
Nighthawk MR60 spying on my Internet usage

AEtherScythe
Aspirant

Nighthawk MR60 spying on my Internet usage

I installed a new Nighthawk AX1800 WiFi 6 Mesh System only to find that it is now the top user of DNS in my network and it's looking up the hostname of every IP any of my devices visit on the internet.  It's also constantly resolving Netgear.com.  I can only presume it's spying on my family and sending information about our network usage to Netgear.com.

 

Any recommendation on how to block the MR60 from doing this?

 

Telemetry, courtesy pi-hole.net:

930194E3-5A95-4B86-8728-6FF006EA3FB3.jpeg
DF4C534F-4C31-4394-BEC9-8C9C351CF8B2.jpeg

Model: Dual Band
Message 1 of 21
AEtherScythe
Aspirant

Re: Nighthawk MR60 spying on my Internet usage

Images did not go and cannot edit my post.  Let me try that again...

6D61F133-45F2-49F2-9225-C5A677EC404E.jpeg

 

3DAC7EE9-3A95-44A3-94DF-8EF3778970D6.jpeg

Message 2 of 21
AEtherScythe
Aspirant

Re: Nighthawk MR60 spying on my Internet usage

Don't know why the images won't show.  Here is a link to a post that includes the images:

 

https://www.reddit.com/r/NetworkSecurity/comments/myadne/i_installed_a_new_nighthawk_ax1800_wifi_6_m...

Message 3 of 21
Razor512
Prodigy

Re: Nighthawk MR60 spying on my Internet usage

For the occasional pings to netgear, that is to determine if you have a functional WAN connection. On the web UI, the internet status box relies on that data; beyond that no special data is sent. Basically if it fails to get a ping reply from netgear then it will not list the usual status of "GOOD" in the Internet box on the basic page.

 

As for DNS, the router has a built-in DNS server, and it will effectively cache DNS lookups from the 2 DNS servers in the internet setup page. This is why if you use a tool like GRC's DNS benchmark https://www.grc.com/dns/benchmark.htm you will see that, especially for cached results, the router is often the fastest to respond.

 

Many routers do this, and the DHCP server on the router will usually automatically assign the local IP of the router as one of your DNS servers.

 

If you would like to change that behavior, then you can by simply not using the router's DNS server, and if you are up for a thorough DNS benchmark, you can optimize things to pick the fastest servers for your specific location.

Message 4 of 21
AEtherScythe
Aspirant

Re: Nighthawk MR60 spying on my Internet usage

Hi, @Razor512.  Thanks for the reply.

 

FYI the MR60 is in Access Point (bridge) mode so it is not providing any DNS services.

Message 5 of 21
AEtherScythe
Aspirant

Re: Nighthawk MR60 spying on my Internet usage

Did anyone notice all the reverse IP lookups it's doing?  Bunch of cloudflare sites in addition to a ton of other lookups.

I need to turn off whatever is causing so many DNS lookups because the network is being provided via a Nighthawk LAX20 over LTE and I can't have all this gratuitous traffic being generated by the MR60.  It's costing me too much data on Verizon.

 

Clearly the MR60 isn't doing the lookups for no reason, it must also be connecting to the various sites.

 

At first I thought it might be the Anywhere Connect, opening sessions out through the LAX20 + Verizon double NAT to Cloudflare infrastructure, so that the Nighthawk app can get back through the double NAT to reach the MR60, but I have the Anywhere Connect turned off, so it shouldn't be doing that.

 

The MR60 is the most active device on the network.  It's ridiculous that a router that isn't even serving as a router would be the most active device on my network.  😞

 

I ultimately blocked the MR60's ability to reach port 53 on my pi-hole DHCP+DNS server a la (where 192.168.1.2 is the MR60 via DHCP reservation):

 

$ sudo /sbin/iptables -A INPUT -s 192.168.1.2 -i eth0 -p udp -m state --state NEW -m udp --dport 53 -j DROP

$ sudo /sbin/iptables -A INPUT -s 192.168.1.2 -i eth0 -p tcp -m state --state NEW -m tcp --dport 53 -j DROP

 

Now the MR60 is no longer the most active client using my Verizon LTE data.  But this is not a perfect solution.

I want the router to be able to check for firmware automatically.  It can't do that if it can't use DNS.

 

I just need to shut down whatever is doing all the gratuitous lookups and related traffic.

Message 6 of 21
Razor512
Prodigy

Re: Nighthawk MR60 spying on my Internet usage

So far the images are not loading and the reddit post has no images.

Message 7 of 21
Razor512
Prodigy

Re: Nighthawk MR60 spying on my Internet usage

Wanted to also add that some netgear products will do OUI lookups in order to provide more relevant information on the attached device list, which functions even when a device is in AP mode.

 

While none of the images are working yet, are you able to do a packet capture of the lookups it is doing to see what data is actually being sent and received?

Aside from that you will occasionally see traffic to one of the Netgear update servers when it checks for firmware updates. If you want to block all of those functions, you can keep it in router mode, and assign it a static IP for the web UI, disable its DHCP server, and then connect it to your main router via a LAN to LAN instead of LAN to WAN, then all of those requests will effectively be sent to a physical Ethernet port that has no connection.

 

Wanted to also add, if it supports the Netgear Armor service then the processes associated with it will remain partially active in performing various lookups on devices that connect to the network in order to deliver mobile alerts to the nighthawk app.

 

 

Message 8 of 21
AEtherScythe
Aspirant

Re: Nighthawk MR60 spying on my Internet usage

@Razor512 Weird. Reddit shows the images to me but only after I'm logged in.

 

Here's another try:

https://www.reddit.com/user/AEtherScythe/comments/mym3rn/i_installed_a_new_nighthawk_ax1800_wifi_6_m...

Message 9 of 21
AEtherScythe
Aspirant

Re: Nighthawk MR60 spying on my Internet usage

I did the math, just based on the screenshots that I shared.  The MR60 is doing just over 10,000 DNS queries a day.
Shouldn't be doing more than a small handful of queries a day to check for firmware updates (like once a day at most).

All those other lookups shouldn't be happening.  There should be a straightforward option to turn off whatever it's doing.

Message 10 of 21
Razor512
Prodigy

Re: Nighthawk MR60 spying on my Internet usage

That amount of traffic is strange. The only feature that will do a ton of requests that I know of under normal circumstances, is the Netgear Armor function where it will do a ton of stuff in the background when active, especially if it is doing a vulnerability scan.

Message 11 of 21
AEtherScythe
Aspirant

Re: Nighthawk MR60 spying on my Internet usage

Hi, @Razor512.

I wanted to ask for clarification on your earlier insights.

If I switch from AP to regular/router mode, and switch the physical connection and DHCP reservation for LAN to LAN instead of LAN to WAN, turn off DHCP, and all other unwanted services, does that effectively block all of the things you mentioned?

1) OUI lookups in order to provide more relevant information on the attached device list

2) Connections to Netgear update servers to check for firmware updates

3) Netgear Armor lookups -> alerts to Nighthawk app

 

And another I don't need:

 

4) Connections to Netgear for Nighthawk app, "Anywhere Connect" tunneling (which I've already disabled anyway, but at this point I trust nothing about what this router claims to be doing and not doing).

 

I need a complete solution for turning those things off.  I'm not using the Nighthawk app since it can do next to nothing for me re: the advanced settings I need for my configuration.

I have no interest in paying money to Verizon for gratuitous traffic going to Netgear and related cloudflare infrastructure.

 

Thanks for your help so far.  I appreciate it.

Message 12 of 21
AEtherScythe
Aspirant

Re: Nighthawk MR60 spying on my Internet usage

Isn't that strange? One of the images I originally uploaded to this thread is now showing.
The other still is not showing. Maybe it will eventually.
This forum software could apparently use some love. 😉
Message 13 of 21
Razor512
Prodigy

Re: Nighthawk MR60 spying on my Internet usage

When you do a LAN to LAN setup (this requires you to change the LAN IP of the router, e.g., if it is 192.168.1.1, change it to something else in the same range, e.g., 192.168.1.10 or anything not being used).

Then disable DHCP on the MR60. After disabling the DHCP server, then do a LAN to LAN connection, and it should still work pretty seamlessly.

 

All WAN directed stuff should stop at that point, though certain LAN facing items will still be present, such as when it scans for devices on the LAN as the attached devices list will still work, it just won't be able to grab additional info from the WAN.

 

Only downside is that you will no longer get automatic firmware updates, and the manual check will also fail, thus updating will require you to go to https://www.netgear.com/support/download/ and manually download updates and install them.

Message 14 of 21
AEtherScythe
Aspirant

Re: Nighthawk MR60 spying on my Internet usage

To get more insight into what is going on here, I grabbed the /var/log/pihole.log* files for the last 7 days and checked just what the MR60 (as client 192.168.1.2) is trying to resolve.  The list is pretty "telling."   It's definitely doing all the queries that any/all of my devices are doing, but also a huge number of reverse IP lookups.

 

$ grep 'from 192.168.1.2' pihole.log* | sed -n 's/.*] \([^ ]*\) from.*/\1/p' | sort | uniq -c | tee mr60.txt

 

I'll show just the most-used lookups.  For sure many of these are Netgear related, but a ton of them are not.

And when I look at the complete list I can see many many domains being referenced which are unique to my own Internet usage, such as certain podcasts and such that only I listen to and nobody else does.

 

5419 www.netgear.com
1516 time-b.netgear.com
1031 advisor.ngxcld.com
186 mesu.apple.com
126 www.apple.com
121 time-c.netgear.com
117 init-p01st.push.apple.com
92 lb._dns-sd._udp.net
88 1-courier.push.apple.com
85 1-courier.sandbox.push.apple.com
69 apple.com
62 suconfig.apple.com
56 xbroker-z2-i12.ngxcld.com
52 xbroker-z2-i16.ngxcld.com
52 api.smoot.apple.com
51 gspe1-ssl.ls.apple.com
51 e6858.dscx.akamaiedge.net
50 gsa.apple.com
48 cl2.apple.com
48 appleid.apple.com
46 xbroker-z2-i17.ngxcld.com
44 xbroker-z2-i24.ngxcld.com
43 init-p01md.apple.com
43 init.ess.apple.com
42 gs-loc.apple.com
42 gateway.icloud.com
41 uemm.dynatrace.ford.com
40 xbroker-z2-i8.ngxcld.com
40 xbroker-z2-i11.ngxcld.com
40 guzzoni.apple.com
38 xbroker-z2-i22.ngxcld.com
38 xbroker-z2-i13.ngxcld.com
38 radarsubmissions.apple.com
37 outlook.office365.com
37 gsp-ssl.ls.apple.com
36 init.itunes.apple.com
35 configuration.apple.com
34 xbroker-z2-i23.ngxcld.com
34 xbroker-z2-i15.ngxcld.com
33 p101-keyvalueservice.icloud.com
33 p101-fmfmobile.icloud.com
33 http.fw.updates1.netgear.com
32 xbroker-z2-i6.ngxcld.com
32 xbroker-z2-i4.ngxcld.com
32 xbroker-z2-i14.ngxcld.com
31 gateway.fe.apple-dns.net
30 xbroker-z2-i7.ngxcld.com
30 xbroker-z2-i19.ngxcld.com
30 gspe35-ssl.ls.apple.com
28 xbroker-z2-i5.ngxcld.com

 

Looking into the top reverse lookups it's almost all cloudfront:

 

$ cat /tmp/mr60arpa.txt | while read count rev ; do ip=$(echo $rev | awk -F. '{print $4 "." $3 "." $2 "." $1}'); echo $count $(getent hosts $ip) ; done
1121 13.226.13.13 server-13-226-13-13.ord51.r.cloudfront.net
1121 13.226.13.120 server-13-226-13-120.ord51.r.cloudfront.net
1120 13.226.13.99 server-13-226-13-99.ord51.r.cloudfront.net
1120 13.226.13.124 server-13-226-13-124.ord51.r.cloudfront.net
660 99.84.160.7 server-99-84-160-7.ord52.r.cloudfront.net
660 99.84.160.32 server-99-84-160-32.ord52.r.cloudfront.net
660 99.84.160.25 server-99-84-160-25.ord52.r.cloudfront.net
660 99.84.160.115 server-99-84-160-115.ord52.r.cloudfront.net
180 99.84.174.69 server-99-84-174-69.ord52.r.cloudfront.net
180 99.84.174.66 server-99-84-174-66.ord52.r.cloudfront.net
180 99.84.174.6 server-99-84-174-6.ord52.r.cloudfront.net
180 99.84.174.22 server-99-84-174-22.ord52.r.cloudfront.net
1 99.84.79.90 server-99-84-79-90.hio50.r.cloudfront.net
1 54.239.169.81 server-54-239-169-81.kix56.r.cloudfront.net
1 13.33.165.77 server-13-33-165-77.yto50.r.cloudfront.net
1 99.84.79.70 server-99-84-79-70.hio50.r.cloudfront.net
1 54.230.155.66 server-54-230-155-66.icn51.r.cloudfront.net
1 54.239.169.58 server-54-239-169-58.kix56.r.cloudfront.net
1 54.230.155.52 server-54-230-155-52.icn51.r.cloudfront.net
1 54.230.155.50 server-54-230-155-50.icn51.r.cloudfront.net
1 13.33.165.49 server-13-33-165-49.yto50.r.cloudfront.net
1 99.84.79.2 server-99-84-79-2.hio50.r.cloudfront.net
1 54.230.155.23 server-54-230-155-23.icn51.r.cloudfront.net
1 13.33.165.2 server-13-33-165-2.yto50.r.cloudfront.net
1 54.239.169.123 server-54-239-169-123.kix56.r.cloudfront.net
1 13.33.165.107 server-13-33-165-107.yto50.r.cloudfront.net
1 54.239.169.102 server-54-239-169-102.kix56.r.cloudfront.net
1 99.84.79.101 server-99-84-79-101.hio50.r.cloudfront.net

 

That's just the IPv4 stuff.  I need to see if I can do similar analysis for the IPv6 lookups.

 

 

 

Message 15 of 21
AEtherScythe
Aspirant

Re: Nighthawk MR60 spying on my Internet usage

About half an hour ago I posted a detailed analysis of the top 50 lookups the MR60 is doing.
Was my comment deleted by a moderator?

Message 16 of 21
Razor512
Prodigy

Re: Nighthawk MR60 spying on my Internet usage

Most modern forum software will use a range of automated filtering functions that will look for patterns such as a large number of URLs posted at once or various keywords. Sadly it is effectively unavoidable with public forums that want to allow for public registrations without annoying screening processes such as requiring the first few posts to be moderator approved.
I have moderated on a different forum in the past and it wasn’t uncommon to see the system block over 100 bot accounts within a single day, and that is with a captcha system. Sadly many mass spamming operations do effectively captcha farming, or sidejacking style malware where someone’s normal activity provides the data that google recaptcha needs.
Overall until something better comes out many forums will have a range of filters and other automations in place to prevent spam, even though that can have false positives (depending on the content).

 

In focusing more of the core issue, your best bet may be the LAN to LAN setup especially if Netgear armor is enabled and you don't want its cloud related network activity taking place.

 

 

Message 17 of 21
AEtherScythe
Aspirant

Re: Nighthawk MR60 spying on my Internet usage

The reply that disappeared was mostly just hostnames not URL's.

 

But anyway, I am keen on trying the LAN LAN mode, but the router is at my elderly parent's house 40 miles away, so I probably won't be able to get down there before Wednesday.

 

@Razor512 To my knowledge, I never enabled Netgear Armor.

How would I check and how would I disable it?

To me, Access Point mode should be "brick-stupid, do nothing but bridge the WiFi to my actual router."

That one button to turn on AP mode should disable all this other gratuitous nonsense.  😕

Message 18 of 21
Razor512
Prodigy

Re: Nighthawk MR60 spying on my Internet usage

Typically if you use the nighthawk app to set the device up then it automatically enables Netgear Armor. While more experienced users will be fine without it, if someone is new to computing, or infects their system via malvertising, then armor is pretty useful as if a malicious ad makes it past their adblocker, then at least the malware will not download in the vast majority of situations.

 

Aside from that, with the AP mode, it may be due to most people wanting to retain as many value add features as possible while in AP mode, as compared to just being a transparent bridge for the WiFi radio.

Message 19 of 21
AEtherScythe
Aspirant

Re: Nighthawk MR60 spying on my Internet usage

Since I can't get physically to the site where the routers are installed until tomorrow, I ended up calling BitDefender to have the Armor subscriptions invalidated.  Hoping that will help.

Message 20 of 21
AEtherScythe
Aspirant

Re: Nighthawk MR60 spying on my Internet usage

About the detailed analysis I did, which was deleted from this thread.
Here is a much more terse summary.

I could only check on the IPv4 traffic; could not find any way to get meaningful DNS lookups for the IPv6 traffic.

 

But just looking at the IPv4 traffic from last 7 days, here is the breakdown of the majority of fwd lookups, showing only the base domain from among the many individual sub domain/hostnames.

 

Fwd lookups -- as you can see, not all Netgear related; many are our general Internet usage.  This constitutes spying...

 

7131 netgear.com
1773 ngxcld.com
1678 apple.com
234 icloud.com
142 akadns.net
131 akamaiedge.net
84 ford.com
62 apple-dns.net
53 google.com
51 office365.com
40 akamai.net
36 aaplimg.com
30 icloud-content.com
22 cloudapp.net
21 facebook.com
19 ring.com
18 bugsnag.com
17 urbanairship.com
17 mzstatic.com
14 routerlogin.net
14 amazonaws.com

... (partial list)

 

Reverse lookups:

7858 cloudfront.com

(the only reverse lookup domain seen via IPv4.)

 

There were 15710 IPv6 reverse lookups, which I could not resolve.

Message 21 of 21
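The per-client triage that messages 15 and 21 carry out with grep/sed/awk, reworked as an added Python example (not code from the thread or from NETGEAR): it parses pihole.log lines in the dnsmasq query format, keeps only one client, splits forward lookups from PTR (reverse) lookups, converts in-addr.arpa and ip6.arpa names back into addresses (which covers the IPv6 reverse lookups the poster could not decode), rolls forward names up to a base domain and estimates queries per day. The log lines are constructed sample data; the two-label base_domain() rollup is a simplification, and the year is an assumption because pihole.log timestamps carry none.

```python
"""Pi-hole / dnsmasq query-log triage for one chatty client (added example)."""
import ipaddress
import re
from collections import Counter
from datetime import datetime

# One dnsmasq query line looks like:
# "Apr 26 10:00:01 dnsmasq[1234]: query[A] www.netgear.com from 192.168.1.2"
QUERY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) dnsmasq\[\d+\]: "
    r"query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<client>\S+)$"
)

# Constructed sample log: an "MR60" at 192.168.1.2 plus one other client.
# The ip6.arpa name is 2001:db8::1 written nibble-reversed (32 nibbles).
IP6_PTR = "1.0.0.0." + "0." * 20 + "8.b.d.0.1.0.0.2.ip6.arpa"
SAMPLE_LOG = "\n".join([
    "Apr 26 10:00:01 dnsmasq[1234]: query[A] www.netgear.com from 192.168.1.2",
    "Apr 26 10:00:01 dnsmasq[1234]: forwarded www.netgear.com to 1.1.1.1",
    "Apr 26 10:00:02 dnsmasq[1234]: query[A] time-b.netgear.com from 192.168.1.2",
    "Apr 26 10:00:03 dnsmasq[1234]: query[A] mesu.apple.com from 192.168.1.2",
    "Apr 26 10:00:03 dnsmasq[1234]: query[A] mesu.apple.com from 192.168.1.50",
    "Apr 26 10:00:04 dnsmasq[1234]: query[PTR] 13.13.226.13.in-addr.arpa from 192.168.1.2",
    f"Apr 26 10:00:05 dnsmasq[1234]: query[PTR] {IP6_PTR} from 192.168.1.2",
    "Apr 27 09:59:59 dnsmasq[1234]: query[A] www.netgear.com from 192.168.1.2",
])


def parse_queries(log_text):
    """Return (timestamp, qtype, name, client) for each query line; skip the rest."""
    out = []
    for line in log_text.splitlines():
        m = QUERY_RE.match(line)
        if m:
            out.append((m["ts"], m["qtype"], m["name"], m["client"]))
    return out


def ptr_to_address(name):
    """Turn a reverse-lookup name back into the address it asks about.
    Returns None for names that are not in-addr.arpa / ip6.arpa."""
    labels = name.rstrip(".").lower().split(".")
    if labels[-2:] == ["in-addr", "arpa"] and len(labels) == 6:
        return str(ipaddress.IPv4Address(".".join(reversed(labels[:4]))))
    if labels[-2:] == ["ip6", "arpa"] and len(labels) == 34:
        nibbles = "".join(reversed(labels[:32]))
        groups = [nibbles[i:i + 4] for i in range(0, 32, 4)]
        return str(ipaddress.IPv6Address(":".join(groups)))  # compressed form
    return None


def base_domain(name):
    """Collapse a hostname to its last two labels. Simplification: wrong for
    public suffixes such as co.uk, which need the Public Suffix List."""
    return ".".join(name.rstrip(".").lower().split(".")[-2:])


def summarize_client(log_text, client, year=2021):
    """Count what one client asks for, split forward/reverse, and rate it."""
    queries = [q for q in parse_queries(log_text) if q[3] == client]
    forward, reverse_v4, reverse_v6, other = Counter(), Counter(), Counter(), Counter()
    for _, qtype, name, _ in queries:
        if qtype != "PTR":
            forward[base_domain(name)] += 1
            continue
        addr = ptr_to_address(name)
        if addr is None:
            other[name] += 1
        elif ":" in addr:
            reverse_v6[addr] += 1
        else:
            reverse_v4[addr] += 1
    # pihole.log has no year (assumed); a window shorter than a day is
    # floored to one day so a few minutes of log do not extrapolate wildly.
    times = [datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S") for ts, *_ in queries]
    span_days = 1.0
    if times:
        span_days = max((max(times) - min(times)).total_seconds() / 86400, 1.0)
    return {
        "total": len(queries),
        "forward": forward,
        "reverse_v4": reverse_v4,
        "reverse_v6": reverse_v6,
        "other": other,
        "per_day": len(queries) / span_days,
    }


if __name__ == "__main__":
    s = summarize_client(SAMPLE_LOG, "192.168.1.2")
    print(f"{s['total']} queries, ~{s['per_day']:.0f}/day")
    for label in ("forward", "reverse_v4", "reverse_v6"):
        for name, n in s[label].most_common():
            print(f"{label:10} {n:5} {name}")
```

To run it against a real Pi-hole, replace SAMPLE_LOG with the concatenated contents of /var/log/pihole.log* (the rotated files use the same line format). A forward domain that only one household device should ever contact showing up under the access point's address is the same signal the poster describes; the reverse_v6 counter recovers the addresses behind ip6.arpa names so those can be compared against the IPv4 CloudFront ranges.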