
mludd
Follower
Mar 10, 2017

Option to disable DNS relay in AC1900 EX7000 wifi extender/access point

Hi,


So I've noticed that the AC1900 EX7000 wifi extender/access point seems to have an always-on DNS server/relay that there is no way to disable. I'm not at all comfortable with this and would very much appreciate a way to disable this.


Description of behavior


For this test of this behavior the following hosts were used:

  • ptolemy - Local DNS server, IPv4 address: 192.168.1.210, connected to switch, it both acts as a caching DNS server (using 8.8.8.8 and 4.4.4.4 for outgoing requests) and is the master server for a local top-level domain, .pantburk
  • icarus - The AC1900 EX7000 extender acting only as a WAP, IPv4 address: 192.168.1.211
  • bilbo - My personal laptop, IPv4 address: 192.168.1.27, connected wirelessly via icarus

Testing

Requesting the IP address for ptolemy from bilbo looks fine:


$ nslookup ptolemy
Server:		192.168.1.210
Address:	192.168.1.210#53

Name:	ptolemy.pantburk
Address: 192.168.1.210

Seemingly ptolemy replied to the request and gave its own address as the reply. Nothing funny-looking so far.


Now let's first verify that this isn't a real domain name, we'll check on ptolemy if it knows of this domain name:

$ nslookup www.mywifiext.net
Server:		192.168.1.210
Address:	192.168.1.210#53

** server can't find www.mywifiext.net: NXDOMAIN

From this we can conclude that the only known DNS server on the network doesn't know of this domain.


Next we'll try requesting the domain www.mywifiext.net from bilbo:


$ nslookup www.mywifiext.net
Server:		192.168.1.210
Address:	192.168.1.210#53

Non-authoritative answer:
Name:	www.mywifiext.net
Address: 192.168.1.211

Well that's clearly the IP address for icarus, which also happens to be the only device on the network which is situated between bilbo and ptolemy.


Luckily I was monitoring incoming traffic on port 53 on ptolemy:


$ sudo tcpdump -vvv -s 0 -l -n port 53
tcpdump: listening on re0, link-type EN10MB (Ethernet), capture size 65535 bytes
^C
0 packets captured
509 packets received by filter
0 packets dropped by kernel

As can be plainly seen, ptolemy didn't even receive that request, which can only lead to the conclusion that icarus intercepted the request and replied to it with its own IP address.


Final words

As far as I'm concerned right now I have a rogue DNS server on my network. Even though on the surface it only seems to reply to lookup requests for www.mywifiext.net, it's clearly listening to traffic on port 53 and that's just unsettling.


I would very much appreciate a firmware update that makes it possible to disable this service using the web UI.


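The comparison the post performs by hand (ask the real resolver directly, ask it again from behind the access point, and compare) can be automated. The following is an added example written for this page; it is not the poster's code and not anything from NETGEAR. It builds and parses raw DNS/UDP messages with only the Python standard library, so a defender can run it from a client without dnspython. The host names ptolemy and icarus, the addresses 192.168.1.210 and 192.168.1.211, and the two sample responses in the demo are constructed from the details in the post; the on-path device list and the query function are assumptions for illustration.

```python
import socket
import struct

def encode_name(name):
    """Encode a dotted host name as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def decode_name(data, offset):
    """Decode a wire-format name (handling compression pointers); return (name, next offset)."""
    labels, jumped, end = [], False, offset
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        if length == 0:
            offset += 1
            break
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    if not jumped:
        end = offset
    return ".".join(labels), end

def build_query(name, txid):
    """Standard recursive A query (RD=1) for the given name."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", 1, 1)

def build_response(name, txid, rcode, addresses):
    """Constructed response used only for the offline demo: QR=1, RD=1, RA=1, given rcode, A records."""
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(addresses), 0, 0)
    body = encode_name(name) + struct.pack("!HH", 1, 1)
    for addr in addresses:                                # name pointer to offset 12, type A, class IN, TTL 60
        body += b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(addr)
    return header + body

def parse_response(data):
    """Pull out txid, rcode, AA flag, the question name and any A-record addresses."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    offset, qname = 12, None
    for _ in range(qd):
        qname, offset = decode_name(data, offset)
        offset += 4                                       # skip QTYPE, QCLASS
    answers = []
    for _ in range(an):
        _, offset = decode_name(data, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata, offset = data[offset:offset + rdlen], offset + rdlen
        if rtype == 1 and rdlen == 4:
            answers.append(socket.inet_ntoa(rdata))
    return {"id": txid, "rcode": flags & 0x0F, "authoritative": bool(flags & 0x0400),
            "qname": qname, "answers": answers}

def query_resolver(server, name, txid=0x1234, timeout=2.0):
    """Send the query over UDP and return (reply bytes, address that actually answered)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (server, 53))
        data, peer = s.recvfrom(4096)
    return data, peer[0]

def detect_relay(client_view, resolver_view, path_devices):
    """Compare the answer seen by the client with the resolver's own answer for the same name.
    path_devices maps IPv4 addresses of devices between client and resolver to a label."""
    client, resolver = parse_response(client_view), parse_response(resolver_view)
    findings = []
    if resolver["rcode"] == 3 and client["answers"]:      # NXDOMAIN at the resolver, but the client got an A record
        findings.append("resolver returns NXDOMAIN for %s but the client received %s"
                        % (client["qname"], ", ".join(client["answers"])))
    for addr in client["answers"]:
        if addr in path_devices:
            findings.append("answer %s is the address of on-path device %s" % (addr, path_devices[addr]))
    return findings

# Constructed demo reproducing the post's two vantage points (no network needed).
RESOLVER_VIEW = build_response("www.mywifiext.net", 0x1234, 3, [])              # as seen on ptolemy
CLIENT_VIEW = build_response("www.mywifiext.net", 0x1234, 0, ["192.168.1.211"])  # as seen on bilbo
ON_PATH = {"192.168.1.211": "icarus"}

if __name__ == "__main__":
    for line in detect_relay(CLIENT_VIEW, RESOLVER_VIEW, ON_PATH):
        print("FINDING:", line)
    # Live use (assumed deployment): run query_resolver("192.168.1.210", "www.mywifiext.net")
    # once from a host on the switch and once from a wireless client, then feed both replies in.
```

The resolver-side capture is the strong evidence, as in the post: if tcpdump on the resolver never sees the query while the client still receives an answer, something on the path generated that answer. The script only makes the comparison of the two views repeatable and flags answers that resolve to a device sitting between client and resolver.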