Help with system logs

Hello all,
Thanks for taking the time to read this. As far as tech savvy goes, I'm probably a 5/10. When it comes to networking, even less. I barely understand most of the posts in this forum, so please bear with me and, for any replies that you feel like leaving, just keep in mind that "normal speak" or high levels of translation would be as helpful as possible. Or...just tell me what I should do and I can knock it out.

Anyway, I purchased a commercial router about a month ago that already has OpenWRT on it (IQRouter). We had considerable difficulty with it at first, but most of the issues were mine or my ISP's, and the IQRouter folks have been very very helpful with just about everything. And...for the most part, things are waaaay more stable now; we are through the hard part. But...still a couple of issues to work through.

The only thing that I am very much stuck on at the moment is that the IQRouter tech specifically alerted me to some system logs that she deemed "very suspicious"...and I just can't figure out what's going on. I would like very much for someone to help me figure out how I can eliminate these things, or if I even should try to. The IQRouter tech said that the router and internet in the house would be more stable if I had some of these issues eliminated.

  1. Potential DNS rebinding attacks. How do I determine what machine is getting attacked or where this originated from? I see the attacks occurring very regularly in the logs, but I have no idea how to stop this or even how to know what machine/IP this is coming from inside the house. I've taken several measures to clean high-usage PCs of malware, adware and junkware, using lots of tools. Despite Google searches, I can't even figure out what the number means after the dnsmasq text. Can somebody explain that to me? The log message below repeats many times a day, all throughout the day. This is not a domain anyone in the house is familiar with - although I do have teenage kids, so that's kinda why I want to pinpoint the devices this is coming from. I have a general high-level idea of the rebind attack and what it is (sort of). But I don't know what machine this is coming from or what browsers it is occurring in. And I have like 6 PCs in the house, so protecting them more across the board is fine, but I still would like to know if I can pinpoint where this is coming from.

Sun May 17 12:57:58 2020 daemon.warn dnsmasq[3657]: possible DNS-rebind attack detected: pft.surveysedge.aresqa.pdx2.pftaresdev.rc.rcluster.io

  2. There are some other logs that aren't making any sense either, and I'm trying to determine if these are bad/negative and how to fix them. I know what these machines are, but these machines are usually pretty dormant and I'm trying to figure out what activities are trying to occur here. Is there a way to go back to these clients and figure out what software/services triggered these requests? Is there a way to determine if these requests were malicious in any way?

Sun May 17 10:02:37 2020 daemon.warn miniupnpd[2432]: upnp_event_process_notify: connect(192.168.7.102:2869): Operation timed out
Sun May 17 10:51:25 2020 daemon.warn miniupnpd[2432]: upnp_event_process_notify: connect(192.168.7.103:2869): Operation timed out

  3. Several clients, throughout the day, are kicking off the wifi and then reconnecting - whenever they want. This interruption causes some slight headaches in video calls and gaming. Can anybody tell me why I would see constant connections and then reconnections throughout the day? The logs are littered with the things below all day long. I assume some of these connects and reconnects are normal in the logs, but should they be contributing to wifi interruptions on the clients?

Sun May 17 08:30:25 2020 daemon.notice hostapd: wlan1: AP-STA-DISCONNECTED 0a:b1:5a:18:f1:3b
Sun May 17 09:00:01 2020 daemon.notice hostapd: wlan1: AP-STA-CONNECTED 0a:b1:5a:30:45:25
Sun May 17 09:00:03 2020 daemon.notice hostapd: wlan1: AP-STA-CONNECTED 0a:b1:5a:18:f1:3b
Sun May 17 09:10:37 2020 daemon.notice hostapd: wlan0: AP-STA-DISCONNECTED 9c:ae:d3:82:b5:68
Sun May 17 09:10:37 2020 daemon.notice hostapd: wlan0: AP-STA-CONNECTED 9c:ae:d3:82:b5:68
Sun May 17 09:20:21 2020 daemon.notice hostapd: wlan0: AP-STA-DISCONNECTED f0:a3:5a:77:ee:00
Sun May 17 09:20:21 2020 daemon.notice hostapd: wlan0: AP-STA-CONNECTED f0:a3:5a:77:ee:00
Sun May 17 09:20:22 2020 daemon.notice hostapd: wlan0: AP-STA-DISCONNECTED 9c:ae:d3:82:b5:68
Sun May 17 09:20:22 2020 daemon.notice hostapd: wlan0: AP-STA-CONNECTED 9c:ae:d3:82:b5:68
Sun May 17 09:20:23 2020 daemon.notice hostapd: wlan0: AP-STA-DISCONNECTED 52:d4:f6:0b:b1:59
Sun May 17 09:20:24 2020 daemon.notice hostapd: wlan0: AP-STA-CONNECTED 52:d4:f6:0b:b1:59
Sun May 17 09:20:26 2020 daemon.notice hostapd: wlan0: AP-STA-DISCONNECTED 34:12:98:3b:0a:45
Sun May 17 09:20:26 2020 daemon.notice hostapd: wlan0: AP-STA-CONNECTED 34:12:98:3b:0a:45
Sun May 17 09:27:52 2020 daemon.notice hostapd: wlan0: AP-STA-DISCONNECTED f0:a3:5a:77:ee:00
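As an added example (not part of the original post), here is a small Python triage script over the three kinds of lines quoted above, in the format OpenWrt's `logread` prints them. It counts the dnsmasq rebind warnings per name, the miniupnpd notification timeouts per LAN address, and for each wifi station pairs every AP-STA-DISCONNECTED with the next AP-STA-CONNECTED and measures the gap, flagging "flaps" (reconnects within a few seconds, which usually are roaming or power-save churn rather than a real outage). The sample log is a constructed subset of the lines in the post; the 5-second flap window is an arbitrary choice. Note that the dnsmasq rebind line itself carries no client address, so this parser cannot attribute it to a device.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample input: a subset of the lines quoted in the post above,
# in the order they appeared. Real input would be the output of `logread`.
SAMPLE_LOG = """\
Sun May 17 12:57:58 2020 daemon.warn dnsmasq[3657]: possible DNS-rebind attack detected: pft.surveysedge.aresqa.pdx2.pftaresdev.rc.rcluster.io
Sun May 17 10:02:37 2020 daemon.warn miniupnpd[2432]: upnp_event_process_notify: connect(192.168.7.102:2869): Operation timed out
Sun May 17 08:30:25 2020 daemon.notice hostapd: wlan1: AP-STA-DISCONNECTED 0a:b1:5a:18:f1:3b
Sun May 17 09:00:03 2020 daemon.notice hostapd: wlan1: AP-STA-CONNECTED 0a:b1:5a:18:f1:3b
Sun May 17 09:20:21 2020 daemon.notice hostapd: wlan0: AP-STA-DISCONNECTED f0:a3:5a:77:ee:00
Sun May 17 09:20:21 2020 daemon.notice hostapd: wlan0: AP-STA-CONNECTED f0:a3:5a:77:ee:00
Sun May 17 09:27:52 2020 daemon.notice hostapd: wlan0: AP-STA-DISCONNECTED f0:a3:5a:77:ee:00
"""

# logread line layout: "<wday> <mon> <day> <HH:MM:SS> <year> <facility.level> <program>[pid]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"(?P<fac>[\w.]+) (?P<prog>\w+)(?:\[\d+\])?: (?P<msg>.*)$"
)
STA_RE = re.compile(
    r"^(?P<iface>\w+): AP-STA-(?P<event>CONNECTED|DISCONNECTED) "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})$"
)
REBIND_RE = re.compile(r"^possible DNS-rebind attack detected: (?P<name>\S+)$")
UPNP_RE = re.compile(r"connect\((?P<ip>\d+\.\d+\.\d+\.\d+):\d+\): (?P<err>.+)$")

FLAP_SECONDS = 5  # assumed window: a reconnect this soon after a disconnect is churn, not an outage


def parse_line(line):
    """Split one logread line into (timestamp, program, message); None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
    return ts, m["prog"], m["msg"]


def summarize(log_text):
    rebind = Counter()               # suspicious name -> number of warnings
    upnp_timeouts = Counter()        # LAN client IP -> failed UPnP event notifications
    sta_events = defaultdict(list)   # station MAC -> [(timestamp, iface, event)]

    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, prog, msg = parsed
        if prog == "dnsmasq":
            m = REBIND_RE.match(msg)
            if m:
                rebind[m["name"]] += 1
        elif prog == "miniupnpd":
            m = UPNP_RE.search(msg)
            if m:
                upnp_timeouts[m["ip"]] += 1
        elif prog == "hostapd":
            m = STA_RE.match(msg)
            if m:
                sta_events[m["mac"]].append((ts, m["iface"], m["event"]))

    # Pair each DISCONNECTED with the next CONNECTED for the same station and
    # measure the gap. Sorting by timestamp only (stable sort) keeps the log
    # order for events that share the same second.
    reconnect_gaps = {}
    flaps = []
    for mac, events in sta_events.items():
        events.sort(key=lambda e: e[0])
        gaps = []
        last_disconnect = None
        for ts, _iface, event in events:
            if event == "DISCONNECTED":
                last_disconnect = ts
            elif event == "CONNECTED" and last_disconnect is not None:
                gap = (ts - last_disconnect).total_seconds()
                gaps.append(gap)
                if gap <= FLAP_SECONDS:
                    flaps.append((mac, gap))
                last_disconnect = None
        reconnect_gaps[mac] = gaps

    return {
        "rebind": rebind,
        "upnp_timeouts": upnp_timeouts,
        "reconnect_gaps": reconnect_gaps,
        "flaps": flaps,
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for name, n in result["rebind"].items():
        print(f"rebind warning x{n}: {name}")
    for ip, n in result["upnp_timeouts"].items():
        print(f"UPnP notify timeout x{n}: {ip}")
    for mac, gaps in result["reconnect_gaps"].items():
        print(f"{mac}: disconnect-to-reconnect gaps (s): {gaps}")
    print("flapping stations:", result["flaps"])
```

Run it against `logread` output piped from the router to see which stations reconnect within seconds (churn) versus which stay off for minutes; a MAC that reappears on a different wlan interface is moving between bands rather than dropping off the network.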

What version of OpenWrt are you using? Is it an official stable release directly from openwrt.org, or is it a forked version customized by the vendor?

That's a little hard to figure out since this is their branded router. They call their GUI version 3.3.2. I couldn't find anywhere in the router menus that refers to the OpenWRT version itself. I can say this: I've used OpenWRT routers in the past and recently. While the screens are IQRouter-branded screens, the menus seem very much the same. Status, Configure, Advanced, etc. I'm not certain, but I think very little is removed from the standard OpenWRT menu options.

I'm getting this about 3-5x per day now.

Sun May 17 18:45:24 2020 daemon.warn dnsmasq[3657]: possible DNS-rebind attack detected: pft.surveysedge.aresqa.pdx2.pftaresdev.rc.rcluster.io

On any normal OpenWrt release, it is very easy to identify -- it is presented at the bottom of the main LuCI login page and again in the system status the moment you log in.

You could try ssh-ing into the device and running this command:

cat /etc/banner

On any OpenWrt device, you will see something resembling this:

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt 19.07.2, r10947-65030d81f3
 -----------------------------------------------------

or, even if it is highly customized, usually there is some information about the origin of the firmware in the output of this:

cat /etc/os-release
NAME="OpenWrt"
VERSION="19.07.2"
ID="openwrt"
ID_LIKE="lede openwrt"
PRETTY_NAME="OpenWrt 19.07.2"
VERSION_ID="19.07.2"
HOME_URL="https://openwrt.org/"
BUG_URL="https://bugs.openwrt.org/"
SUPPORT_URL="https://forum.openwrt.org/"
BUILD_ID="r10947-65030d81f3"
OPENWRT_BOARD="ath79/generic"
OPENWRT_ARCH="mips_24kc"
OPENWRT_TAINTS=""
OPENWRT_DEVICE_MANUFACTURER="OpenWrt"
OPENWRT_DEVICE_MANUFACTURER_URL="https://openwrt.org/"
OPENWRT_DEVICE_PRODUCT="Generic"
OPENWRT_DEVICE_REVISION="v0"
OPENWRT_RELEASE="OpenWrt 19.07.2 r10947-65030d81f3"

What do you see when you run those commands?

What you have is clearly not an official version of OpenWrt, but it might have some commonalities, depending on the version. Beyond that, you might also be able to install an official release build if your device is supported -- if that is of interest to you.

Anyway, depending on the answers from above, you may not be able to get much relevant help here -- unless someone is specifically familiar with the version your system is using, it is unlikely that anyone would know what customizations might have been made that could affect this situation. But let's start with the information in the banner and in the os-release files.

A dns rebind error comes when an upstream dns server hands out private ip addresses to public clients for a given dns name. A public dns server should never be doing this.

When I try to resolve the name, I am in fact receiving a private ip address.

Non-authoritative answer:
Name:	pft.surveysedge.aresqa.pdx2.pftaresdev.rc.rcluster.io
Address: 10.40.255.246

So this means someone has misconfigured their dns and the error you are getting is indeed correct.
The real question seems to be: what on your network is trying to contact this host and why?

EDIT: the owner of that dns name is Riot Games (rcluster.io). They run League of Legends mobile versions in the US. So this error likely comes because someone in your house is playing one of Riot Games' apps on their mobile phone.

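The check described in the reply above (a public name answered with a private address), written out as an added Python example rather than anything from the thread or from dnsmasq itself. It applies the same test dnsmasq's rebind protection does to a resolver answer: any RFC 1918 / ULA, loopback, link-local or unspecified address counts as a rebind candidate unless the name sits under a domain that is allowed to resolve to private space (the role played by dnsmasq's `--rebind-domain-ok`, which OpenWrt exposes as `list rebind_domain` in /etc/config/dhcp). The answer table is constructed: the first entry reproduces the lookup quoted in the reply, the other two are made up for contrast. For attributing a query to a LAN client, the router would need dnsmasq query logging (`--log-queries`, OpenWrt's `option logqueries '1'`), since the warning line itself names only the domain.

```python
import ipaddress
import socket

# Constructed resolver answers. The first reproduces the lookup shown above;
# "public.example" and "printer.lan" are made-up names for contrast.
SAMPLE_ANSWERS = {
    "pft.surveysedge.aresqa.pdx2.pftaresdev.rc.rcluster.io": ["10.40.255.246"],
    "public.example": ["8.8.8.8"],        # public name, public address: fine
    "printer.lan": ["192.168.7.50"],      # local name, private address: expected
}


def is_rebind_answer(ip_text):
    """True if this address should never come back from a public resolver for a
    public name: RFC 1918 / ULA, loopback, link-local or the unspecified address."""
    ip = ipaddress.ip_address(ip_text)
    return ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_unspecified


def under_domain(name, domain):
    """True if name equals domain or is a subdomain of it (case-insensitive, trailing dots ignored)."""
    name, domain = name.rstrip(".").lower(), domain.strip(".").lower()
    return name == domain or name.endswith("." + domain)


def check_name(name, answers, allowed_domains=()):
    """Return the offending addresses in an answer (empty list means the answer is clean).

    allowed_domains mirrors dnsmasq's --rebind-domain-ok / OpenWrt's
    'list rebind_domain': names under them may legitimately resolve to private space.
    """
    if any(under_domain(name, d) for d in allowed_domains):
        return []
    return [a for a in answers if is_rebind_answer(a)]


def triage(answers_by_name, allowed_domains=()):
    """Apply check_name to a whole table; keep only names that would trip the protection."""
    report = {}
    for name, answers in answers_by_name.items():
        bad = check_name(name, answers, allowed_domains)
        if bad:
            report[name] = bad
    return report


def check_live(name, allowed_domains=()):
    """Resolve with the system resolver and apply the same test (needs network; not used in tests)."""
    addrs = {info[4][0] for info in socket.getaddrinfo(name, None)}
    return check_name(name, sorted(addrs), allowed_domains)


if __name__ == "__main__":
    # Local names are allowed to be private; everything else is checked.
    for name, bad in triage(SAMPLE_ANSWERS, allowed_domains=["lan"]).items():
        print(f"would trigger rebind protection: {name} -> {', '.join(bad)}")
```

Running it on the constructed table reports only the rcluster.io name. Adding `rcluster.io` to `allowed_domains` silences that one entry while leaving the protection in place for every other name, which is the narrower option compared with turning rebind protection off entirely.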

Hey everyone, thanks for the responses.

@psherman, I ssh'ed into the router, and IQrouter has its own banner image and lists its own version number. So it still shows the 3.3.2 version number, not the OpenWRT version.

I then tried your second part and listed the os-release info. Here's the result.
NAME="OpenWrt"
VERSION="SNAPSHOT"
ID="openwrt"
ID_LIKE="lede openwrt"
PRETTY_NAME="OpenWrt SNAPSHOT"
VERSION_ID="snapshot"
HOME_URL="https://openwrt.org/"
BUG_URL="https://bugs.openwrt.org/"
SUPPORT_URL="https://forum.openwrt.org/"
BUILD_ID="r12553-3666c67"
OPENWRT_BOARD="ramips/mt7621"
OPENWRT_ARCH="mipsel_24kc"
OPENWRT_TAINTS="no-all"
OPENWRT_DEVICE_MANUFACTURER="OpenWrt"
OPENWRT_DEVICE_MANUFACTURER_URL="https://openwrt.org/"
OPENWRT_DEVICE_PRODUCT="Generic"
OPENWRT_DEVICE_REVISION="v0"
OPENWRT_RELEASE="OpenWrt SNAPSHOT r

So what is the device -- brand + model? And if supported, are you able to upgrade to an official release build of OpenWrt?

@dl12345
Great info! So...I talked to my son. He plays Valorant and it is in fact from Riot Games (it's a new game that just came out of beta a couple of weeks ago). He said that as an anti-cheat tactic they install a rootkit on his machine (it's not a phone, it's a Win 10 PC). I generally know what that means, but what I don't know is...is that rootkit making that entry in the router system logs? Should I just allow that domain in the router whitelist and will that make it go away?

Speaking of DNS, I've tried a couple of custom ones in the router....Google....8.8.8.8 and 8.8.4.4, and then I've been using Verisign also, which is 64.6.64.6 and 64.6.65.6. But long story short, I've been getting that rebind error on both those custom DNS services.

It's an IQRouter V3, which you can find on Amazon.
Here's a link to their tech specs page.
https://evenroute.com/techspecs

I get that this is just somebody else's manufactured router and they have re-branded it with a custom version of OpenWRT on it. But at the same time, they have their own custom algorithms which help with bufferbloat in terms of traffic management. So I'm not sure I want to lose that functionality.

Quick history lesson, I bought this router because I was getting constant bufferbloat scores of F's, D's and C's on DSLRouter's speed test page on a lot of clients in the house. We had lag, bufferbloat, and lots of connection problems even with a high speed ISP service into the house. It was a little maddening.

So....It's the first thing they mention in the bullet point features on the tech spec link above. Now with the algorithms on this router, I'm getting mostly A's or A-'s all the time on bufferbloat on my speedtests. Not only that but there are other features in the router that let them see my logs if I push them to them and some other nice "support things".

I'm open to the conversation of switching, if someone persuaded me, but I think I would need to be persuaded.

It doesn't appear that there is support for the IQRouter in the official release builds, so that's a moot point.

But given that this is not a standard version of OpenWrt, I would recommend that you ask questions on their community forums (or reddit or wherever there is a user community for this device), since there may well be considerably different characteristics between the custom version they have created and the official one.

Regarding your Riot Games question -- it is possible someone here will know the details of what they are doing, but root-kits are typically a very heavy-handed and questionable method of 'securing' software. But maybe there is information related to the purpose of that server somewhere in discussions around the internet. And you could always try blacklisting it and see what happens to the game.

Thank you, I will check elsewhere for some other forums. I only started here because there are many other threads that deal with this router and it is based on OpenWRT. Thank you so much for answering these questions.

Nope. Riot Games has just misconfigured their DNS. They're serving a private address to public clients, which they should not be doing.

I'm not sure you can whitelist it per se. It's a valid error that dnsmasq is putting out. I don't think it will stop unless you turn off the rebind protection.

Thanks dl!
so....in other words, I have no control over this log error, it's Riot Games that's doing it, and for right now it's just an annoyance in the logs. I guess I could contact them directly or post on a gaming board somewhere that this is happening - maybe that gets their attention? There certainly is a lot of heated debate over this rootkit anyway, as people are trying to evaluate the beauty of cheat-free gaming vs giving a company control at a kernel level of their own PCs.

In the meantime, I started getting another rebind attack in the logs for a different domain, but wouldn't you know it, it's not there today. I'll wait til it comes back and post it again here.

Back to all this, I assume I don't want to turn off the rebind protection and it truly is protecting me from those types of attacks. I'm just wondering what is worse....a potential actual rebind attack or my router tripping over its own two feet due to Riot Games not having their DNS together. I guess what I'm saying is the IQRouter folks told me that the rebind attacks were causing some performance issues with the router. To what extent, I don't know. I guess I would have to ask them.

Why are all these posts being flagged, there is no blatant spamming going on, I'm trying to get a problem solved.