Batch48 (Aspirant)
Oct 29, 2025
RBR850 issued 705k DNS queries in 7 days from Netgear specific domains
I recently subscribed to and set up the NextDNS service to replace my two Ethernet-wired Pi-hole servers that can no longer successfully resolve DNS on my Netgear Orbi RBR850 network.
In my NextDNS Profile/Analytics page I see that this apparently Netgear-related service - 'urldb.meetcircle-netgear.co' - has queried the NextDNS servers 369,462 times in the past seven days.
A second apparently Netgear-related service - 'vc02.meetcircle-netgear.co' - has queried the NextDNS servers 26,670 times in the past seven days.
A third apparently Netgear-related service - 'netgear-devrecog.fing.io' - has queried the NextDNS servers 5,354 times in the past seven days.
In total (blocked & unblocked) the meetcircle-netgear.co domain issued 694,134 DNS queries in the 7-day period.
In total (blocked & unblocked) the netgear.com domain issued 10,907 DNS queries in the 7-day period.
I suspect that these DNS queries are related to the Netgear Circle Parental Controls service embedded in the Netgear Orbi firmware?
I added all three service string addresses to the NextDNS Profile Denylist. Adding those specific prohibitions does not seem to have stopped the services from querying the DNS servers, but NextDNS does seem to be blocking those queries.
Firstly, why so many DNS queries from these Netgear-related services?
Secondly, can I somehow terminate these Netgear-related services at the Orbi RBR850 firmware level?
My RBR850 is running firmware V4.6.14.3_2.3.12. The two RBS850 satellites are running firmware V4.6.14.3.
See the screen grab from my NextDNS Profile Analytics page for more info.
Appreciate any insight or help offered!
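The per-domain roll-up described in the post above (blocked and unblocked totals per parent domain), as an added example that is not part of the original post. The log lines are constructed, and the CSV column names are an assumption rather than the NextDNS export format:

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample log; the column names are an assumption, not NextDNS's export format.
SAMPLE_LOG = """timestamp,domain,status
2025-10-29T10:00:00,urldb.meetcircle-netgear.co,blocked
2025-10-29T10:00:05,www.netgear.com,allowed
2025-10-29T10:00:10,netgear-devrecog.fing.io,blocked
2025-10-29T10:00:20,urldb.meetcircle-netgear.co,blocked
2025-10-29T10:00:40,vc02.meetcircle-netgear.co,blocked
2025-10-29T10:01:00,urldb.meetcircle-netgear.co,blocked
2025-10-29T10:01:30,urldb.meetcircle-netgear.co,allowed
2025-10-29T10:02:00,urldb.meetcircle-netgear.co,blocked
2025-10-29T10:02:05,www.netgear.com,allowed
"""

def parent_domain(name, labels=2):
    """Roll a hostname up to its last `labels` labels.
    Naive: multi-part suffixes such as co.uk need a public-suffix list."""
    return ".".join(name.lower().rstrip(".").split(".")[-labels:])

def summarize(log_text):
    """Return per-parent-domain totals, blocked counts, hostnames and time span."""
    stats = defaultdict(lambda: {"total": 0, "blocked": 0, "hosts": set(),
                                 "first": None, "last": None})
    for row in csv.DictReader(io.StringIO(log_text)):
        ts = datetime.fromisoformat(row["timestamp"])
        s = stats[parent_domain(row["domain"])]
        s["total"] += 1
        s["blocked"] += int(row["status"] == "blocked")
        s["hosts"].add(row["domain"].lower())
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
    return dict(stats)

def noisy(stats, per_minute_threshold):
    """Domains whose average query rate meets the threshold, busiest first."""
    rows = []
    for domain, s in stats.items():
        # Floor the window at one minute so a single query is not an infinite rate.
        minutes = max((s["last"] - s["first"]).total_seconds() / 60, 1.0)
        rate = round(s["total"] / minutes, 2)
        if rate >= per_minute_threshold:
            rows.append((domain, s["total"], s["blocked"], rate))
    return sorted(rows, key=lambda r: r[1], reverse=True)

if __name__ == "__main__":
    for row in noisy(summarize(SAMPLE_LOG), per_minute_threshold=2.0):
        print(row)
```

Grouping by parent domain before ranking keeps several hostnames under one vendor domain from being counted as separate low-volume talkers.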
7 Replies
- Batch48 (Aspirant)
- Yeah, I thought this was a truncated URL string as well. But adding the .com TLD to the vc02.meetcircle-netgear.co URL string returned an invalid URL. So, the .co TLD on the vc02.meetcircle-netgear.co URL must be accurate?
- plemans (Guru - Experienced User)
Mine phones home a lot too. I used to have a Pi-hole and noticed similar. Right now, I'm running an Unbound DNS server on OPNsense and hitting about 250k per week for peernetwork.netgear.com. But I also have 2x Netgear routers, 2 managed switches, and a Netgear NAS. So a few Netgear devices that can phone home. But it is excessive IMO.
- CrimpOn (Guru - Experienced User)
I was really surprised to see the internet domain ".co". At first, I thought, "silly typo". But... WAIT... how was I not aware that it has become fashionable to use ".co" (the domain abbreviation for Colombia) as shorthand for all sorts of things? This Community Forum provides something new almost every day!
- StephenB (Guru - Experienced User)
CrimpOn wrote:
".co" (the domain abbreviation for Colombia)
.co was relaunched back in 2010, as an alternative for .com. There are a lot of .net and .com URLs, all managed by the same registrar (Verisign).
There are financial and policy aspects to this stuff, since registrars receive revenue for the URLs, and it is important to have a global base of registrars.
There were a lot of gTLDs opened up in that timeframe, but most really didn't gain much traction.
- CrimpOn (Guru - Experienced User)
Batch48 wrote:
Pi-Hole Servers that can no longer successfully resolve DNS
These Pi-Hole servers were working correctly with the 850 system and just recently failed?
Was there a specific error message reported by the Pi-Hole servers?
(my Pi-Hole is reporting a DNS error and I would like to "compare notes".)
Assuming that the 850 has been set to "use these DNS servers" (i.e. NextDNS: 45.90.28.0/24 and 45.90.30.0/24) my experience is that Orbi DNS resolution issues queries to every DNS server on the list, and then accepts whichever response comes back first. That would infer that the Orbi tried to resolve 369,462/2 = 184,731 DNS requests (still an enormous number).
Internet activity can result in downloading a huge number of individual files. One would think that (a) the application itself would cache the IPs for frequently used URLs, (b) the device the application is running on would also cache URLs, and (c) the local DNS server (the Orbi router) would cache as well. This seems suspiciously like the Parental Controls process on the Orbi intercepting every web connection attempt and trying to validate it against a central database (only not very efficiently).
One would think that turning off Parental Controls would make these DNS queries stop.
- Batch48 (Aspirant)
I have two Pi-Hole servers set up as redundant DNS servers connected via static IP addresses on the local network. Both P-H servers are pointed to Cloudflare DNS servers (1.1.1.1 & 1.0.0.1). The P-H setup worked flawlessly for 5+ years with very little intervention. Probably rebooted the two P-H servers a total of eight times over the years. Recently updated both P-H servers to Core v6.2.1. Still pointing P-H servers to same Cloudflare DNS servers. After P-H update to v6.2.1 I cannot resolve DNS from any device on the network. I see there is a 'bug fix' P-H release to v6.2.2. I'll install that P-H update soon and determine if that solves the DNS resolution issues. In the meantime, for a 'quick fix' while I sort out the P-H issues, I subscribed to NextDNS and pointed the RBR850 to the two NextDNS servers as noted in my NextDNS profile (49.90.28.227 & 49.90.30.227). Almost immediately the DNS queries began to skyrocket. I've got 101 individual devices attached to the RBR850/RBS850 network - 90 of those devices are WiFi devices and many are IoT devices. I could not locate the 'switch' to disable Parental Controls in the 850 web GUI. Just now I DID locate the switch to disable Parental Controls in the iOS Orbi app. Immediately disabled Parental Controls from the app. Will see if that action has any effect on the outrageous number of DNS queries.
- Batch48 (Aspirant)
Sorry... neglected to add the info re the P-H DNS resolution failures and associated error messages. I see no specific error messages other than that a known good URL (i.e. google.com) cannot resolve from any attached browser-enabled device when the local P-H servers (pointed to ANY public DNS servers) are named as the DNS servers on the RBR850 LAN. I haven't drilled into the P-H software yet to run pings and further diagnose. Will dive into that process in the next 24-48 hours. Will report my findings.