NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.
Forum Discussion
Solved
Why is the router repeatedly calling out to www.netgear.com?
The router is calling out to www.netgear.com (the ipv4 and v6 addressed) every 5 minutes. I'm curious as to whether anyone has more information as to why? I've seen another post about a call to...
I captured nine hours of Wide Area Network (WAN) traffic from my Orbi. (over 800mb).
Yes, my Orbi does a DNS query for "netgear.com" just a few seconds past every five minutes.
After examining some of the DNS responses, I see that the "Time to Live" reported by CloudFront is a little over 11 minutes.
So, what appears to be happening is:
- For some reason, the Orbi wants to keep the IP address for netgear.com in its DNS cache, and
- The DNS "Time to Live" is only about 11 minutes, so
- The Orbi waits until almost half of the time has gone by and updates the DNS cache.
It is a common practice to use a short "Time to Live" on DNS in order to facilitate "Fail Over" systems. i.e. if for some reason a primary server fails and we want traffic to use a backup server quickly, then we need to have a short Time to Live. Imagine if customer computers "know" that our server will be at a certain IP address for 24 hours. When each customer computer's DNS cache gets down to 12 hours remaining, it will perform a DNS request, "where is...?" If they all got our DNS location randomly, then some will renew very soon and some will not renew for almost 12 hours. That means if our primary server goes down, some customers will continue to look for the broken server (and be out of service) for almost 12 hours.
With a Time to Live of 11 minutes, the longest a customer would be out of service is only about 5 minutes.
I do not know that this is what Netgear intends, nor why the Orbi wants to have "netgear.com" in the DNS cache in the first place, but given the DNS response, I can see why the Orbi does a DNS query so often.
I did NOT notice my Orbi contacting netgear.com, but I also quit looking at the Wireshark capture after discovering this pattern of DNS queries.
While I can hypothesize a number of possibilities, the easiest tactic is to capture some Wide Area Network (WAN) traffic and look at the conversation between the Orbi and netgear.com. I'll do that and report what I find.
I captured nine hours of Wide Area Network (WAN) traffic from my Orbi. (over 800mb).
Yes, my Orbi does a DNS query for "netgear.com" just a few seconds past every five minutes.
After examining some of the DNS responses, I see that the "Time to Live" reported by CloudFront is a little over 11 minutes.
So, what appears to be happening is:
- For some reason, the Orbi wants to keep the IP address for netgear.com in its DNS cache, and
- The DNS "Time to Live" is only about 11 minutes, so
- The Orbi waits until almost half of the time has gone by and updates the DNS cache.
It is a common practice to use a short "Time to Live" on DNS in order to facilitate "Fail Over" systems. i.e. if for some reason a primary server fails and we want traffic to use a backup server quickly, then we need to have a short Time to Live. Imagine if customer computers "know" that our server will be at a certain IP address for 24 hours. When each customer computer's DNS cache gets down to 12 hours remaining, it will perform a DNS request, "where is...?" If they all got our DNS location randomly, then some will renew very soon and some will not renew for almost 12 hours. That means if our primary server goes down, some customers will continue to look for the broken server (and be out of service) for almost 12 hours.
With a Time to Live of 11 minutes, the longest a customer would be out of service is only about 5 minutes.
I do not know that this is what Netgear intends, nor why the Orbi wants to have "netgear.com" in the DNS cache in the first place, but given the DNS response, I can see why the Orbi does a DNS query so often.
I did NOT notice my Orbi contacting netgear.com, but I also quit looking at the Wireshark capture after discovering this pattern of DNS queries.
Wow!
Impressive piece of work and that makes sense - even if it's surprising! Many Thanks for the work.
I found out because I've started using NextDNS (which is very cool) and the Orbi was at the top of the list!
Thanks
Stu
Correction. The Orbi actually does more than I reported.
- Approximately every five minutes, it does a DNS lookup on "netgear.com" for both IPv4 and IPv6.
DNS reports four IPv4 addresses for netgear.com:
13.227.76.35, 13.227.76.76, 13.227.76.94, and 13.227.76.115, and
four IPv6 addresses. - Orbi does an ICMP (ping) to each of the four addresses.
My guess is, "you claim netgear.com is at these IP's. Let's see if they really exist." - I did not see ICMPv6 to the equivalent four IPv6 internet addresses, because my Wireshark display filter had only the four IPv4 addresses. My guess is there are probably ICMPv6 packets to verify that those addresses are alive as well.
- At a much longer interval, Orbi begins a login to port 443 (https) on one of the IP addresses.
They only exchange a few packets before I lost track. Maybe the conversation got redirected to some other IP?
Maybe all Orbi wanted to know was, "is this https port alive?"
Sort of over my head.
I am now capturing 24 hours of WAN traffic to a USB stick and will look at the results tommorrow to see if there is a regular pattern in these connections.
I should point out that I have not activated Bitdefender Armor or Disney Circle, so my Orbi has no reason to "check in" with those services. I imagine that Orbi's that have activated those features will be making connections relevant to them.
I DO have OpenVPN set up, and notice that my Orbi is quite busy talking to No-IP.com.
Just as an observation, the more I look at "what's happening on the network?", the more surprised I am by how busy it is.
- Approximately every five minutes, it does a DNS lookup on "netgear.com" for both IPv4 and IPv6.
