Weird DNS requests--am I compromised?

This morning I realized my home server's main disk was completely full. When I looked into why, it turned out my Adguard logs were HUGE. Looking into them, since about 13:00 yesterday there has been an absolute explosion of DNS requests from my router, a GWIFI puck running OpenWrt snapshot. It's always to the same two sites (globo.com and cisco.com) and several times a second. I've been running it without issue since May or so; is this a bug or did someone somehow get in?

The first one looks like a red-top tabloid from South America(?) and the second is a "well known" hardware manufacturer with more than one controversy (including backdoors :door: and censorship :face_with_symbols_over_mouth:).

The question I would ask: Which device in your network is doing these requests?

EDIT: Someone sabotaged the quote! :see_no_evil:

1 Like
  • Do you have make/model and version info?
  • This is the router, correct?

Does your OpenWrt run a DNS server - or is it the requester of the records?

I would simply run tcpdump to see the SRC of the requests.

1 Like

Thanks for the prompt replies! The Adguard instance is running on my server. It shows every device on the network as a separate IP, so I'm fairly certain the router isn't just forwarding requests and is actually generating them. Would tcpdump still be useful in that instance?

EDIT: I'll get the exact version info when I get home, but it's whatever build the link that is currently on the wiki for the Google Wifi AC-1304.

There has to be a DNS request going to the DNS Resolver. So the goal is to observe the SRC of the requests in question.

I'm guessing this isn't the OpenWrt, then?

To be clear: Run tcpdump on the DNS Server/Resolver.

tcpdump -vvn -i ethX port 53

Look for the SRC IP of the DNS requests matching the problematic domains.

Not really helpful, since I still think you haven't provided sufficient info about your setup, but I've had this in the past, when my cloud-based Pi-holes were overexposed to the Internet.

I mapped the hammered FQDNs to 127.0.0.1, making the requesting hosts (try to) connect to themselves; when I got bored, I restricted the access to the Pis in the firewall :wink:

Of course, now that I have the time to run tcpdump the mysterious requests have stopped! According to logs it stopped some time last night. Thanks for the help everyone. I'll keep an eye on it and report back with any new information.

Wow!
I was overwhelmed with DNS requests for "cisco.com" and "globo.com" around the same time as you were. I joined this forum just to reply in this thread.

I had just recently installed Pi-hole in a Hyper-V VM. Its LAN address is 192.168.0.251.
Not long after, I noticed tons of DNS requests - far more than reasonable for my small LAN - in Pi-Hole's logs. This image shows the impact on my internal DNS traffic.

From my router logs, I was getting these:

[09/Oct/2023 22:38:50] {dns} [ 64419 ] DNS query for name cisco.com returned no records
[09/Oct/2023 22:38:50] {dns} [ 64419 ] Got answer from 192.168.0.251, ttl = 2147483647
[09/Oct/2023 22:38:50] {dns} [ 64419 ] Forwarding reply to 170.254.194.97:23586 id 44294
[09/Oct/2023 22:38:50] {dns} [ 64417 ] Reply from 192.168.0.251
[09/Oct/2023 22:38:50] {dns} [ 64417 ] Truncated answer

and these:

[09/Oct/2023 22:38:50] {dns} [UDP] query from 170.254.193.17:31282
[09/Oct/2023 22:38:50] {dns} question: TXT, cisco.com, id 27823
[09/Oct/2023 22:38:50] {dns} Custom forwarder: 192.168.0.251 returned from pool
[09/Oct/2023 22:38:50] {dns} Custom forwarder: DNS server 192.168.0.251 selected (UDP)
[09/Oct/2023 22:38:50] {dns} [ 64429 ] Querying server 192.168.0.251, query cisco.com, type TXT, attempt 1
[09/Oct/2023 22:38:50] {dns} [ 64430 ] Cannot query DNS server; no DNS server specified, 182.193.254.170.in-addr.arpa.

I then black-holed "cisco.com" (I don't have any Cisco equipment) in my router's hosts file.

That gave me log entries like these:

[09/Oct/2023 22:39:12] {dns} question: TXT, cisco.com, id 54875
[09/Oct/2023 22:39:12] {dns} DnsResolver: DNS name cisco.com resolved from host file as 127.0.0.1
[09/Oct/2023 22:39:12] {dns} [ 936 ] Cannot query DNS server; no DNS server specified, 189.192.254.170.in-addr.arpa.
[09/Oct/2023 22:39:12] {dns} [UDP] query from 170.254.192.189:28419
[09/Oct/2023 22:39:12] {dns} question: TXT, cisco.com, id 2241
[09/Oct/2023 22:39:12] {dns} DnsResolver: DNS name cisco.com resolved from host file as 127.0.0.1
[09/Oct/2023 22:39:12] {dns} [ 937 ] Cannot query DNS server; no DNS server specified, 218.192.254.170.in-addr.arpa.
[09/Oct/2023 22:39:12] {dns} [UDP] query from 170.254.192.218:31878
[09/Oct/2023 22:39:12] {dns} question: TXT, cisco.com, id 20863
[09/Oct/2023 22:39:12] {dns} DnsResolver: DNS name cisco.com resolved from host file as 127.0.0.1
[09/Oct/2023 22:39:12] {dns} [ 938 ] Cannot query DNS server; no DNS server specified, 8.194.254.170.in-addr.arpa.

DNS requests abated for a short bit, but then I started getting requests for "globo.com". I blacklisted that domain in Pi-Hole.

I knew something was wrong. Without going into specifics about my setup, I checked all my routers' rules - firewall, NAT, port translations, etc.
I found an old rule at the bottom of a "Bypass" list that I rarely scrolled down to, that allowed DNS client traffic from the Internet into my LAN. The rule was years old! This may have been happening, off and on, for a long time and I never noticed.
I am truly an idiot.

By sheer happenstance, some host, apparently from Brazil, was flooding me with DNS requests at the same time I was closely monitoring my DNS traffic.

Long story short: check your rules. You may find an October surprise.

1 Like
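Added example, not code from any poster in this thread: it applies the "look for the SRC IP" advice from earlier in the thread to the router's `{dns}` log format quoted in the post above, pairing each "query from" line with its "question:" line and flagging any query whose source is not a private/LAN address. The sample lines reuse the post's entries; the 192.168.0.23 / openwrt.org entry is constructed as a legitimate LAN client for contrast.

```python
import re
import ipaddress
from collections import Counter

# Sample lines in the router's {dns} log format quoted in the post above;
# the 192.168.0.23 entry is constructed to show a legitimate LAN client.
SAMPLE_LOG = """\
[09/Oct/2023 22:38:50] {dns} [UDP] query from 170.254.193.17:31282
[09/Oct/2023 22:38:50] {dns} question: TXT, cisco.com, id 27823
[09/Oct/2023 22:39:12] {dns} [UDP] query from 170.254.192.189:28419
[09/Oct/2023 22:39:12] {dns} question: TXT, cisco.com, id 2241
[09/Oct/2023 22:39:12] {dns} [UDP] query from 170.254.192.218:31878
[09/Oct/2023 22:39:12] {dns} question: TXT, cisco.com, id 20863
[09/Oct/2023 22:39:30] {dns} [UDP] query from 192.168.0.23:51234
[09/Oct/2023 22:39:30] {dns} question: A, openwrt.org, id 101
"""

QUERY_RE = re.compile(r"\{dns\} \[(UDP|TCP)\] query from (\S+):(\d+)$")
QUESTION_RE = re.compile(r"\{dns\} question: (\w+), ([^,]+), id (\d+)$")

def parse_queries(log_text):
    """Pair each 'query from' line with the 'question:' line that follows it.
    Returns a list of (source_ip, qtype, qname) tuples."""
    queries, pending_src = [], None
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            pending_src = m.group(2)
            continue
        m = QUESTION_RE.search(line)
        if m and pending_src is not None:
            queries.append((pending_src, m.group(1), m.group(2)))
            pending_src = None
    return queries

def external_sources(queries):
    """Count (source_ip, qname) pairs whose source is not a private/loopback
    address. A home resolver should never see these; any hit means the resolver
    answers queries from the Internet (the old 'Bypass' rule in the post)."""
    hits = Counter()
    for src, _qtype, qname in queries:
        if not ipaddress.ip_address(src).is_private:
            hits[(src, qname)] += 1
    return hits

if __name__ == "__main__":
    for (src, name), n in external_sources(parse_queries(SAMPLE_LOG)).items():
        print(f"OPEN RESOLVER? {n} query(ies) for {name} from non-LAN {src}")
```

Run it against a real log export instead of `SAMPLE_LOG`; a non-empty result is the cue to check the firewall/NAT rules before anything else.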

Oof, that MUST be it. I must have fucked up when setting up my rules and am forwarding outside DNS traffic to my server. Thanks for the tip!