D-Link Forums

The Graveyard - Products No Longer Supported => Routers => DIR-885L => Topic started by: LarryNOTtheCableGuy on October 25, 2018, 11:18:43 AM

Title: DIR-885L Phoning Home
Post by: LarryNOTtheCableGuy on October 25, 2018, 11:18:43 AM
A couple of weeks ago I installed a Pi Hole (whole house ad blocker) on my home network. Very easy to install and configure on a Raspberry Pi. Once I had it configured to identify which device was making each DNS request, I was shocked to see the number of times the DIR-885L router phoned home. A short test conducted just before starting this post showed it making 280 DNS requests in 5 minutes; the vast majority of which were for www.dlink.com, dlink.com, www.dlink.com.cn, dlink.com.cn, www.dlink.com.tw, dlink.com.tw, www.mydlink.com, and mydlink.com. It also made several requests for www.google.com and google.com (really?). Interestingly, this only occurs when accessing the router's web interface. The rest of the time it's reasonably quiet.

I get that from time to time the router needs to contact the D-Link NTP server and look up manufacturers of connected devices, but this is ridiculous and frankly quite disconcerting. I can't imagine why it needs to do this, and am now wondering if information regarding my home network is being leaked to the mother ship (or worse). As a result, I've now blacklisted the China and Taiwan domains, and am seriously considering the same for the US domains. When I have time this winter I'll probably try flashing one of my spares with DD-WRT firmware (FurryNutz, if I run into trouble you'll be seeing me looking for help on the dd-wrt.com forum). In the meantime it looks like I'm going to have to install a packet sniffer between my modem and router to see what, if any, information is being leaked. Will let you know what I find.
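The measurement described above (which device issues each lookup, and how many in a five-minute span) can be reproduced from the Pi-hole query log. The script below is an added example, not code from the original thread, from Pi-hole or from D-Link: it parses the `query[A] name from client` lines that Pi-hole's dnsmasq writes to /var/log/pihole.log, attributes each lookup to the client address that sent it, collapses hosts such as www.dlink.com.cn into their zone, and flags any client whose lookups inside a sliding five-minute window reach a threshold. The sample log lines, the 192.168.0.x addresses and the 2018 year (syslog timestamps carry no year) are constructed assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Pi-hole writes dnsmasq query lines to /var/log/pihole.log in this shape:
#   Oct 25 11:10:05 dnsmasq[512]: query[A] www.dlink.com from 192.168.0.1
QUERY_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) dnsmasq\[\d+\]: "
    r"query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<client>\S+)$"
)
LOG_YEAR = 2018  # assumed: syslog timestamps carry no year

def parse_query(line, year=LOG_YEAR):
    """Return (timestamp, client_ip, queried_name, qtype), or None for non-query lines."""
    m = QUERY_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["client"], m["name"].lower().rstrip("."), m["qtype"]

def registrable_domain(name):
    """Collapse a host name to its zone so www.dlink.com and dlink.com count
    together. Two-label public suffixes such as com.cn / com.tw are kept whole."""
    labels = name.split(".")
    if (len(labels) >= 3 and labels[-1] in {"cn", "tw", "uk", "au"}
            and labels[-2] in {"com", "co", "net", "org"}):
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def summarize(lines, window=timedelta(minutes=5), threshold=100):
    """Per client: total queries, the peak number of queries inside any
    window-long span (sliding window over sorted timestamps), whether that
    peak reaches the threshold, and the three most-queried zones."""
    stamps = defaultdict(list)
    zones = defaultdict(Counter)
    for line in lines:
        parsed = parse_query(line)
        if parsed is None:
            continue  # forwarded/reply/cached lines are not client queries
        ts, client, name, _qtype = parsed
        stamps[client].append(ts)
        zones[client][registrable_domain(name)] += 1
    report = {}
    for client, times in stamps.items():
        times.sort()
        peak = lo = 0
        for hi, ts in enumerate(times):
            while ts - times[lo] > window:
                lo += 1
            peak = max(peak, hi - lo + 1)
        report[client] = {
            "total": len(times),
            "peak_in_window": peak,
            "noisy": peak >= threshold,
            "top_zones": zones[client].most_common(3),
        }
    return report

# Constructed sample log (not captured from a real device): the router address
# issues twelve queries for D-Link hosts within one minute, a laptop issues two.
ROUTER, LAPTOP = "192.168.0.1", "192.168.0.20"
DLINK_HOSTS = ["www.dlink.com", "dlink.com", "www.dlink.com.cn", "dlink.com.cn",
               "www.dlink.com.tw", "dlink.com.tw"]

def _line(clock, name, client):
    return f"Oct 25 {clock} dnsmasq[512]: query[A] {name} from {client}"

SAMPLE_LOG = [_line("11:10:%02d" % (5 * i), DLINK_HOSTS[i % 6], ROUTER) for i in range(12)]
SAMPLE_LOG += [
    _line("11:10:07", "forums.dlink.com", LAPTOP),
    _line("11:10:45", "www.example.org", LAPTOP),
    "Oct 25 11:10:46 dnsmasq[512]: forwarded www.example.org to 203.0.113.53",
]

if __name__ == "__main__":
    for client, info in summarize(SAMPLE_LOG, threshold=10).items():
        flag = "NOISY" if info["noisy"] else "ok"
        print(f"{client:15} total={info['total']:4} peak/5min={info['peak_in_window']:4} "
              f"{flag:5} {info['top_zones']}")
```

The attribution is only as good as the source address the Pi-hole sees: with the router's DNS relay enabled every lookup would arrive from the router's own address, which is why the relay has to be disabled for a per-device count like this to mean anything. The threshold is deliberately a parameter; the 100-per-window default is just a starting point to tune against a quiet baseline of the same network.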
Title: Re: DIR-885L Phoning Home
Post by: hydra3333 on October 25, 2018, 05:17:07 PM
Eek. I too would like dlink's information on this.
Title: Re: DIR-885L Phoning Home
Post by: GreenBay42 on October 26, 2018, 07:49:13 AM
What firmware version do you have?

I assume the pi hole is on the LAN side so it cannot measure WAN to Internet traffic from the router.

Do you have any mydlink products on your network?

Let us know what your sniffer finds on the WAN side. I will forward this to a tech to look into also. And also the fact this mainly happens when connecting to the web UI is strange.

EDIT: More questions

Since I saw you have a mydlink camera on another thread, it is normal that there is mydlink.com traffic. The camera (and the router, being a mydlink router) will send requests to mydlink servers.

How did you configure the DNS information on your router? Is DNS Relay enabled or disabled?

Is your pi hole handling dhcp for all your clients?

What DNS server(s) are you using on your pi hole?

Did you statically assign any IP settings/DNS on your clients?

If you blocked any of the mydlink domains/IP addresses, you will see more traffic since it needs to communicate with your mydlink devices (router and cameras) so it will keep requesting.
Title: Re: DIR-885L Phoning Home
Post by: LarryNOTtheCableGuy on October 26, 2018, 11:15:23 AM
> What firmware version do you have?

v1.20 (latest released version)

> I assume the pi hole is on the LAN side so it cannot measure WAN to Internet traffic from the router.

Correct. As I said, I'm now looking at what hardware/software I need to monitor the WAN side of the router (e.g., managed switch and another Pi running Wireshark). This will take me a while.

> Do you have any mydlink products on your network?

None. Although I do have a mydlink account, this router is NOT logged into it.

> Let us know what your sniffer finds on the WAN side. I will forward this to a tech to look into also. And also the fact this mainly happens when connecting to the web UI is strange.

Will do. Many many thanks.

> EDIT: More questions

> Since I saw you have a mydlink camera on another thread, this is normal there is mydlink.com traffic. The camera (and router being a mydlink router) will send requests to mydlink servers.

The cameras are at a different location. As I indicated above, I'm not logged into my mydlink account on this router. Had I been, I wouldn't have included them in the list of domains.

> How did you configure the DNS information on your router? Is DNS Relay enabled or disabled?

DNS Relay is disabled on the router so that the Pi Hole can see which device is making each DNS request. The router is acting as the DHCP server on the network and all of the devices have been assigned static IP addresses.

> Is your pi hole handling dhcp for all your clients?

Not at this time.

> What DNS server(s) are you using on your pi hole?

The Pi Hole is passing DNS requests to my local ISP's primary and secondary DNS servers. I'm not using Google, Cloudflare, OpenDNS, etc. I'm in Canada, so I'm also not using one of the US vertically-integrated conglomerates. Nor am I using any of the large Canadian providers (Bell, Telus, Rogers).

> Did you statically assign any IP settings/DNS on your clients?

Yes, clients have static IP addresses. The router's DHCP server passes the DNS server information to the clients. Currently, this is the internal address of my Pi.

> If you blocked any of the mydlink domains/IP addresses, you will see more traffic since it needs to communicate with your mydlink devices (router and cameras) so it will keep requesting.

It occurred to me that this might happen. However, with some or all listed domains blacklisted, there is no noticeable increase in the number of requests. Furthermore, there is no noticeable difference in the operation of the router.

Again, thank you for looking into this. I'll definitely keep everyone informed as to what I find. Unfortunately it may be a while before I can get to it.

Larry ....
Title: Re: DIR-885L Phoning Home
Post by: GreenBay42 on October 26, 2018, 12:38:04 PM
Thanks for the information. I know mydlink devices will send requests to the mydlink servers even if not registered. It is kinda like "hey I'm a mydlink product, am I registered" and the server will respond yes or no. Not too sure about the google requests unless you have an android device or any google home/assistant products.

Definitely let us know your results. A couple techs are off today so we will look into this on Monday.

Have you contacted D-Link tech support?

If possible can you send me a list of domains/IP addresses it is sending? I can send to the engineers so they can verify them. You can PM me or I can give you an email address.
Title: Re: DIR-885L Phoning Home
Post by: LarryNOTtheCableGuy on October 26, 2018, 02:54:40 PM
> Not too sure about the google requests unless you have an android device or any google home/assistant products.

There is one android phone in the house, and it's pretty chatty all on its own. Regardless, from my perspective that doesn't explain why the router needs to query google.com when you access its web interface.

Larry ....
Title: Re: DIR-885L Phoning Home
Post by: GreenBay42 on October 26, 2018, 03:13:49 PM
Well again the pi hole is on the LAN side of the router so it is not reporting outgoing traffic from the router to the Internet. The requests have to be from a device on the LAN and/or from the Internet to a device on the LAN. The router still inspects incoming traffic and then will send it to the pi hole. Does the pi hole report if it is incoming vs outgoing?
Title: Re: DIR-885L Phoning Home
Post by: Netrunner4Pizza on October 27, 2018, 09:20:28 AM
Maybe I can help shed light on this, as I also run a PiHole. My topography is this:

Modem > DMZ > Dlink Router > everything else

Router pulls IP and Subnet via DHCP from Modem
Router points to PiHole for DNS
DNS is set to Cloudflare and DNS.WATCH
Router only has DHCP running for half of my subnet with itself as the DNS server.

Everything on my network runs through my PiHole and I've never seen a single call home from dlink since I started this up last year. I'm on 1.20 (Thu 28 Sep 2017 firmware), about to update to 1.21B03. I also have SecurityOnion on a passthrough on my modem & router (I use my modem as a security layer for guests) decrypting and sniffing/logging all traffic. I am 100% confident the router is not calling home.

edit: clarification of SecOnion
Title: Re: DIR-885L Phoning Home
Post by: FurryNutz on October 27, 2018, 11:56:35 AM
Link>Welcome! (http://forums.dlink.com/index.php?topic=48135.0)

> Maybe I can help shed light on this, as I also run a PiHole. My topography is this:
>
> Modem > DMZ > Dlink Router > everything else
>
> Router pulls IP and Subnet via DHCP from Modem
> Router points to PiHole for DNS
> DNS is set to Cloudflare and DNS.WATCH
> Router only has DHCP running for half of my subnet with itself as the DNS server.
>
> Everything on my network runs through my PiHole and I've never seen a single call home from dlink since I started this up last year. I'm on 1.20 (Thu 28 Sep 2017 firmware), about to update to 1.21B03. I also have SecurityOnion on a passthrough on my modem & router (I use my modem as a security layer for guests) decrypting and sniffing/logging all traffic. I am 100% confident the router is not calling home.
>
> edit: clarification of SecOnion
Title: Re: DIR-885L Phoning Home
Post by: LarryNOTtheCableGuy on October 27, 2018, 02:00:50 PM
> Well again the pi hole is on the LAN side of the router so it is not reporting outgoing traffic from the router to the Internet.

You're absolutely correct. And I'm the first to admit I have no idea about what's happening on the outgoing side of the router; thus my original comment regarding the installation of a packet sniffer between the modem and router (which I hope to get to in the fullness of time). I will also admit that I may have been somewhat "over-dramatic" with some of my wording.  ::)

> Does the pi hole report if it is incoming vs outgoing?

The Pi Hole is a forwarding DNS server, which simply intercepts all DNS lookup requests from devices on my network (including the router), and "blocks" any associated with ad servers, malware sites, etc. The remaining requests are passed through to my ISP's DNS servers. So all I'm seeing are DNS lookup requests; nothing else. And to the best of my knowledge, it's telling me that the router is requesting DNS lookups for the listed domains. But I have no idea what the router is doing after that.

I'm certainly not a networking expert, and have never done this for a living. Although I've been at it for about 15 years, everything I know about networking is self taught. I probably know just enough to be very dangerous.  :D

Larry ....
Title: Re: DIR-885L Phoning Home
Post by: LarryNOTtheCableGuy on October 27, 2018, 02:39:06 PM
> Router pulls IP and Subnet via DHCP from Modem
> Router points to PiHole for DNS
> Router only has DHCP running for half of my subnet with itself as the DNS server.

If I read this correctly, you have a double-NAT setup. This is exactly the way my network is set up. The router is served a static IP address from the modem on a different subnet than all of the devices downstream of the router.

> Everything on my network runs though my PiHole and I've never seen a single call home from dlink since i started this up last year.

Question:  Can you see the router make any DNS requests (e.g., occasional lookup for NTP server)?

> I also have SecurityOnion ...

Never heard of SecurityOnion; thanks for bringing it to my attention. Sucks that it won't run on a Pi.

Larry ....
Title: Re: DIR-885L Phoning Home
Post by: GreenBay42 on October 29, 2018, 07:13:16 AM
I am hoping to get a Pi Hole today to test this and get a better understanding of what is being logged.
Title: Re: DIR-885L Phoning Home
Post by: hydra3333 on June 29, 2019, 05:32:48 PM
what was the answer ?
Thanks
Title: Re: DIR-885L Phoning Home
Post by: FurryNutz on October 05, 2019, 12:30:51 PM
Was curious if you had any updates on this?
Have you tried v1.21 FW version?

> A couple of weeks ago I installed a Pi Hole (whole house ad blocker) on my home network. Very easy to install and configure on a Raspberry Pi. Once I had it configured to identify which device was making each DNS request, I was shocked to see the number of times the DIR-885L router phoned home. A short test conducted just before starting this post showed it making 280 DNS requests in 5 minutes; the vast majority of which were for www.dlink.com, dlink.com, www.dlink.com.cn, dlink.com.cn, www.dlink.com.tw, dlink.com.tw, www.mydlink.com, and mydlink.com. It also made several requests for www.google.com and google.com (really?). Interestingly, this only occurs when accessing the router's web interface. The rest of the time it's reasonably quiet.
>
> I get that from time to time the router needs to contact the D-Link NTP server and look up manufacturers of connected devices, but this is ridiculous and frankly quite disconcerting. I can't imagine why it needs to do this, and am now wondering if information regarding my home network is being leaked to the mother ship (or worse). As a result, I've now blacklisted the China and Taiwan domains, and am seriously considering the same for the US domains. When I have time this winter I'll probably try flashing one of my spares with DD-WRT firmware (FurryNutz, if I run into trouble you'll be seeing me looking for help on the dd-wrt.com forum). In the meantime it looks like I'm going to have to install a packet sniffer between my modem and router to see what, if any, information is being leaked. Will let you know what I find.
Title: Re: DIR-885L Phoning Home
Post by: LarryNOTtheCableGuy on January 09, 2020, 01:12:52 PM
> Was curious if you had any updates on this?
> Have you tried v1.21 FW version?

I've recently installed Firmware 1.21B03 BETA. No change, it's still phoning home. I've purchased some hardware that will allow me to do some packet sniffing, but haven't had the opportunity to do so. When I get around to it, I'll let you know what I find.

Larry ....
Title: Re: DIR-885L Phoning Home
Post by: RYAT3 on January 09, 2020, 03:07:14 PM
So this is only when you log into the admin pages for the router?

I could see it checking on the date/time, but that's kind of crazy.
Title: Re: DIR-885L Phoning Home
Post by: FurryNutz on January 11, 2020, 03:15:37 PM
If you seem to exhibit or continue to see problems, please factory reset and setup from scratch to confirm if problems continue or not.

Thank you.

> > Was curious if you had any updates on this?
> > Have you tried v1.21 FW version?
>
> I've recently installed Firmware 1.21B03 BETA. No change, it's still phoning home. I've purchased some hardware that will allow me to do some packet sniffing, but haven't had the opportunity to do so. When I get around to it, I'll let you know what I find.
>
> Larry ....
Title: Re: DIR-885L Phoning Home
Post by: LarryNOTtheCableGuy on January 12, 2020, 09:26:34 AM
> So this is only when you log into the admin pages for the router?
>
> I could see it checking on the date/time, but that's kind of crazy.

The router checks the date/time on a regular basis, at a reasonable interval, whether you're logged into its admin pages or not. My impression (haven't done any exhaustive testing) is that it starts to phone home at an alarming rate (100s of times per minute) only when you access the Connected Clients page. Again, I haven't gone looking for any other triggers at this point.

If it's simply trying to look up the manufacturer for each connected device (i.e., matching MAC addresses to manufacturers), that's not a big problem. However, it's doing this via the US, Taiwan and China motherships, and unsuccessfully in many cases. If it's doing something more nefarious, that's a problem.

Larry ....
Title: Re: DIR-885L Phoning Home
Post by: FurryNutz on January 12, 2020, 04:19:25 PM
I'll have D-Link look into this again...
Title: Re: DIR-885L Phoning Home
Post by: GreenBay42 on January 13, 2020, 08:22:00 AM
OK I am assuming you have the default gateway on your clients pointing to the pi-hole. Is DHCP enabled on the pi-hole (and disabled on the router)?

If you are showing a large amount of traffic from source IP of the router, this is normal. This is not the router making all these requests. You are basically creating a double-NAT without the NAT with the pi-hole so what you are seeing is your client making a request going to the pi-hole for DNS resolution, then going through the router to the internet. When the traffic comes back to the client, it is hitting the router, the router then has to send it back to pi-hole and then to the client.

I wouldn't worry too much about this. If you put a sniffer on the WAN side and remove the pi-hole but still see this traffic, then there may be an issue.
Title: Re: DIR-885L Phoning Home
Post by: LarryNOTtheCableGuy on January 13, 2020, 09:47:56 AM
> OK I am assuming you have the default gateway on your clients pointing to the pi-hole. Is DHCP enabled on the pi-hole (and disabled on the router)?
>
> If you are showing a large amount of traffic from source IP of the router, this is normal. This is not the router making all these requests. You are basically creating a double-NAT without the NAT with the pi-hole so what you are seeing is your client making a request going to the pi-hole for DNS resolution, then going through the router to the internet. When the traffic comes back to the client, it is hitting the router, the router then has to send it back to pi-hole and then to the client.
>
> I wouldn't worry too much about this. If you put a sniffer on the WAN side and remove the pi-hole but still see this traffic, then there may be an issue.

My router is configured so that it's pointing to my ISP as the default gateway and DHCP is enabled. I'm not using pi-hole for DHCP. However, I do have it set up with unbound as a recursive, authenticating DNS server. My network is set up with a double-NAT; one in the DSL modem, and one in the router. Finally, all of the devices on my network are assigned static IP addresses, and the hosts file on the RPi running pi-hole has been populated so that pi-hole displays human readable names for each device (as opposed to just IP addresses).

pi-hole displays the DNS requests for each device on the network. I can see what each device, including the router, is requesting. When I access the router's Connected Clients admin page, the router starts generating 100s of requests per minute for the following URLs: www.dlink.com, dlink.com, www.dlink.com.tw, dlink.com.tw, www.dlink.com.cn, and dlink.com.cn. I've just confirmed that no other admin page displays this behaviour. I've blacklisted the latter 4 URLs.

Title: Re: DIR-885L Phoning Home
Post by: GreenBay42 on January 13, 2020, 09:54:26 AM
oh strange. OK. I am assuming that some of that mydlink traffic is connecting to databases to resolve client's vendor information/name. So when you leave the connected clients page it stops?
Title: Re: DIR-885L Phoning Home
Post by: LarryNOTtheCableGuy on January 13, 2020, 10:20:20 AM
> oh strange. OK. I am assuming that some of that mydlink traffic is connecting to databases to resolve client's vendor information/name. So when you leave the connected clients page it stops?

I'm going to have to walk back a bit of what I just said. This behaviour occurs with more than just the Connected Clients page. While I was typing my last message I accessed all of the router's admin pages except for the Connected Clients page. pi-hole is reporting that the router generated 420 DNS requests in a 10-minute period; most of the requests being for the URLs listed above.

I agree that some of the requests might be for vendor information, but I'm thinking it's likely more than that. Regardless of what it's doing, it appears to be doing it in a very inefficient manner.

Larry ....
Title: Re: DIR-885L Phoning Home
Post by: GreenBay42 on January 13, 2020, 11:23:03 AM
If you un-blacklist the blocked URLs does it still request at a high rate?  Since you blocked it, the router is probably re-trying to connect to mydlink and not hearing back.
Title: Re: DIR-885L Phoning Home
Post by: LarryNOTtheCableGuy on January 13, 2020, 11:50:14 AM
> If you un-blacklist the blocked URLs does it still request at a high rate?  Since you blocked it, the router is probably re-trying to connect to mydlink and not hearing back.

I haven't tested this, but I don't think blacklisting the URLs has any effect on the rate. Of the six URLs I've listed above, only four are blacklisted. The DNS request rate for all six is identical, even when some are blacklisted.

Just one more data point. Included in this spike in router activity are DNS requests for www.google.com, google.com, www.mydlink.com and mydlink.com. Each of the 10 URLs appears to be requested at the same rate.

Larry ....