Author Topic: DIR-885L Phoning Home  (Read 396 times)

LarryNOTtheCableGuy

  • Level 2 Member
  • **
  • Posts: 41
DIR-885L Phoning Home
« on: October 25, 2018, 11:18:43 AM »

A couple of weeks ago I installed a Pi Hole (whole house ad blocker) on my home network. Very easy to install and configure on a Raspberry Pi. Once I had it configured to identify which device was making each DNS request, I was shocked to see the number of times the DIR-885L router phoned home. A short test conducted just before starting this post showed it making 280 DNS requests in 5 minutes; the vast majority of which were for www.dlink.com, dlink.com, www.dlink.com.cn, dlink.com.cn, www.dlink.com.tw, dlink.com.tw, www.mydlink.com, and mydlink.com. It also made several requests for www.google.com and google.com (really?). Interestingly, this only occurs when accessing the router's web interface. The rest of the time it's reasonably quiet.

I get that from time to time the router needs to contact the D-Link NTP server and look up manufacturers of connected devices, but this is ridiculous and frankly quite disconcerting. I can't imagine why it needs to do this, and am now wondering if information regarding my home network is being leaked to the mother ship (or worse). As a result, I've now blacklisted the China and Taiwan domains, and am seriously considering the same for the US domains. When I have time this winter I'll probably try flashing one of my spares with DD-WRT firmware (FurryNutz, if I run into trouble you'll be seeing me looking for help on dd-wrt.com forum). In the meantime it looks like I'm going to have to install a packet sniffer between my modem and router to see what, if any, information is being leaked. Will let you know what I find.
DSL-520B  HW:T1 FW:1.00NA
DIR-885L  HW:A1  FW:1.20
DGS-108  HW:B1
DCS-5020L  HW:A1  FW:1.15.12

hydra3333

  • Level 2 Member
  • **
  • Posts: 39
Re: DIR-885L Phoning Home
« Reply #1 on: October 25, 2018, 05:17:07 PM »

Eek. I too would like dlink's information on this.

GreenBay42

  • Administrator
  • Level 8 Member
  • *
  • Posts: 1496
Re: DIR-885L Phoning Home
« Reply #2 on: October 26, 2018, 07:49:13 AM »

What firmware version do you have?

I assume the pi hole is on the LAN side so it cannot measure WAN to Internet traffic from the router.

Do you have any mydlink products on your network?

Let us know what your sniffer finds on the WAN side. I will forward this to a tech to look into also. And also the fact this mainly happens when connecting to the web UI is strange.

EDIT: More questions

Since I saw you have a mydlink camera on another thread, this is normal there is mydlink.com traffic. The camera (and router being a mydlink router) will send requests to mydlink servers.

How did you configure the DNS information on your router? Is DNS Relay enabled or disabled?

Is your pi hole handling dhcp for all your clients?

What DNS server(s) are you using on your pi hole?

Did you statically assign any IP settings/DNS on your clients?

If you blocked any of the mydlink domains/IP addresses, you will see more traffic since it needs to communicate with your mydlink devices (router and cameras) so it will keep requesting.




« Last Edit: October 26, 2018, 08:18:37 AM by GreenBay42 »

LarryNOTtheCableGuy

  • Level 2 Member
  • **
  • Posts: 41
Re: DIR-885L Phoning Home
« Reply #3 on: October 26, 2018, 11:15:23 AM »

> What firmware version do you have?

v1.20 (latest released version)

> I assume the pi hole is on the LAN side so it cannot measure WAN to Internet traffic from the router.

Correct. As I said, I'm now looking at what hardware/software I need to monitor the WAN side of the router (e.g., managed switch and another Pi running Wireshark). This will take me a while.

> Do you have any mydlink products on your network?

None. Although I do have a mydlink account, this router is NOT logged into it.

> Let us know what your sniffer finds on the WAN side. I will forward this to a tech to look into also. And also the fact this mainly happens when connecting to the web UI is strange.

Will do. Many many thanks.

> EDIT: More questions

> Since I saw you have a mydlink camera on another thread, this is normal there is mydlink.com traffic. The camera (and router being a mydlink router) will send requests to mydlink servers.

The cameras are at a different location. As I indicated above, I'm not logged into my mydlink account on this router. Had I been, I wouldn't have included them in the list of domains.

> How did you configure the DNS information on your router? Is DNS Relay enabled or disabled?

DNS Relay is disabled on the router so that the Pi Hole can see which device is making each DNS request. The router is acting as the DHCP server on the network and all of the devices have been assigned static IP addresses.

> Is your pi hole handling dhcp for all your clients?

Not at this time.

> What DNS server(s) are you using on your pi hole?

The Pi Hole is passing DNS requests to my local ISP's primary and secondary DNS servers. I'm not using Google, Cloudflare, OpenDNS, etc. I'm in Canada, so I'm also not using one of the US vertically-integrated conglomerates. Nor am I using any of the large Canadian providers (Bell, Telus, Rogers).

> Did you statically assign any IP settings/DNS on your clients?

Yes, clients have static IP addresses. The router's DHCP server passes the DNS server information to the clients. Currently, this is the internal address of my Pi.

> If you blocked any of the mydlink domains/IP addresses, you will see more traffic since it needs to communicate with your mydlink devices (router and cameras) so it will keep requesting.

It occurred to me that this might happen. However, with some or all listed domains blacklisted, there is no noticeable increase in the number of requests. Furthermore, there is no noticeable difference in the operation of the router.

Again, thank you for looking into this. I'll definitely keep everyone informed as to what I find. Unfortunately it may be a while before I can get to it.

Larry ....
DSL-520B  HW:T1 FW:1.00NA
DIR-885L  HW:A1  FW:1.20
DGS-108  HW:B1
DCS-5020L  HW:A1  FW:1.15.12

GreenBay42

  • Administrator
  • Level 8 Member
  • *
  • Posts: 1496
Re: DIR-885L Phoning Home
« Reply #4 on: October 26, 2018, 12:38:04 PM »

Thanks for the information. I know mydlink devices will send requests to the mydlink servers even if not registered. It is kinda like "hey I'm a mydlink product am I registered" and the server will respond yes or no. Not too sure about the google requests unless you have an android device or any google home/assistant products.

Definitely let us know your results. A couple techs are off today so we will look into this on Monday.

Have you contacted D-Link tech support?

If possible can you send me a list of domains/IP addresses it is sending? I can send to the engineers so they can verify them. You can PM me or I can give you an email address.

LarryNOTtheCableGuy

  • Level 2 Member
  • **
  • Posts: 41
Re: DIR-885L Phoning Home
« Reply #5 on: October 26, 2018, 02:54:40 PM »

> Not too sure about the google requests unless you have an android device or any google home/assistant products.

There is one android phone in the house, and it's pretty chatty all on its own. Regardless, from my perspective that doesn't explain why the router needs to query google.com when you access its web interface.

Larry ....
DSL-520B  HW:T1 FW:1.00NA
DIR-885L  HW:A1  FW:1.20
DGS-108  HW:B1
DCS-5020L  HW:A1  FW:1.15.12

GreenBay42

  • Administrator
  • Level 8 Member
  • *
  • Posts: 1496
Re: DIR-885L Phoning Home
« Reply #6 on: October 26, 2018, 03:13:49 PM »

Well again the pi hole is on the LAN side of the router so it is not reporting outgoing traffic from the router to the Internet. The requests have to be from a device on the LAN and/or from the Internet to a device on the LAN. The router still inspects incoming traffic and then will send it to the pi hole. Does the pi hole report if it is incoming vs outgoing?

Netrunner4Pizza

  • Level 1 Member
  • *
  • Posts: 1
Re: DIR-885L Phoning Home
« Reply #7 on: October 27, 2018, 09:20:28 AM »

Maybe help shed light on this as I also run a PiHole, my topography is this:

Modem > DMZ > Dlink Router > everything else

Router pulls IP and Subnet via DHCP from Modem
Router points to PiHole for DNS
DNS is set to Cloudflare and DNS.WATCH
Router only has DHCP running for half of my subnet with itself as the DNS server.

Everything on my network runs through my PiHole and I've never seen a single call home from dlink since I started this up last year. I'm on 1.20, Thu 28 Sep 2017 Firmware about to update to 1.21B03. I also have SecurityOnion on a passthrough on my modem & router (use my modem as a security layer for guests) decrypting and sniffing/logging all traffic. I am 100% confident the router is not calling home.

edit: clarification of SecOnion
« Last Edit: October 27, 2018, 09:23:33 AM by Netrunner4Pizza »

FurryNutz

  • Poweruser
  • *****
  • Posts: 46158
  • D-Link Global Forum Moderator
Re: DIR-885L Phoning Home
« Reply #8 on: October 27, 2018, 11:56:35 AM »

Link>Welcome!


  • What region are you located?
  • What ISP Modem Mfr. and model # do you have?


> Maybe help shed light on this as I also run a PiHole, my topography is this:
>
> Modem > DMZ > Dlink Router > everything else
>
> Router pulls IP and Subnet via DHCP from Modem
> Router points to PiHole for DNS
> DNS is set to Cloudflare and DNS.WATCH
> Router only has DHCP running for half of my subnet with itself as the DNS server.
>
> Everything on my network runs through my PiHole and I've never seen a single call home from dlink since I started this up last year. I'm on 1.20, Thu 28 Sep 2017 Firmware about to update to 1.21B03. I also have SecurityOnion on a passthrough on my modem & router (use my modem as a security layer for guests) decrypting and sniffing/logging all traffic. I am 100% confident the router is not calling home.
>
> edit: clarification of SecOnion
"Nothing Funny about It...." We are not here to Impress anyone! You have to be a COMPETENT user first to understand COMPETENT help!

LarryNOTtheCableGuy

  • Level 2 Member
  • **
  • Posts: 41
Re: DIR-885L Phoning Home
« Reply #9 on: October 27, 2018, 02:00:50 PM »

> Well again the pi hole is on the LAN side of the router so it is not reporting outgoing traffic from the router to the Internet.

You're absolutely correct. And I'm the first to admit I have no idea about what's happening on the outgoing side of the router; thus my original comment regarding the installation of a packet sniffer between the modem and router (which I hope to get to in the fullness of time). I will also admit that I may have been somewhat "over-dramatic" with some of my wording.  ::)

> Does the pi hole report if it is incoming vs outgoing?

The Pi Hole is a forwarding DNS server, which simply intercepts all DNS lookup requests from devices on my network (including the router), and "blocks" any associated with ad servers, malware sites, etc. The remaining requests are passed through to my ISP's DNS servers. So all I'm seeing are DNS lookup requests; nothing else. And to the best of my knowledge, it's telling me that the router is requesting DNS lookups for the listed domains. But I have no idea what the router is doing after that.

I'm certainly not a networking expert, and have never done this for a living. Although I've been at it for about 15 years; everything I know about networking is self taught. I probably know just enough to be very dangerous.  :D

Larry ....
DSL-520B  HW:T1 FW:1.00NA
DIR-885L  HW:A1  FW:1.20
DGS-108  HW:B1
DCS-5020L  HW:A1  FW:1.15.12
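
The per-device attribution described in the post above can be reproduced from the Pi-hole's dnsmasq query log. This is an added example, not part of any forum post: the log lines are constructed, 192.168.0.1 standing for the router is an assumption, and the year is supplied because syslog timestamps carry none.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample in the dnsmasq query-log format used by Pi-hole.
# Assumption: 192.168.0.1 is the router; all addresses and times are made up.
SAMPLE_LOG = """\
Oct 25 11:10:01 dnsmasq[612]: query[A] www.dlink.com from 192.168.0.1
Oct 25 11:10:01 dnsmasq[612]: forwarded www.dlink.com to 203.0.113.53
Oct 25 11:10:02 dnsmasq[612]: query[AAAA] www.dlink.com from 192.168.0.1
Oct 25 11:10:03 dnsmasq[612]: query[A] dlink.com.tw from 192.168.0.1
Oct 25 11:10:04 dnsmasq[612]: query[A] www.google.com from 192.168.0.1
Oct 25 11:11:30 dnsmasq[612]: query[A] play.googleapis.com from 192.168.0.23
Oct 25 11:16:10 dnsmasq[612]: query[A] www.mydlink.com from 192.168.0.1
"""

QUERY_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) dnsmasq\[\d+\]: query\[([\w-]+)\] (\S+) from (\S+)$"
)

def parse_queries(log_text, year=2018):
    """Yield (timestamp, client, qtype, name) for each client query line."""
    for line in log_text.splitlines():
        m = QUERY_RE.match(line.strip())
        if not m:
            continue  # forwarded/reply/cached lines carry no client address
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        yield ts, m.group(4), m.group(2), m.group(3).lower()

def queries_by_client(log_text, start, minutes=5):
    """Count queried names per client inside [start, start + minutes)."""
    end = start + timedelta(minutes=minutes)
    counts = {}
    for ts, client, _qtype, name in parse_queries(log_text):
        if start <= ts < end:
            counts.setdefault(client, Counter())[name] += 1
    return counts

def matching_suffix(counter, suffixes):
    """Total queries whose name equals, or is a subdomain of, any suffix."""
    return sum(n for name, n in counter.items()
               if any(name == s or name.endswith("." + s) for s in suffixes))

if __name__ == "__main__":
    window = queries_by_client(SAMPLE_LOG, datetime(2018, 10, 25, 11, 10, 0))
    for client, names in sorted(window.items()):
        print(client, sum(names.values()), names.most_common(3))
```

Like the Pi-hole itself, this only shows which names each client looked up, not what the client did after the lookup.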

LarryNOTtheCableGuy

  • Level 2 Member
  • **
  • Posts: 41
Re: DIR-885L Phoning Home
« Reply #10 on: October 27, 2018, 02:39:06 PM »

> Router pulls IP and Subnet via DHCP from Modem
> Router points to PiHole for DNS
> Router only has DHCP running for half of my subnet with itself as the DNS server.

If I read this correctly, you have a double-NAT setup. This is exactly the way my network is set up. Router is served a static IP address from the modem on a different subnet than all of the devices downstream of the router.

> Everything on my network runs though my PiHole and I've never seen a single call home from dlink since i started this up last year.

Question:  Can you see the router make any DNS requests (e.g., occasional lookup for NTP server)?

> I also have SecurityOnion ...

Never heard of SecurityOnion; thanks for bringing it to my attention. Sucks that it won't run on a Pi.

Larry ....
DSL-520B  HW:T1 FW:1.00NA
DIR-885L  HW:A1  FW:1.20
DGS-108  HW:B1
DCS-5020L  HW:A1  FW:1.15.12

GreenBay42

  • Administrator
  • Level 8 Member
  • *
  • Posts: 1496
Re: DIR-885L Phoning Home
« Reply #11 on: October 29, 2018, 07:13:16 AM »

I am hoping to get a Pi Hole today to test this and get a better understanding of what is being logged.