GMCH
Sep 05, 2024 (Aspirant)
WAX204 keeps asking DNS for http.fw.updates1.netgear.com :-(
My firewall prevents the WAX204 from reaching the Internet (and vice versa). I have turned off 'Router Auto Firmware Update'. Nevertheless, every 5 (or so) seconds it asks DNS for 'A? http.fw...
GMCH
Sep 06, 2024 (Aspirant)
I guess it could be checking for Internet Connectivity... but it is in AP Mode, so I don't see why it should be checking.
I run a Caching DNS server inside the firewall. Being able to connect to that doesn't say much about being able to connect to the world outside !
For devices which don't need to connect to the outside world, my Caching DNS is configured to only respond to queries about the internal network. So, each time the WAX204 asks for 'http.fw.updates1.netgear.com' it gets a 'REFUSED' response.
I had a closer look at http.fw.updates1.netgear.com:
[root@cerberus ~]# dig http.fw.updates1.netgear.com
; <<>> DiG 9.18.28 <<>> http.fw.updates1.netgear.com
....
;; QUESTION SECTION:
;http.fw.updates1.netgear.com. IN A
;; ANSWER SECTION:
http.fw.updates1.netgear.com. 900 IN CNAME http.fw.updates1.netgear.com.edgekey.net.
http.fw.updates1.netgear.com.edgekey.net. 900 IN CNAME e70.g.akamaiedge.net.
e70.g.akamaiedge.net. 20 IN A 23.215.135.39
So the effective TTL is 20s. So asking every 5s or so would prompt my Caching DNS to refresh itself roughly once every four queries !
Just for fun I arranged for my Caching DNS to return the IP of my firewall for 'http.fw.updates1.netgear.com'. With a TTL of 1800. The result is:
- the DNS queries slowed to every 10s.
- the WAX204 tried to connect HTTPS-wise every 10s -- receiving a straight RST response to its SYN !
...this with 'Router Auto Firmware Update' disabled.
-------------------------
I note that, in stark contrast, the WAX204 does not check the NTP server very often.
I have seen it ask shortly after a reboot. After that, I have seen nothing for 90 mins. One day I will run a long enough test to find out what the interval actually is.
GMCH
Sep 10, 2024 (Aspirant)
FWIW: the WAX204 asks my NTP server (configured under 'Set your preferred NTP server') for an update once every 24 *hours*.
-------------------------------------------------------
If my firewall drops all DNS packets from the WAX204, it shows: 'Internet: Not Connected' in red (on its 'BASIC>Home' page). If my DNS responds but says 'Refused', the WAX204 shows the same.
Just for fun I arranged to serve a dummy address for http.fw.updates1.netgear.com, with a 2 hour TTL. The WAX204 promptly started to try to connect to that address TCP/HTTPS. It got no response at all, and timed out after 2 minutes and some 5 failed attempts to open a TCP connection. It then immediately asked DNS for http.fw.updates1.netgear.com again... despite the 2 hour TTL !!!
Getting a response from DNS did not persuade the WAX204 that it was connected to the Internet.
However, after getting an address for http.fw.updates1.netgear.com it then asked for www.netgear.com. When my DNS gave it an address for that, the WAX204 promptly did some ICMP echo requests to that address. NOW the status changed to 'Internet STATUS: GOOD' !!
---------------------------------------------------------------------------------------------------------
So there are a number of really stupid things going on here:
- it is asking for http.fw.updates1.netgear.com despite 'Router Auto Firmware Update' being disabled. [And this is nothing to do with any Internet Connectivity Check.]
- if it doesn't get an address for http.fw.updates1.netgear.com:
  - it keeps asking every 10s or so.
  - it does not ask for www.netgear.com, despite needing it for the Internet Connectivity Check.
- if it does get an address for http.fw.updates1.netgear.com:
  - it will then ask for www.netgear.com.
  - it promptly tries to connect, despite 'Router Auto Firmware Update' being disabled.
  - if it fails to connect, it immediately asks DNS for http.fw.updates1.netgear.com again, ignoring the TTL, and tries to connect again (even if the address is the same).
- if it gets an address for www.netgear.com, it does its Internet Connectivity Check -- ICMP to that address. It repeats the address lookup (ignoring the TTL) and ICMP roughly every 4 to 5 minutes.
- if it does not get an address for www.netgear.com, it retries every 4 to 5 minutes.
- it tries to get the address for www.netgear.com, etc even in AP Mode.
- it persists in looking for updates with this high sense of urgency, even though updates are infrequent !! Compare this with the once a day check of NTP and the 5 minutes between Internet Connectivity Checks.
I have also seen it ask DNS for:
A? netgearup-dev.s3-us-west-2.amazonaws.com.
AAAA? netgearup-dev.s3-us-west-2.amazonaws.com.
for reasons unknown ? This kind of nonsense is part of why I deny devices in my network access to the outside world !
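The TTL-ignoring behaviour described in the posts above can be picked out of a caching resolver's query log. The following is an added example, not part of the original posts and not NETGEAR code; the log format, the client addresses and the served TTL values are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed sample: "<epoch-seconds> <client-ip> <qtype> <qname>".
# The log format and the 192.0.2.x addresses are assumptions for illustration.
SAMPLE_LOG = """\
1000 192.0.2.10 A http.fw.updates1.netgear.com
1010 192.0.2.10 A http.fw.updates1.netgear.com
1020 192.0.2.10 A http.fw.updates1.netgear.com
1030 192.0.2.10 A http.fw.updates1.netgear.com
1005 192.0.2.10 A www.netgear.com
1285 192.0.2.10 A www.netgear.com
1000 192.0.2.20 A www.netgear.com
4700 192.0.2.20 A www.netgear.com
"""

# TTLs (seconds) the local resolver hands out for each name (assumed values).
SERVED_TTL = {"http.fw.updates1.netgear.com": 1800, "www.netgear.com": 3600}


def parse(log):
    """Yield (timestamp, client, qname) from each well-formed line."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[0].isdigit():
            continue  # skip blank or malformed lines
        yield int(parts[0]), parts[1], parts[3].rstrip(".").lower()


def ttl_ignorers(log, served_ttl, min_repeats=2):
    """Flag (client, qname) pairs re-queried before the served TTL expired."""
    times = defaultdict(list)
    for ts, client, qname in parse(log):
        times[(client, qname)].append(ts)
    findings = {}
    for key, stamps in times.items():
        ttl = served_ttl.get(key[1])
        if ttl is None:
            continue  # no TTL on record for this name, nothing to compare
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        early = [g for g in gaps if g < ttl]
        if len(early) >= min_repeats:
            findings[key] = (len(early), median(early))
    return findings


if __name__ == "__main__":
    print(ttl_ignorers(SAMPLE_LOG, SERVED_TTL))
```

The `min_repeats` threshold keeps a single early re-query (for example after a reboot) from being reported; each finding is the number of early repeats and their median gap in seconds.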