Suspicious DNS queries with new Draytek Vigor 166 setup

Started by fastboot, December 02, 2023, 12:04:47 PM

@fastboot

1. can you confirm if the V166 has been configured in Modem/Bridge Mode or in Router Mode?

2. the V166 (like all the Draytek modem/routers) have Google DNS IP addresses hardcoded (I'm afraid), but in bridge mode it doesn't make any difference as the appliance is a 'dumb' modem, so they are not being used.

Quote from: cookiemonster on December 08, 2023, 06:31:19 PM
I don't quite get the Vigor function but doesn't seem to matter.
This is how I do it: When you do your packet capture on OPN, select all interfaces in use, and set promiscuous mode. A file for each will be created. Then I use the WAN file first for the client IP. Then I go to the file of the interface with that network segment.
I read your first post again and I see you've done this BUT if the connection is visible on the WAN, it MUST have originated on the LAN or the system itself if it is a) hosting some application code that could be the culprit or b) it was compromised somehow.
In ALL cases, the packets captured will tell the origin; if you can't see it in your LAN captures, there's something not set correctly. VLANs by any chance?

Hi Cookiemonster,
that was literally what I was saying. There must be an origin. But with the packet captures within my whole setup, I could not see anything to that destination IP, except on the PPPoE interface. So my assumption is that it comes from the modem itself.

"In ALL cases, the packets captured will tell the origin, if you can't see it in your LAN captures, there's something not set correctly. "
Indeed. That's why I've opened this thread, as I cannot explain where it comes from. Because the origin within the dumps, and just on the firewall, is the firewall itself on interface PPPoE (WAN). Nowhere else.

Quote from: hushcoden on December 08, 2023, 07:29:25 PM
@fastboot

1. can you confirm if the V166 has been configured in Modem/Bridge Mode or in Router Mode?

2. the V166 (like all the Draytek modem/routers) have Google DNS IP addresses hardcoded (I'm afraid), but in bridge mode it doesn't make any difference as the appliance is a 'dumb' modem, so they are not being used.

1. can you confirm if the V166 has been configured in Modem/Bridge Mode or in Router Mode?
=> Yes, I do confirm

2. the V166 (like all the Draytek modem/routers) have Google DNS IP addresses hardcoded (I'm afraid), but in bridge mode it doesn't make any difference as the appliance is a 'dumb' modem, so they are not being used.
=> That's correct. But so far no queries to 8.8.8.8


But I did some changes here to test even more.

What I did

1. Remove all DNS servers (IPv4+6) from System - Settings - General
2. Enable Unbound DNS, configure several DNS servers for IPv4+6 under DNS over TLS and harden the settings.

Result so far: The DNS requests are silent. The IP I mentioned in the previous posts is not called again.
Also interesting is that I found even more DNS queries from the FW itself to random DNS servers, which are configured nowhere.

So the fact that the queries have stopped now due to the changes, and that I found even more DNS queries in the logs to random servers, raises way more questions for me.

I will check to get a network tap next week, to put it between FW and modem. Furthermore I've asked someone from our RedTeam to help me reverse the firmware of the Draytek. When I started to use the Draytek, it was delivered with an older firmware. Due to an open CVE I updated and then the mess started. But let's see.

Still... If anyone could tell me which tool I can use on the shell to see which process calls an IP, I would be very grateful. (like lsof on Linux?) netstat does not work that well for this.
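The correlation cookiemonster describes (capture on every interface, then trace each WAN-side DNS query back to the LAN segment it came from, or to the firewall itself if no LAN copy exists) can be automated over the text output of the captures. The script below is an added example and not code from the thread or from OPNsense; the tcpdump lines, the interface names pppoe0/lan0 and the allowed resolver 9.9.9.9 are constructed sample values. Because NAT rewrites the source address on the WAN, queries are matched by destination, DNS transaction id and queried name rather than by source.

```python
import re

# Constructed tcpdump -n lines, one list per captured interface (sample data, not
# captures from this thread). "pppoe0" is assumed to be the WAN, "lan0" the LAN.
CAPTURES = {
    "pppoe0": [
        "12:04:47.100001 IP 203.0.113.5.41000 > 8.8.8.8.53: 1+ A? example.net. (29)",
        "12:04:48.200002 IP 203.0.113.5.41001 > 198.51.100.77.53: 2+ A? update.example. (32)",
        "12:04:49.300003 IP 203.0.113.5.41002 > 9.9.9.9.53: 3+ A? opnsense.org. (30)",
    ],
    "lan0": [
        "12:04:47.100000 IP 192.168.1.20.55000 > 8.8.8.8.53: 1+ A? example.net. (29)",
    ],
}
ALLOWED_RESOLVERS = {"9.9.9.9"}  # resolvers the firewall is configured to use (assumed)
WAN_IF = "pppoe0"

# A plain IPv4 DNS query line as printed by tcpdump -n (destination port 53).
DNS_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.53: "
    r"(?P<txid>\d+)\+?\s+(?P<qtype>\S+)\? (?P<qname>\S+)"
)

def parse_queries(lines):
    """Parse DNS query lines into dicts; lines that are not DNS queries are skipped."""
    return [m.groupdict() for m in map(DNS_RE.match, lines) if m]

def find_unexpected(captures, wan_if=WAN_IF, allowed=ALLOWED_RESOLVERS):
    """Report each WAN DNS query to a non-configured resolver together with its origin.

    A WAN query with a matching (dst, txid, qname) on some LAN capture originated on
    that LAN host; one with no LAN counterpart was generated by the firewall host.
    """
    lan_index = {}
    for ifname, lines in captures.items():
        if ifname != wan_if:
            for q in parse_queries(lines):
                lan_index[(q["dst"], q["txid"], q["qname"])] = (ifname, q["src"])
    findings = []
    for q in parse_queries(captures[wan_if]):
        if q["dst"] in allowed:
            continue
        origin = lan_index.get((q["dst"], q["txid"], q["qname"]), ("firewall-host", q["src"]))
        findings.append({"dst": q["dst"], "qname": q["qname"],
                         "origin_if": origin[0], "origin_ip": origin[1]})
    return findings

if __name__ == "__main__":
    for finding in find_unexpected(CAPTURES):
        print(finding)
```

Feed it the text of one capture per interface (for example `tcpdump -n -r <file>`) and a query reported as `firewall-host` is exactly the case discussed in this thread: seen leaving the PPPoE interface with no LAN counterpart.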



Have you made any progress in your analysis?
I stumbled across this topic as I have a similar setup and behaviour.
I have a DrayTek Vigor 165 with firmware 4.1.1_STD set up in bridge mode.

In my FW logs I see many requests on the WAN interface to (unknown to me) IPs on port 53 (attached screenshot).
I wonder a) where these requests are coming from and b) what strange DNS (?) servers these are.