DNS question

I started to look at some of my pfsense router logs and saw a HUGE spike in DNS traffic around midnight (was tossing and turning in bed but not using any devices). 99% of this traffic was my OP6 phone hitting port 53 on my router’s IP.

What could be the cause of this? Also, what makes a device hit DNS on the router or go straight out to a server such as 8.8.4.4?

Setup:

  • pfSense
  • Default DNS settings, I had to rebuild my pfSense and haven’t re-set up DNS over TLS yet.
  • pfBlockerNG is set up along with DNSBL

Is this simply pfBlockerNG + DNSBL? And if so, why a ‘storm’ of DNS requests (I’m assuming requests) - sh*tty app?

Probably just os or app requests.

If you’re really curious…

pfSense has a packet capture feature; reserve your phone a DHCP address, then capture the traffic. Wireshark has some analysis functions to see what requests are being made.

2 Likes

The default DHCP settings for pfSense hand out your (pfSense) router’s IP address as the DNS server for your LAN. DHCP is responsible for giving a device its DNS settings if the device is set to obtain automatic network configuration.

If the device has hard-coded Google DNS for an app or service running on it, it will perhaps hit that instead.

As to why the storm happened… maybe midnight is some sort of update schedule for your phone. Maybe it’s owned? Who knows :D. If you’re curious, see if there’s a trend and, as above, do a packet capture.

Also… potentially, if your phone updates automatically overnight, it could be the case that it restarted and thus the DNS cache expired, and all the locally cached results that were in memory on it were no longer cached. And thus, in order to deal with that, rather than local cache hits, everything running on it needed to do an initial lookup.

1 Like

I was curious on this relationship.

I have Google play set to manual updates, and I upgrade about once every two weeks.

I didn’t think to also check my pfBlocker DNSBL logs as well, would be interesting to see - I might have derped and not set that to log, and it’s why all the traffic was action=allowed to the router IP but then maybe blocked by a floating rule for ad IPs (not logged)?

If you can do a packet capture while it’s happening, you’ll be able to see what domain the phone is trying to look up; that might help figure out if it’s an issue or not. I used to have a handy mirrored port on my switch that was connected to a VM that I could use to quickly packet sniff any interface on the network. It was super handy for stuff like this, but just doing a packet capture should be fine, especially if it’s happening at a predictable time.

There might also be a logging option on the pfSense DNS server that you could use to see what’s being looked up.

1 Like

Yeah, auto configuration for both IP address and DNS is handled by DHCP. DHCP can also set a heap of other client device options such as time server, local domain, PXE boot host, proxy configuration, etc.

But most people only use it for IP + DNS server; and unless tweaked, pfSense’s default DHCP scope settings will dish out itself as the DNS server unless you configure otherwise.

1 Like

I wonder what’s the easiest way to get useful logging?

E.g. leave tcpdump running catching everything on port 53 and let it write into a pcap file that you can later massage with tshark and/or awk? Or look at in Wireshark?

Surely a typical home doesn’t have that much dns traffic that it’s impractical to log everything?

I’d just leave the packet capture running overnight and then open it up in Wireshark. Should be able to filter DNS traffic and match the time with the firewall logs.

1 Like
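The two posts above (tcpdump on port 53 into a pcap, then massaging it with tshark/awk or filtering DNS in Wireshark) describe a procedure without showing the analysis step. The script below is an added example written for this thread; it is not code from pfSense, tshark, Wireshark or any poster. It assumes you have already reduced the capture to (timestamp, source IP, destination IP, UDP payload) tuples (what a tshark field export gives you); here those tuples are constructed inline, with made-up LAN addresses and domain names, so it runs offline. It parses the DNS question name from each query, counts queries per client per minute to spot a "storm", and reports which resolver each client used, which is the DHCP-assigned router versus a hard-coded public server distinction discussed earlier.

```python
"""Summarise DNS query traffic: who asked which resolver for what, and when."""
import struct
from collections import Counter, defaultdict
from datetime import datetime, timedelta

ROUTER_DNS = "192.168.1.1"   # assumed pfSense LAN address handed out by DHCP
PHONE = "192.168.1.50"       # assumed DHCP reservation for the phone
LAPTOP = "192.168.1.20"      # assumed second client for background noise


def encode_query(qname, qid=0x1234):
    """Build a minimal DNS query packet: header plus one A/IN question."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)


def decode_qname(payload, offset=12, max_hops=16):
    """Read the first question name, following RFC 1035 compression pointers."""
    labels, hops = [], 0
    while True:
        length = payload[offset]
        if length == 0:
            break
        if length & 0xC0 == 0xC0:              # pointer: jump, but bound the hops
            hops += 1
            if hops > max_hops:
                raise ValueError("compression pointer loop")
            offset = struct.unpack("!H", payload[offset:offset + 2])[0] & 0x3FFF
            continue
        labels.append(payload[offset + 1:offset + 1 + length].decode("ascii", "replace"))
        offset += 1 + length
    return ".".join(labels)


def parse_query(payload):
    """Return the queried name for a DNS query, or None for responses/garbage."""
    if len(payload) < 12:
        return None
    _qid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if flags & 0x8000 or qdcount < 1:        # QR bit set means this is a response
        return None
    try:
        return decode_qname(payload)
    except (IndexError, ValueError):
        return None


def summarise(records, burst_threshold=50):
    """Bucket queries per client per minute; flag bursts; tally resolvers and names."""
    per_minute = Counter()
    per_resolver = defaultdict(Counter)   # client -> resolver IP -> count
    per_domain = defaultdict(Counter)     # client -> queried name -> count
    for ts, src, dst, payload in records:
        name = parse_query(payload)
        if name is None:
            continue
        per_minute[(src, ts.replace(second=0, microsecond=0))] += 1
        per_resolver[src][dst] += 1
        per_domain[src][name] += 1
    bursts = sorted((src, minute, n) for (src, minute), n in per_minute.items()
                    if n >= burst_threshold)
    return {
        "bursts": bursts,
        "resolvers": {src: dict(c) for src, c in per_resolver.items()},
        "top_domains": {src: c.most_common(3) for src, c in per_domain.items()},
    }


def build_sample_capture():
    """Constructed sample: a quiet evening, then a midnight burst from the phone."""
    records = []
    evening = datetime(2020, 1, 1, 23, 0)
    for i, name in enumerate(["forum.example.", "cdn.example.", "mail.example."]):
        records.append((evening + timedelta(minutes=10 * i), LAPTOP, ROUTER_DNS, encode_query(name)))
    # an app with Google DNS hard-coded bypasses the router's resolver entirely
    for m in (5, 35):
        records.append((evening + timedelta(minutes=m), PHONE, "8.8.4.4", encode_query("telemetry.example.")))
    # the storm: one app retrying the same lookup twice a second for a minute
    midnight = datetime(2020, 1, 2, 0, 0)
    for i in range(120):
        records.append((midnight + timedelta(seconds=i // 2), PHONE, ROUTER_DNS, encode_query("api.example-app.")))
    # a response from the router back to the phone; the parser must skip it
    resp = bytearray(encode_query("api.example-app."))
    resp[2] |= 0x80                          # set the QR bit
    records.append((midnight + timedelta(seconds=1), ROUTER_DNS, PHONE, bytes(resp)))
    return records


if __name__ == "__main__":
    report = summarise(build_sample_capture())
    for src, minute, n in report["bursts"]:
        print(f"burst: {src} sent {n} queries in the minute starting {minute}")
    for src in report["resolvers"]:
        print(src, "resolvers:", report["resolvers"][src], "top names:", report["top_domains"][src])
```

The burst threshold is a knob, not a standard; pick it from what a normal minute looks like in your own capture. A client that shows up under a public resolver IP rather than the router is the "hard-coded DNS" case, and those queries never pass through pfBlockerNG's DNSBL, which is worth a firewall rule of its own.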

About DNS traffic:

A device hitting local DNS a lot isn’t a problem. Most devices don’t use a local DNS cache because it’s actually cheaper to just hit the local server. It’s 2 or 3 milliseconds vs potentially holding megabytes of DNS cache in local RAM.

1 Like

Aliens! More seriously, I can only guess, which is a waste of time. :)

Do you control the DNS traffic? What domains per device are resolved…
I personally block all port 53 traffic, and the devices only have the right to use the Pi-hole.
Do you use a firewall on your phone, something like NetGuard? Check which application is performing specific queries. I block everything and only allow what I need at the moment. I can also see exactly the traffic that the app generates.

If you know the domain names and which application or part of the phone is making this move, it will then be possible to determine what is on the wall.
So find out what generates the queries to understand why this is happening. :)

PS
More and more applications for both PC and Android have DNS servers sewn in and make additional connections without looking at the system NS. Among other things, I mentioned Avast in this post…

Until something starts downloading malware via DNS.

https://blog.huntresslabs.com/hiding-in-plain-sight-part-2-dfec817c036f

1 Like

He’s talking about the act in and of itself.

Malicious traffic is a different topic.

That said, if something is sending lots of requests to Google’s DNS servers, then the device clearly had some old DNS entries that could’ve migrated, so it needed to refresh.

1 Like

Thanks all for the inputs - unfortunately the traffic data logging was not on at that time (in my rant thread, Suricata had a bug that filled up my pfSense’s HDD). I can re-enable packet captures, or the less granular but darn near as useful Suricata eve.json, for the ‘next’ time. For now I’m going to assume some app’s server went down for a while and caused the app to freak out a bit, and not dwell on ideas of some kind of compromise.