
SomeDudeX
Aspirant
Jan 27, 2020

Router DNS causes "Connection not secure" - on all websites & devices

Nighthawk AX4: RAX40
Firmware Version V1.0.3.64_1.0.1 (latest)

 

All works as expected, except any DNS query that comes near the router triggers a "connection not secure". All devices, all operating systems. Doesn't matter whether I leave DNS on auto or log in to the router and manually specify a DNS server (8.8.8.8 or 1.1.1.1).

 

I know the router works fine because if I set the DNS on the individual device it works as expected.

 

From the broken certificate the browser complains about I gather this is connected to the portal (routerlogin.net) but I really don't need a router that injects broken certificates into traffic silently that isn't even portal related. It's a security risk, unwanted and well pretty broken.

 

I gather it's related to this security hole discovered a couple days back:

https://searchsecurity.techtarget.com/news/252477198/Netgear-under-fire-after-TLS-certificates-found-in-firmware-again

https://gist.github.com/nstarke/a611a19aab433555e91c656fe1f030a9

 

Netgear's solution (posted 3 days ago) is to add this broken certificate as force trusted in the browser (the worst possible thing you can do for compromised certificates):

https://kb.netgear.com/000061586/I-get-a-security-warning-in-my-browser-when-I-try-to-log-in-to-my-NETGEAR-Nighthawk-router-what-do-I-do

...which doesn't even fix the issue, since not all devices can force a different DNS or side-load a certificate.

 

So before I send this thing back as defective - any ideas? Really thinking I made a mistake here.


  • SomeDudeX wrote:

     

    All works as expected, except any DNS query that comes near the router triggers a "connection not secure". All devices, all operating systems.


    All browsers?

      schumaku
      Guru

      The security hole - I've pointed out for years that the private key is available on any Netgear device (that's the one and only problem...) - which isn't affecting virtually anything. Still good enough to use on a private home network - certainly better than plain http. Lots of noise - they did it for commodity, to make it easy and transparent having a reasonable https connection to the router. And who says that this certificate is revoked? Leaving this alone, I strongly doubt this is the issue here.

       

      DNS queries don't trigger any connections, they just return an A record with an IPv4 address (or a list of addresses), e.g. for www.google.com. And no, this router class does not intercept any https connection either.


      Show us the URL you try to access. Check a simple dig or nslookup for the FQDN when using the router DNS resolver vs. when using a direct DNS query. Something simple like

      nslookup www.google.com


      Is your router Internet Interface configured to use the same DNS IP address(es) as you try internally for a direct query? Simple test:

      nslookup www.google.com
      
      nslookup
      > server 8.8.8.8
      > www.google.com

      DNS IP and Google FQDN just used as an example.

       

        SomeDudeX
        Aspirant

        schumaku - I appreciate the detailed response.

         

        Yeah that's the behaviour I'm expecting/hoping for. Not at all what is happening though.

         

        >strongly doubt this is the issue here.

         

        Well the one seems to be triggering the other. The router appears to be pointing all DNS requests at the router IP (its now-invalid cert). This is what DNS set to auto looks like (both on router and connecting devices):

         

        PS C:\Users\AN> nslookup

        Default Server: www.routerlogin.com
        Address: 192.168.1.1

         

        PS C:\Users\AN> nslookup google.com

        Server: www.routerlogin.com
        Address: 192.168.1.1

        Name: google.com
        Address: 192.168.1.1

         

        PS C:\Users\AN> ping google.com
        Pinging google.com [192.168.1.1] with 32 bytes of data
        Reply from 192.168.1.1: bytes=32 time=4ms TTL=64
        Reply from 192.168.1.1: bytes=32 time=2ms TTL=64
        Reply from 192.168.1.1: bytes=32 time=3ms TTL=64


        PS C:\Users\AN> ping community.netgear.com
        Pinging community.netgear.com [192.168.1.1] with 32 bytes of data
        Reply from 192.168.1.1: bytes=32 time=2ms TTL=64
        Reply from 192.168.1.1: bytes=32 time=2ms TTL=64
        Reply from 192.168.1.1: bytes=32 time=2ms TTL=64

         

        Firefox - refuses the cert because it's obviously not valid for the google domain / Google cert - https://i.imgur.com/pk9wG2H.png

         

        Chrome - google.com asking me for my (portal) login on chrome - https://i.imgur.com/xn3ZfjZ.png

        (That's new behaviour - pretty sure they both refused yesterday)

         

        michaelkenward Yep. Everything top to bottom is affected - TV, firestick, laptops, iPhones. The only devices that are working are the ones specifically told to ignore the router for DNS.

         

        Doesn't really matter... a different brand router is on the way already. The obvious issue of nothing working aside, it doesn't fly for my use case (running a Pi-hole). And this blend of compromised certs & silent redirects is making me a little wary of MITM - though it seems unlikly.
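The check schumaku describes (ask the router's resolver and a public resolver for the same name and compare) and the symptom SomeDudeX pasted (every name answered with the router's own LAN address) can be scripted so that the comparison is done by the tool rather than by eye. The following is an added example written for this page; it is not code from NETGEAR or from either poster. It speaks plain DNS over UDP with the standard library only, so it has no dependency on `nslookup`/`dig` and runs the same on any OS. The resolver addresses, the `classify()` verdict strings and the sample response bytes are assumptions made for the example; the response bytes are constructed inline from a query, not captured from a real router.

```python
import socket
import struct
import sys

# Assumed values for the example (the thread's router IP and Google DNS).
ROUTER_IP = "192.168.1.1"
PUBLIC_DNS = "8.8.8.8"


def build_query(name, txid=0x1234):
    """Build a minimal DNS A/IN query (RFC 1035 wire format, RD bit set)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)


def build_response(query, ip, ttl=60):
    """Constructed test helper: wrap a query as a one-answer A response.
    The answer name is a compression pointer (0xC00C) back to the question."""
    txid = query[:2]
    body = query[12:]  # question section as sent
    header = txid + struct.pack(">HHHHH", 0x8180, 1, 1, 0, 0)
    rr = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + body + rr


def _read_name(msg, off):
    """Decode a (possibly compressed) domain name; return (name, next offset)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer: follow it, remember where we left
            ptr = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2
            off = ptr
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if end is not None else off)


def parse_a_records(msg):
    """Return [(name, ipv4)] for every A record in the answer section."""
    txid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if flags & 0x000F:  # non-zero RCODE (NXDOMAIN, SERVFAIL, ...)
        return []
    off = 12
    for _ in range(qd):  # skip the echoed question(s)
        _, off = _read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, socket.inet_ntoa(rdata)))
    return answers


def resolve(name, server, timeout=2.0):
    """Send one UDP query to `server` and parse the A records it returns."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        data, _ = s.recvfrom(4096)
    if data[:2] != query[:2]:
        raise ValueError("DNS transaction id mismatch")
    return parse_a_records(data)


def classify(router_answers, public_answers, router_ip=ROUTER_IP):
    """'hijacked' when the router answers only with itself while a public
    resolver gives something else; 'ok' when the answer sets overlap."""
    r = {ip for _, ip in router_answers}
    p = {ip for _, ip in public_answers}
    if r and r <= {router_ip} and router_ip not in p:
        return "hijacked"
    if r & p:
        return "ok"
    return "differs"


if __name__ == "__main__":  # live check (needs network): python dnscheck.py google.com
    for name in sys.argv[1:] or ["google.com", "community.netgear.com"]:
        via_router, via_public = resolve(name, ROUTER_IP), resolve(name, PUBLIC_DNS)
        print(name, via_router, via_public, "->", classify(via_router, via_public))
```

A "hijacked" verdict for names that have nothing to do with routerlogin.net is exactly what the nslookup output above shows; "differs" without the router IP involved is usually just CDN geo-balancing and not a concern.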