-07-16 12:50:31    AAAA   www.dlink.com.cn
2020-07-16 12:50:31    A   dlink.com.tw

I am also using pi-hole on a local server as my DNS.
I just blocked those in Pi-Hole with the blacklist regular expression.

dg
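
To quantify the per-domain request rates discussed in this thread, the following added example (not part of any forum post, and not D-Link or Pi-hole code) parses dnsmasq-style query lines of the kind Pi-hole logs, then reports one client's queries per minute and which domains are queried in lockstep. The log line format, the router address 192.168.0.1 and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Assumed format: dnsmasq "query[...]" lines as found in Pi-hole's query log.
QUERY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) dnsmasq\[\d+\]: "
    r"query\[(?P<qtype>[\w-]+)\] (?P<name>\S+) from (?P<client>\S+)$"
)

def parse(lines, year=2020):
    """Yield (timestamp, qtype, name, client) for query lines; skip the rest."""
    for line in lines:
        m = QUERY_RE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["qtype"], m["name"].lower(), m["client"]

def client_profile(lines, client):
    """Return (per-domain query counts, queries per minute) for one client IP."""
    counts, stamps = Counter(), []
    for ts, _qtype, name, src in parse(lines):
        if src == client:
            counts[name] += 1
            stamps.append(ts)
    if not stamps:
        return counts, 0.0
    # Treat windows shorter than a minute as one minute to avoid dividing by ~0.
    minutes = max((max(stamps) - min(stamps)).total_seconds() / 60, 1.0)
    return counts, sum(counts.values()) / minutes

def lockstep_groups(counts, min_size=3):
    """Group domains that were queried exactly the same number of times."""
    groups = defaultdict(list)
    for name, n in counts.items():
        groups[n].append(name)
    return {n: sorted(v) for n, v in groups.items() if len(v) >= min_size}

# Constructed sample: router at 192.168.0.1 (hypothetical) querying six of the
# domains named in the thread twice a minute, plus one unrelated client.
DOMAINS = ["www.dlink.com", "dlink.com", "www.dlink.com.tw",
           "dlink.com.tw", "www.dlink.com.cn", "dlink.com.cn"]
SAMPLE = [f"Jan 13 10:0{m}:{s:02d} dnsmasq[812]: query[A] {d} from 192.168.0.1"
          for m in range(3) for s in (5, 35) for d in DOMAINS]
SAMPLE += ["Jan 13 10:01:10 dnsmasq[812]: query[AAAA] example.org from 192.168.0.23",
           "Jan 13 10:01:12 dnsmasq[812]: forwarded example.org to 192.0.2.53"]

if __name__ == "__main__":
    counts, rate = client_profile(SAMPLE, "192.168.0.1")
    print(f"{rate:.1f} queries/min", lockstep_groups(counts))
```

Running the same functions over a capture taken with and without the DNS blocklist entries in place gives a direct comparison of whether blocking changes the request rate.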