
Forum Discussion

AEtherScythe
Aspirant
Apr 25, 2021

Nighthawk MR60 spying on my Internet usage

I installed a new Nighthawk AX1800 WiFi 6 Mesh System only to find that it is now the top user of DNS in my network and it's looking up the hostname of every IP any of my devices visit on the internet.  It's also constantly resolving Netgear.com.  I can only presume it's spying on my family and sending information about our network usage to Netgear.com.

 

Any recommendation on how to block the MR60 from doing this?

 

Telemetry, courtesy pi-hole.net:

20 Replies

  • For the occasional pings to netgear, that is to determine if you have a functional WAN connection. On the web UI, the internet status box relies on that data; beyond that no special data is sent. Basically, if it fails to get a ping reply from netgear then it will not list the usual status of "GOOD" in the Internet box on the basic page.

     

    As for DNS, the router has a built-in DNS server, and it will effectively cache DNS lookups from the 2 DNS servers in the internet setup page. This is why, if you use a tool like GRC's DNS Benchmark (https://www.grc.com/dns/benchmark.htm), you will see that, especially for cached results, the router is often the fastest to respond.

     

    Many routers do this, and the DHCP server on the router will usually automatically assign the local IP of the router as one of your DNS servers.

     

    If you would like to change that behavior, then you can by simply not using the router's DNS server, and if you are up for a thorough DNS benchmark, you can optimize things to pick the fastest servers for your specific location.

    •
      AEtherScythe
      Aspirant

      Hi, Razor512.  Thanks for the reply.

       

      FYI the MR60 is in Access Point (bridge) mode so it is not providing any DNS services.

  • Did anyone notice all the reverse IP lookups it's doing?  Bunch of cloudflare sites in addition to a ton of other lookups.

    I need to turn off whatever is causing so many DNS lookups because the network is being provided via a Nighthawk LAX20 over LTE and I can't have all this gratuitous traffic being generated by the MR60.  It's costing me too much data on Verizon.

     

    Clearly the MR60 isn't doing the lookups for no reason, it must also be connecting to the various sites.

     

    At first I thought it might be the Anywhere Connect, opening sessions out through the LAX20 + Verizon double NAT to Cloudflare infrastructure, so that the Nighthawk app can get back through the double NAT to reach the MR60, but I have the Anywhere Connect turned off, so it shouldn't be doing that.

     

    The MR60 is the most active device on the network.  It's ridiculous that a router that isn't even serving as a router would be the most active device on my network.  :-(

     

    I ultimately blocked the MR60's ability to reach port 53 on my pi-hole DHCP+DNS server a la (where 192.168.1.2 is the MR60 via DHCP reservation):

     

    $ sudo /sbin/iptables -A INPUT -s 192.168.1.2 -i eth0 -p udp -m state --state NEW -m udp --dport 53 -j DROP

    $ sudo /sbin/iptables -A INPUT -s 192.168.1.2 -i eth0 -p tcp -m state --state NEW -m tcp --dport 53 -j DROP

     

    Now the MR60 is no longer the most active client using my Verizon LTE data.  But this is not a perfect solution.

    I want the router to be able to check for firmware automatically.  It can't do that if it can't use DNS.

     

    I just need to shut down whatever is doing all the gratuitous lookups and related traffic.

    •
      Razor512
      Prodigy

      So far the images are not loading and the reddit post has no images.

      •
        Razor512
        Prodigy

        Wanted to also add that some netgear products will do OUI lookups in order to provide more relevant information on the attached device list, which functions even when a device is in AP mode.

         

        While none of the images are working yet, are you able to do a packet capture of the lookups it is doing to see what data is actually being sent and received?

        Aside from that you will occasionally see traffic to one of the Netgear update servers when it checks for firmware updates. If you want to block all of those functions, you can keep it in router mode, assign it a static IP for the web UI, disable its DHCP server, and then connect it to your main router via LAN to LAN instead of LAN to WAN; then all of those requests will effectively be sent to a physical Ethernet port that has no connection.

         

        Wanted to also add, if it supports the Netgear Armor service then the processes associated with it will remain partially active in performing various lookups on devices that connect to the network in order to deliver mobile alerts to the nighthawk app.

         

         

  • I did the math, just based on the screenshots that I shared.  The MR60 is doing just over 10,000 DNS queries a day.
    Shouldn't be doing more than a small handful of queries a day to check for firmware updates (like once a day at most).

    All those other lookups shouldn't be happening.  There should be a straightforward option to turn off whatever it's doing.

    •
      Razor512
      Prodigy

      That amount of traffic is strange. The only feature that will do a ton of requests that I know of under normal circumstances, is the Netgear Armor function where it will do a ton of stuff in the background when active, especially if it is doing a vulnerability scan.

  • Isn't that strange? One of the images I originally uploaded to this thread is now showing.
    The other still is not showing. Maybe it will eventually.
    This forum software could apparently use some love. ;-)
  • To get more insight into what is going on here, I grabbed the /var/log/pihole.log* files for the last 7 days and checked just what the MR60 (as client 192.168.1.2) is trying to resolve.  The list is pretty "telling."   It's definitely doing all the queries that any/all of my devices are doing, but also a huge number of reverse IP lookups.

     

    $ grep 'from 192.168.1.2' pihole.log* | sed -n 's/.*] \([^ ]*\) from.*/\1/p' | sort | uniq -c | tee mr60.txt

     

    I'll show just the most-used lookups.  For sure many of these are Netgear related, but a ton of them are not.

    And when I look at the complete list I can see many many domains being referenced which are unique to my own Internet usage, such as certain podcasts and such that only I listen to and nobody else does.

     

    5419 www.netgear.com
    1516 time-b.netgear.com
    1031 advisor.ngxcld.com
    186 mesu.apple.com
    126 www.apple.com
    121 time-c.netgear.com
    117 init-p01st.push.apple.com
    92 lb._dns-sd._udp.net
    88 1-courier.push.apple.com
    85 1-courier.sandbox.push.apple.com
    69 apple.com
    62 suconfig.apple.com
    56 xbroker-z2-i12.ngxcld.com
    52 xbroker-z2-i16.ngxcld.com
    52 api.smoot.apple.com
    51 gspe1-ssl.ls.apple.com
    51 e6858.dscx.akamaiedge.net
    50 gsa.apple.com
    48 cl2.apple.com
    48 appleid.apple.com
    46 xbroker-z2-i17.ngxcld.com
    44 xbroker-z2-i24.ngxcld.com
    43 init-p01md.apple.com
    43 init.ess.apple.com
    42 gs-loc.apple.com
    42 gateway.icloud.com
    41 uemm.dynatrace.ford.com
    40 xbroker-z2-i8.ngxcld.com
    40 xbroker-z2-i11.ngxcld.com
    40 guzzoni.apple.com
    38 xbroker-z2-i22.ngxcld.com
    38 xbroker-z2-i13.ngxcld.com
    38 radarsubmissions.apple.com
    37 outlook.office365.com
    37 gsp-ssl.ls.apple.com
    36 init.itunes.apple.com
    35 configuration.apple.com
    34 xbroker-z2-i23.ngxcld.com
    34 xbroker-z2-i15.ngxcld.com
    33 p101-keyvalueservice.icloud.com
    33 p101-fmfmobile.icloud.com
    33 http.fw.updates1.netgear.com
    32 xbroker-z2-i6.ngxcld.com
    32 xbroker-z2-i4.ngxcld.com
    32 xbroker-z2-i14.ngxcld.com
    31 gateway.fe.apple-dns.net
    30 xbroker-z2-i7.ngxcld.com
    30 xbroker-z2-i19.ngxcld.com
    30 gspe35-ssl.ls.apple.com
    28 xbroker-z2-i5.ngxcld.com

     

    Looking into the top reverse lookups, it's almost all cloudfront:

     

    $ cat /tmp/mr60arpa.txt | while read count rev ; do ip=$(echo $rev | awk -F. '{print $4 "." $3 "." $2 "." $1}'); echo $count $(getent hosts $ip) ; done
    1121 13.226.13.13 server-13-226-13-13.ord51.r.cloudfront.net
    1121 13.226.13.120 server-13-226-13-120.ord51.r.cloudfront.net
    1120 13.226.13.99 server-13-226-13-99.ord51.r.cloudfront.net
    1120 13.226.13.124 server-13-226-13-124.ord51.r.cloudfront.net
    660 99.84.160.7 server-99-84-160-7.ord52.r.cloudfront.net
    660 99.84.160.32 server-99-84-160-32.ord52.r.cloudfront.net
    660 99.84.160.25 server-99-84-160-25.ord52.r.cloudfront.net
    660 99.84.160.115 server-99-84-160-115.ord52.r.cloudfront.net
    180 99.84.174.69 server-99-84-174-69.ord52.r.cloudfront.net
    180 99.84.174.66 server-99-84-174-66.ord52.r.cloudfront.net
    180 99.84.174.6 server-99-84-174-6.ord52.r.cloudfront.net
    180 99.84.174.22 server-99-84-174-22.ord52.r.cloudfront.net
    1 99.84.79.90 server-99-84-79-90.hio50.r.cloudfront.net
    1 54.239.169.81 server-54-239-169-81.kix56.r.cloudfront.net
    1 13.33.165.77 server-13-33-165-77.yto50.r.cloudfront.net
    1 99.84.79.70 server-99-84-79-70.hio50.r.cloudfront.net
    1 54.230.155.66 server-54-230-155-66.icn51.r.cloudfront.net
    1 54.239.169.58 server-54-239-169-58.kix56.r.cloudfront.net
    1 54.230.155.52 server-54-230-155-52.icn51.r.cloudfront.net
    1 54.230.155.50 server-54-230-155-50.icn51.r.cloudfront.net
    1 13.33.165.49 server-13-33-165-49.yto50.r.cloudfront.net
    1 99.84.79.2 server-99-84-79-2.hio50.r.cloudfront.net
    1 54.230.155.23 server-54-230-155-23.icn51.r.cloudfront.net
    1 13.33.165.2 server-13-33-165-2.yto50.r.cloudfront.net
    1 54.239.169.123 server-54-239-169-123.kix56.r.cloudfront.net
    1 13.33.165.107 server-13-33-165-107.yto50.r.cloudfront.net
    1 54.239.169.102 server-54-239-169-102.kix56.r.cloudfront.net
    1 99.84.79.101 server-99-84-79-101.hio50.r.cloudfront.net

     

    That's just the IPv4 stuff.  I need to see if I can do similar analysis for the IPv6 lookups.

     

     

     
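The grep/sed pipeline above and the iptables workaround a few posts earlier both hinge on the same question: which names one client asks the resolver for, and which of them a firmware check actually needs. As an added example (not code from this thread or from NETGEAR), the following Python re-implements that per-client analysis, reverses both in-addr.arpa and ip6.arpa PTR names back to addresses (the IPv6 side the post says is still to do), and dry-runs a suffix allowlist of the kind that would keep a firmware check working while dropping the reverse lookups. The log lines are constructed in pi-hole's dnsmasq format, and the allowlist (netgear.com and ngxcld.com, the Netgear-owned names visible in the posted counts) is an assumption about what the firmware check needs, not something the page documents.

```python
"""Per-client pi-hole query analysis plus an allowlist dry run.
Added example, not code from the thread; sample data and allowlist are assumptions."""
import ipaddress
import re
from collections import Counter

# Constructed sample in dnsmasq/pi-hole query-log format (not real log data).
# 192.168.1.2 plays the MR60, 192.168.1.23 an ordinary client.
V6_PTR_SAMPLE = ipaddress.ip_address("2001:db8::1").reverse_pointer  # documentation prefix
SAMPLE_LOG = "\n".join([
    "Apr 25 08:00:01 dnsmasq[812]: query[A] www.netgear.com from 192.168.1.2",
    "Apr 25 08:00:01 dnsmasq[812]: forwarded www.netgear.com to 1.1.1.1",
    "Apr 25 08:00:01 dnsmasq[812]: reply www.netgear.com is 203.0.113.10",
    "Apr 25 08:00:02 dnsmasq[812]: query[A] time-b.netgear.com from 192.168.1.2",
    "Apr 25 08:00:03 dnsmasq[812]: query[PTR] 13.13.226.13.in-addr.arpa from 192.168.1.2",
    "Apr 25 08:00:03 dnsmasq[812]: query[PTR] 13.13.226.13.in-addr.arpa from 192.168.1.2",
    "Apr 25 08:00:04 dnsmasq[812]: query[A] http.fw.updates1.netgear.com from 192.168.1.2",
    "Apr 25 08:00:05 dnsmasq[812]: query[AAAA] api.smoot.apple.com from 192.168.1.2",
    "Apr 25 08:00:05 dnsmasq[812]: query[A] api.smoot.apple.com from 192.168.1.23",
    f"Apr 25 08:00:06 dnsmasq[812]: query[PTR] {V6_PTR_SAMPLE} from 192.168.1.2",
    "Apr 25 08:00:07 dnsmasq[812]: query[A] advisor.ngxcld.com from 192.168.1.2",
    "Apr 25 08:00:08 dnsmasq[812]: query[A] www.netgear.com from 192.168.1.2",
])

# Matches the "query[TYPE] name from client" part of a dnsmasq query line.
QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<client>\S+)")

def parse_queries(log_text):
    """Return (qtype, name, client) for every query line; other lines are skipped."""
    out = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            out.append((m["qtype"], m["name"], m["client"]))
    return out

def reverse_pointer_to_ip(name):
    """Turn an in-addr.arpa / ip6.arpa name back into an address string, or None."""
    name = name.rstrip(".").lower()
    if name.endswith(".in-addr.arpa"):
        labels = name[: -len(".in-addr.arpa")].split(".")
        if len(labels) != 4:
            return None
        candidate = ".".join(reversed(labels))
    elif name.endswith(".ip6.arpa"):
        nibbles = name[: -len(".ip6.arpa")].split(".")
        if len(nibbles) != 32 or any(len(n) != 1 for n in nibbles):
            return None
        hexstr = "".join(reversed(nibbles))
        candidate = ":".join(hexstr[i:i + 4] for i in range(0, 32, 4))
    else:
        return None
    try:
        return str(ipaddress.ip_address(candidate))  # validates and compresses
    except ValueError:
        return None

def queries_per_client(queries):
    """Who is the top talker at the resolver."""
    return Counter(client for _, _, client in queries)

def client_profile(queries, client):
    """Counts of forward names and of PTR targets (as addresses) for one client."""
    forward, ptr = Counter(), Counter()
    for qtype, name, who in queries:
        if who != client:
            continue
        if qtype == "PTR":
            ip = reverse_pointer_to_ip(name)
            ptr[ip if ip else name] += 1
        else:
            forward[name] += 1
    return forward, ptr

def allowed(qtype, name, allow_suffixes):
    """Policy: only forward lookups of names under an allowed suffix pass; PTR never does."""
    if qtype == "PTR":
        return False
    n = name.rstrip(".").lower()
    return any(n == s or n.endswith("." + s) for s in allow_suffixes)

def dry_run(queries, client, allow_suffixes):
    """Return (allowed_count, Counter of blocked 'TYPE name') for one client."""
    kept, blocked = 0, Counter()
    for qtype, name, who in queries:
        if who != client:
            continue
        if allowed(qtype, name, allow_suffixes):
            kept += 1
        else:
            blocked[f"{qtype} {name}"] += 1
    return kept, blocked

# ASSUMPTION: the page does not document which names a firmware check needs;
# these are the Netgear-owned suffixes that appear in the posted counts.
FIRMWARE_ALLOW = ("netgear.com", "ngxcld.com")

if __name__ == "__main__":
    qs = parse_queries(SAMPLE_LOG)
    print(queries_per_client(qs).most_common())
    print(client_profile(qs, "192.168.1.2"))
    print(dry_run(qs, "192.168.1.2", FIRMWARE_ALLOW))
```

Point `parse_queries` at the concatenated text of /var/log/pihole.log* to run it on real data. The allowlist is a dry run only; enforcing it still needs a per-client rule in the resolver (pi-hole's group management assigns block and allow lists per client) rather than the port-53 DROP earlier in the thread, which also takes away the firmware check and does nothing if the device falls back to another resolver reachable over the WAN.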

  • About half an hour ago I posted a detailed analysis of the top 50 lookups the MR60 is doing.
    Was my comment deleted by a moderator?

    •
      Razor512
      Prodigy

      Most modern forum software will use a range of automated filtering functions that will look for patterns such as a large number of URLs posted at once or various keywords. Sadly it is effectively unavoidable with public forums that want to allow public registrations without annoying screening processes such as requiring the first few posts to be moderator approved.
      I have moderated on a different forum in the past and it wasn't uncommon to see the system block over 100 bot accounts within a single day, and that is with a captcha system. Sadly many mass spamming operations effectively do captcha farming, or sidejacking-style malware where someone's normal activity provides the data that Google reCAPTCHA needs.
      Overall, until something better comes out many forums will have a range of filters and other automations in place to prevent spam, even though that can have false positives (depending on the content).

       

      Focusing more on the core issue, your best bet may be the LAN to LAN setup, especially if Netgear Armor is enabled and you don't want its cloud related network activity taking place.

       

       

      •
        AEtherScythe
        Aspirant

        The reply that disappeared was mostly just hostnames, not URLs.

         

        But anyway, I am keen on trying the LAN to LAN mode, but the router is at my elderly parents' house 40 miles away, so I probably won't be able to get down there before Wednesday.

         

        Razor512, to my knowledge I never enabled Netgear Armor.

        How would I check and how would I disable it?

        To me, Access Point mode should be "brick-stupid, do nothing but bridge the WiFi to my actual router."

        That one button to turn on AP mode should disable all this other gratuitous nonsense.  :-/