owtluke
Feb 18, 2021 (Aspirant)
Orbi Pro SRR60 router hijacking DNS queries
Network setup:
1 Orbi Pro SRR60 router + 3 SRS60 satellites
PFSense firewall acting as DHCP server
Pihole DNS server
Before firmware upgrade: All clients (including the Orbi devices) are assi...
antinode
Feb 18, 2021 (Guru)
> Upgraded to firmware 2.6.0.108. [...]
From?
> All clients (including the Orbi devices) are assigned the pihole
> server for DNS queries. Nothing has changed from a DHCP perspective.
Really? I know nothing, but I'd expect the DHCP server in a Netgear
router to offer itself as the DNS server for a DHCP client.
> The Orbi router is intercepting the DNS requests and resubmitting them
> itself on behalf of the client. [...]
I'd expect that (or something like that). The router needs to deal
with special names like "orbilogin.com". But the implementation of that
"feature" might have changed.
> [...] roll back the firmware to the previous version. [...]
Which was?
owtluke
Feb 18, 2021 (Aspirant)
>> Upgraded to firmware 2.6.0.108. [...]
>
> From?
The old firmware is 2.5.2.104
> Really? I know nothing, but I'd expect the DHCP server in a Netgear
> router to offer itself as the DNS server for a DHCP client.
I would disagree. The router is running in AP mode, not router mode. I expect it to be transparent in the whole chain and not do anything with the DNS. The clients clearly show the pihole as the DNS server, so the DHCP requests are being passed through unmolested. But in the end it is the router making the request on behalf of the client. This is the core issue. I have a suspicion it is an attempt to collect DNS statistics.
- antinode, Feb 18, 2021 (Guru)
> [...] The router is running in AP mode, not router mode. [...]
Drat. If only my psychic powers were greater, then I might have
divined that from your original problem description. Foolishly, I
thought that "router" meant "router".
> [...] I expect it to be transparent in the whole chain and not do
> anything with the DNS. [...]
Prepare for disappointment?
> [...] I have a suspicion it is an attempt to collect DNS statistics.
Many things are possible, but I have a suspicion that it has
something to do with dealing with special names like "orbilogin.com".
Which might be expected to work, even when the router is configured as a
WAP.
One of us could see if that behavior changed with the firmware. If
so, then the change might have been intentional.
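
One way to confirm the behaviour discussed in this thread from the DNS server's side, as an added example that is not part of any post: count queries per source address in the resolver's log and flag the case where one address sends nearly everything while clients holding DHCP leases never appear. It assumes the dnsmasq-style `query[...] name from ip` line that Pi-hole writes to its query log; the addresses, log lines and function names are constructed for illustration.

```python
import re
from collections import Counter

# dnsmasq-style query line: "... query[A] example.com from 192.168.1.20"
QUERY_RE = re.compile(r"query\[[^\]]+\] \S+ from (?P<src>\S+)$")

def queries_by_source(log_lines):
    """Count DNS queries per source IP as the resolver saw them."""
    counts = Counter()
    for line in log_lines:
        m = QUERY_RE.search(line.strip())
        if m:
            counts[m.group("src")] += 1
    return counts

def suspected_proxy(log_lines, leased_clients, share=0.9):
    """Return the source IP that seems to be querying on behalf of others.

    A source is flagged when it sent at least `share` of all queries while
    two or more clients holding DHCP leases never appear as a source.
    """
    counts = queries_by_source(log_lines)
    total = sum(counts.values())
    if total == 0:
        return None
    top_src, top_n = counts.most_common(1)[0]
    silent = [c for c in leased_clients if c != top_src and counts[c] == 0]
    if top_n / total >= share and len(silent) >= 2:
        return top_src
    return None

# Constructed sample data: .2 is the access point, .20-.22 are its clients.
LEASES = ["192.168.1.2", "192.168.1.20", "192.168.1.21", "192.168.1.22"]
BEFORE = [
    "Feb 18 09:00:01 dnsmasq[411]: query[A] example.com from 192.168.1.20",
    "Feb 18 09:00:02 dnsmasq[411]: query[AAAA] example.org from 192.168.1.21",
    "Feb 18 09:00:03 dnsmasq[411]: query[A] example.net from 192.168.1.22",
    "Feb 18 09:00:04 dnsmasq[411]: query[A] example.com from 192.168.1.2",
]
# Same queries, but every one now arrives from the access point's address.
AFTER = [line.rsplit(" ", 1)[0] + " 192.168.1.2" for line in BEFORE]

if __name__ == "__main__":
    print("before:", suspected_proxy(BEFORE, LEASES))
    print("after: ", suspected_proxy(AFTER, LEASES))
```

Run against a real log, the `leased_clients` list would come from the DHCP server's lease table so that the comparison covers the same time window as the log.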