Router DNS causes "Connection not secure" - on all websites & devices

SomeDudeX
Aspirant

Nighthawk AX4: RAX40
Firmware Version V1.0.3.64_1.0.1 (latest)

 

All works as expected, except any DNS query that comes near the router triggers a "connection not secure". All devices, all operating systems. Doesn't matter whether I leave DNS on auto or log in to the router and manually specify a DNS server (8.8.8.8 or 1.1.1.1).

 

I know the router works fine because if I set the DNS on the individual device it works as expected.

 

From the broken certificate the browser complains about I gather this is connected to the portal (routerlogin.net) but I really don't need a router that injects broken certificates into traffic silently that isn't even portal related. It's a security risk, unwanted and well pretty broken.

 

I gather it's related to this security hole discovered a couple days back:

https://searchsecurity.techtarget.com/news/252477198/Netgear-under-fire-after-TLS-certificates-found...

https://gist.github.com/nstarke/a611a19aab433555e91c656fe1f030a9

 

Netgear's solution (posted 3 days ago) is to add this broken certificate as force trusted in the browser (the worst possible thing you can do for compromised certificates):

https://kb.netgear.com/000061586/I-get-a-security-warning-in-my-browser-when-I-try-to-log-in-to-my-N...

...doesn't even fix the issue since not all devices can force a different DNS or side-load a certificate.

 

So before I send this thing back as defective - any ideas? Really thinking I made a mistake here

Model: RAX40|Nighthawk AX4 4-Stream WiFi Router
Message 1 of 4

Re: Router DNS causes "Connection not secure" - on all websites & devices


@SomeDudeX wrote:

 

All works as expected, except any DNS query that comes near the router triggers a "connection not secure". All devices, all operating systems.


All browsers?

Just another user.

My network DM200 -> R7800 -> GS316 -> PL1000 -> Orbi RBR40 -> Orbi RBS50Y -> RBS40V
Message 2 of 4
schumaku
Guru

Re: Router DNS causes "Connection not secure" - on all websites & devices

The security hole - I've pointed out for years that the private key is available on any Netgear device (that's the one and only problem...) - which isn't affecting virtually anything. Still good enough to use on a private home network - certainly better than plain http. Lots of noise - they did it for commodity, to make it easy and transparent having a reasonable https connection to the router. And who says that this certificate is revoked? Leaving this alone, strongly doubt this is the issue here.

 

DNS queries don't trigger any connections, they just return an A record with an IPv4 address (or a list of addresses), e.g. for www.google.com. And no, this router class does not intercept any https connection, too.


Show us the URL you try to access. Check a simple dig or nslookup for the FQDN when using the router DNS res. when using the direct DNS query. Something simple like

nslookup www.google.com


Your router Internet Interface is configured to use the same DNS IP address(es) as you try internally for a direct query? Simple test:

nslookup www.google.com

nslookup
> server 8.8.8.8
> www.google.com

DNS IP and Google FQDN just used as an example.

 

Message 3 of 4
SomeDudeX
Aspirant

Re: Router DNS causes "Connection not secure" - on all websites & devices

@schumaku - I appreciate the detailed response.

 

Yeah that's the behaviour I'm expecting/hoping for. Not at all what is happening though.

 

>strongly doubt this is the issue here.

 

Well the one seems to be triggering the other. The router appears to be pointing all DNS requests at the router IP (its now invalid cert). This is what DNS to auto looks like (both on router and connecting devices):

 

PS C:\Users\AN> nslookup

Default Server: www.routerlogin.com
Address: 192.168.1.1

 

PS C:\Users\AN> nslookup google.com

Server: www.routerlogin.com
Address: 192.168.1.1

Name: google.com
Address: 192.168.1.1

 

PS C:\Users\AN> ping google.com
Pinging google.com [192.168.1.1] with 32 bytes of data
Reply from 192.168.1.1: bytes=32 time=4ms TTL=64
Reply from 192.168.1.1: bytes=32 time=2ms TTL=64
Reply from 192.168.1.1: bytes=32 time=3ms TTL=64


PS C:\Users\AN> ping community.netgear.com
Pinging community.netgear.com [192.168.1.1] with 32 bytes of data
Reply from 192.168.1.1: bytes=32 time=2ms TTL=64
Reply from 192.168.1.1: bytes=32 time=2ms TTL=64
Reply from 192.168.1.1: bytes=32 time=2ms TTL=64

 

Firefox - refuses cert because it's obviously not valid for google domain google cert - https://i.imgur.com/pk9wG2H.png

 

Chrome - google.com asking me for my (portal) login on chrome - https://i.imgur.com/xn3ZfjZ.png

(That's new behaviour - pretty sure they both refused yesterday)

 

@michaelkenward Yep. Everything top to bottom is affected - TV, firestick, laptops, laptops, iphones. The only devices that are working are the ones specifically told to ignore the router for DNS. 

 

Doesn't really matter...different brand router is on the way already. Obvious issue of nothing works aside it doesn't fly for my usage case (running a pihole). And this blend of compromised certs & silent redirects is making me a little wary of MITM - though seems unlikely

 

Message 4 of 4
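
The comparison suggested in message 3 (router DNS versus a direct query) and the symptom shown in message 4 (every name resolving to 192.168.1.1) can be checked mechanically. The sketch below is an added example, not part of any post in this thread: it assumes Windows-style `nslookup` output, and the function names and sample texts are hypothetical or constructed for illustration.

```python
import ipaddress
# RFC 1918 ranges: a public hostname should not resolve into these.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def _is_ip(s):
    try:
        ipaddress.ip_address(s)
    except ValueError:
        return False
    return True

def parse_nslookup(text):
    """Parse Windows-style nslookup output into (resolver, name, [answers])."""
    resolver, name, answers = None, None, []
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if sep and key == "name":
            name = value
        elif sep and key in ("address", "addresses") and _is_ip(value):
            if name is None:
                resolver = value  # the block before "Name:" describes the resolver
            else:
                answers.append(value)
        elif name is not None and _is_ip(line.strip()):
            answers.append(line.strip())  # continuation line under "Addresses:"
    return resolver, name, answers

def assess(text):
    """Return findings for answers that point back into the LAN."""
    resolver, name, answers = parse_nslookup(text)
    findings = []
    for a in answers:
        ip = ipaddress.ip_address(a)
        if resolver and ip == ipaddress.ip_address(resolver):
            findings.append(f"{name} -> {a}: resolver returned its own address")
        elif any(ip in net for net in RFC1918):
            findings.append(f"{name} -> {a}: private address for a public name")
    return findings

# Constructed samples: ROUTER is modelled on the output quoted in the thread;
# DIRECT uses documentation addresses (203.0.113.10, 2001:db8::10), not real answers.
ROUTER = ("Server:  www.routerlogin.com\nAddress:  192.168.1.1\n\n"
          "Name:    google.com\nAddress:  192.168.1.1\n")
DIRECT = ("Server:  dns.google\nAddress:  8.8.8.8\n\nNon-authoritative answer:\n"
          "Name:    google.com\nAddresses:  2001:db8::10\n          203.0.113.10\n")
for label, out in (("router", ROUTER), ("direct", DIRECT)):
    print(label, assess(out) or "no findings")
```

A finding on the router's resolver with none on the direct query places the rewrite at the router's DNS service rather than upstream.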