DNS Rebind Flooding with query to apd-pcdnwxlogin.teg.tencent-cloud.net

Hi All,

I'm posting this here just in case somebody else has also noticed this on their routers. I only noticed this morning a continuous load on my CPU threads these past weeks, which made me question what is happening. After further analysis, it was dnsmasq that was eating it up, so I enabled log-queries in the configuration.

And I saw that I was being flooded with DNS queries for apd-pcdnwxlogin.teg.tencent-cloud.net. In my case it's actually not a DNS Rebind warning but an NXDOMAIN response, since I already blocked it via AdBlock a few months ago (this was when I first noticed those DNS queries, but at that time it only flooded for a few seconds and then stopped; this time it was almost continuous).

Doing an nslookup for apd-pcdnwxlogin.teg.tencent-cloud.net yields 0.0.0.1 (I've tried via 1.1.1.1, 8.8.8.8 and 9.9.9.9, all returning the same invalid IP).

On further investigation, out of a total of almost 25 devices that connect to my network, only one device was triggering this. It was my own Android device. Below are the details so far of my investigation.

Device: Xiaomi A2 Lite
Android: Stock firmware - Android 10 (not rooted)
**Culprit App**: **WeChat (version 8.0.24)**

And I think it's the only device that has WeChat installed. I'll be updating this post as I investigate further. So far, after doing a "Force Stop" I haven't seen the DNS query flooding.

Update 1: It is confirmed, it is the WeChat app.


The IP is not invalid per se, but definitely invalid as a Global response under normal circumstances, as a DSP IP, etc.

You just found a very clever way that app could check for servers running on the machine/local network itself.

See: https://en.ipshu.com/ipv4/0.0.0.1
Also see (same domain, another user): Raspberry Pi 4 WAN port lost connection after period of time


Should they ban allowing public DNS to be configured to assign such addresses? Anyway, the actual issue is, why is WeChat flooding the DNS with queries for it? Now I think the app is a trojan horse hahahaha

And I did see the other user with the Raspberry Pi, and I think there are 2 or 3 more users having the same issue for the same domain.

Actually, after reviewing the router stats for the past months, I think it has been happening in the background without me being any the wiser. When I first noticed the DNS Rebinding issue, my router was restarting from time to time. That's when I used AdBlock to block it, so I thought I had fixed it, but the issue was just hidden due to the fact that it's now an NXDOMAIN, so it's not showing in the regular logs.

I have noticed that some apps or devices will try over and over on NXDOMAIN, which I solved by just returning null 0.0.0.0 in dnsmasq:

address=/apd-pcdnwxlogin.teg.tencent-cloud.net/#

This returns NXDOMAIN:
address=/apd-pcdnwxlogin.teg.tencent-cloud.net/

Some other apps are just the opposite: returning 0.0.0.0 makes them try over and over, so NXDOMAIN works.

More info on the DNSMasq manpage
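To make the investigation from the first post and the two dnsmasq address= forms above repeatable, here is an added example (not code from the thread or from dnsmasq itself). It parses log-queries output, counts queries per client and domain to find a flooding device, flags upstream answers in 0.0.0.0/8 such as the 0.0.0.1 reported above, and builds the address= line in either the 0.0.0.0 or the NXDOMAIN form. The log lines are constructed in the shape dnsmasq writes with log-queries enabled; the client addresses, the 203.0.113.10 reply and the example.test name are made up.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the shape of dnsmasq's log-queries output (syslog timestamp
# and hostname trimmed). Clients, the 203.0.113.10 reply and example.test are made up.
SAMPLE_LOG = """\
dnsmasq[1234]: query[A] apd-pcdnwxlogin.teg.tencent-cloud.net from 192.168.1.50
dnsmasq[1234]: config apd-pcdnwxlogin.teg.tencent-cloud.net is NXDOMAIN
dnsmasq[1234]: query[A] apd-pcdnwxlogin.teg.tencent-cloud.net from 192.168.1.50
dnsmasq[1234]: config apd-pcdnwxlogin.teg.tencent-cloud.net is NXDOMAIN
dnsmasq[1234]: query[A] openwrt.org from 192.168.1.20
dnsmasq[1234]: forwarded openwrt.org to 1.1.1.1
dnsmasq[1234]: reply openwrt.org is 203.0.113.10
dnsmasq[1234]: query[A] apd-pcdnwxlogin.teg.tencent-cloud.net from 192.168.1.50
dnsmasq[1234]: config apd-pcdnwxlogin.teg.tencent-cloud.net is NXDOMAIN
dnsmasq[1234]: query[AAAA] apd-pcdnwxlogin.teg.tencent-cloud.net from 192.168.1.50
dnsmasq[1234]: config apd-pcdnwxlogin.teg.tencent-cloud.net is NXDOMAIN
dnsmasq[1234]: query[A] example.test from 192.168.1.77
dnsmasq[1234]: forwarded example.test to 1.1.1.1
dnsmasq[1234]: reply example.test is 0.0.0.1
"""

QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<client>\S+)")
ANSWER_RE = re.compile(r"(?:reply|config|cached) (?P<name>\S+) is (?P<answer>\S+)")


def count_queries(log_text):
    """Count query[...] lines per (client, name) pair."""
    counts = Counter()
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            counts[(m.group("client"), m.group("name"))] += 1
    return counts


def noisy_pairs(log_text, threshold):
    """(client, name) pairs seen at least `threshold` times, busiest first.
    With a real log this is how to single out the one device doing the flooding."""
    return [(pair, n) for pair, n in count_queries(log_text).most_common() if n >= threshold]


def suspicious_answers(log_text):
    """Answers in 0.0.0.0/8 other than 0.0.0.0 itself. 0.0.0.0 is a deliberate
    sinkhole (address=/name/#), but 0.0.0.1 from upstream is not a usable host
    address and is the kind of reply that trips dnsmasq's rebind warning."""
    here = ipaddress.ip_network("0.0.0.0/8")
    found = []
    for line in log_text.splitlines():
        m = ANSWER_RE.search(line)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group("answer"))
        except ValueError:
            continue  # NXDOMAIN, NODATA, <CNAME> and similar non-address answers
        if addr.version == 4 and addr in here and not addr.is_unspecified:
            found.append((m.group("name"), str(addr)))
    return found


def dnsmasq_address_line(name, sinkhole):
    """Build the address= line from the reply above.
    sinkhole=True  -> address=/name/#  (dnsmasq answers 0.0.0.0 and ::)
    sinkhole=False -> address=/name/   (dnsmasq answers NXDOMAIN)
    A URL scheme or path is rejected: address= takes a bare domain name."""
    if "://" in name or "/" in name:
        raise ValueError("address= expects a bare domain, not a URL: %r" % name)
    return "address=/%s/%s" % (name, "#" if sinkhole else "")


if __name__ == "__main__":
    for (client, name), n in noisy_pairs(SAMPLE_LOG, 3):
        print("%s asked for %s %d times" % (client, name, n))
    for name, addr in suspicious_answers(SAMPLE_LOG):
        print("upstream answered %s for %s" % (addr, name))
    print(dnsmasq_address_line("apd-pcdnwxlogin.teg.tencent-cloud.net", True))
    print(dnsmasq_address_line("apd-pcdnwxlogin.teg.tencent-cloud.net", False))
```

On a router, feed it the real output of `logread` (or the syslog file) after enabling log-queries; the threshold is per log window, so pick it from how many queries a normal client makes in that window. The scheme check in dnsmasq_address_line exists because a forum post or copy-paste easily turns the domain into a link, and `address=/http://...` is not a valid dnsmasq entry.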

But your DNS resolver will still be flooded with requests. See my post before yours. I noticed that my CPU overall usage (4-core router) was always peaking at 25%, which means that out of the 4 cores, one core is always at almost 100% usage.

When I enabled 'log-queries' in the dhcp config, that's when I saw dnsmasq being flooded by the DNS requests even though my DNS is already returning NXDOMAIN.

It depends on how the app was coded.

Some apps after getting an NXDOMAIN will try again over and over until it actually gets an IP. Others might try to keep connecting to 0.0.0.0 because it was actually a positive response.

Since you were already returning NXDOMAIN and it was still trying to connect, why don't you try returning 0.0.0.0 and see if it stops trying over and over?


I didn't post here to find a solution to the NXDOMAIN or DNS REBIND flooding. I posted here as an FYI to others who might encounter it. And I'm saying that, specific to the domain mentioned, it was the WeChat app that was the culprit. And seeing how it's doing the flooding, I think the app is like a trojan horse, and I've uninstalled it as I feel it's a dubious app doing such a thing.

Again, I wasn't asking for a solution.


No problem... Just as you left info for others in the future, the solution is here for others too.
