Has anyone been seeing, or does anyone know why, the OpenWrt OS seems to be constantly checking ncc.avast.com? I don't think I have any "extra" package added that would do so... Does anybody know why, or what the purpose of querying it is?
This is just a standalone router with a Quectel cellular module on it and NO DEVICE is connected to the router.
Yeah, I was wondering if anyone had this experience. So I would probably need to uninstall package by package. But my default firmware is pretty "clean"; the only packages I added were bandwidth monitor and banIP. I already removed banIP; I guess I will try removing Bandwidth Monitor, but I'm not sure why these would do that. I also did a string search on the OpenWrt source code directory but couldn't find anything either... weird.
So, a bit more information. I did a tcpdump, and in Wireshark I see that all these queries were generated with an IPv6 source IP. Then I found that you can "log" where these queries are coming from to syslog in the DHCP/DNS settings, which I did. Looking at the syslog, is there any way I can find out what program or process is doing the query?
I am connected to the router from my computer, but on my computer (Windows 11), on the interface connected to the router, I didn't specify any gateway or DNS server, so these queries couldn't be coming from my computer. Plus, I would think Wireshark would show the source IP being my computer, but it doesn't; it just shows these IPv6 addresses (or they seem to be IPv6, right)?
The computer is likely sending these DNS requests to the router, and the router is then, in turn, sending the DNS queries out to external servers.
To prove or disprove this, you can try the following:
Create a rule to reject port 53 (TCP & UDP) traffic from the LAN (or the Windows 11 computer).
If done properly, this will cause DNS failures on the computer and make internet browsing effectively impossible.
To be clear, if the Windows machine (or really any computer) is connected to the router and is able to reach the internet, it will almost certainly be doing DNS queries for all sorts of things.
This statement appears to be incorrect or misleading, as you have a Windows 11 machine connected to the router in order to see the Wireshark data.
OK, thx, that was my next step. I will disconnect my computer and go into the router via the cellular side and see... I didn't think the computer was capable of sending DNS to the router without a gateway or DNS server specified on the NIC interface. And second, I didn't think about that because the source IP wasn't my computer (which is 10.10.4.200) and it is all IPv6. Thank you!
I agree.... a quick search on the OP's computer will almost certainly reveal AVAST is installed.
Proving that the Windows 11 machine is the source of the vast majority of the DNS queries is simple -- prevent it from accessing the internet entirely.
IPv6 auto configuration will set all of those things for you. Whether that's via SLAAC (stateless autoconf) or DHCP6 isn't really relevant, they both Just Do It.
I'm almost certain you have Avast installed on your PC.
Yes, the computer (not mine, but the test PC that connects to the router) has Norton Antivirus running. But then again, on the interface of the NIC that is connected to the router, there is no gateway or DNS server configured, so that made me think there was no way the router would route DNS queries to the router... but I guess it does. So as soon as I disconnect the router we will see...
OK, so it seems it was the computer that is connecting to it, even though no DNS or gateway was specified. So then how the heck did the computer know to send DNS queries to the router? Meaning, how does it even know what IP or port to send to, since nothing was defined on the NIC? Meaning, does OpenWrt somehow "broadcast" to the network saying "hey, I've got a DNS server here, please route your DNS queries to me"? Or how else? If my computer is on 10.10.4.100 and the router is on 10.10.4.200, and the gateway and DNS are not defined on the NIC, how does it know to send DNS queries to 10.10.4.200?
Sorry, can I ask how I can block DNS queries then? And again, how does my computer (even if it is IPv6) know to send queries to the router? Is there a way to NOT have OpenWrt broadcast its presence? I know this might not make sense, but how can I only allow devices that DID USE the OpenWrt router as their gateway to make DNS queries?
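An added example, not from any poster in this thread: once dnsmasq query logging is turned on as described above, each `query[...] ... from <address>` line names the source, so a short script can tell the router's own lookups apart from a LAN client's. The log lines, addresses and PID below are constructed, and the script assumes the router's own processes resolve over loopback (127.0.0.1 or ::1).

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of dnsmasq query logging as seen in syslog (not real data).
SAMPLE_LOG = """\
Wed Jan 10 09:15:01 2024 daemon.info dnsmasq[2211]: query[A] ncc.avast.com from fe80::1c2d:3eff:fe4f:5a6b
Wed Jan 10 09:15:01 2024 daemon.info dnsmasq[2211]: forwarded ncc.avast.com to 8.8.8.8
Wed Jan 10 09:15:02 2024 daemon.info dnsmasq[2211]: query[AAAA] ncc.avast.com from fe80::1c2d:3eff:fe4f:5a6b
Wed Jan 10 09:15:07 2024 daemon.info dnsmasq[2211]: query[A] openwrt.pool.ntp.org from 127.0.0.1
Wed Jan 10 09:15:09 2024 daemon.info dnsmasq[2211]: query[A] ncc.avast.com from 10.10.4.50
"""

# Only "query[TYPE] name from source" lines carry the requester's address.
QUERY_RE = re.compile(r"dnsmasq\[\d+\]: query\[(\w+)\] (\S+) from (\S+)")


def classify(addr):
    """Label a query source as the router itself or a client on the network."""
    ip = ipaddress.ip_address(addr.split("%")[0])  # drop any %iface zone suffix
    if ip.is_loopback:
        return "router"  # assumption: local processes resolve via loopback
    if ip.is_link_local:
        return "client (link-local)"  # e.g. an fe80:: address from IPv6 autoconfig
    return "client"


def attribute(log_text, domain):
    """Count queries for `domain` per (source address, label)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and m.group(2).lower().rstrip(".") == domain:
            src = m.group(3)
            counts[(src, classify(src))] += 1
    return counts


if __name__ == "__main__":
    for (src, label), n in attribute(SAMPLE_LOG, "ncc.avast.com").most_common():
        print(f"{n:3d}  {src:30s} {label}")
```

A source that is never loopback points at a connected device rather than a package on the router; matching the link-local address to a host is then a neighbour-table lookup on the router.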