Roku DNS storm is impacting OPNsense

Started by OPNenthu, Today at 11:44:12 AM

I'm seeing this exact issue: https://github.com/FreshTomato-Project/freshtomato-arm/issues/268

My parents have a Roku box that just started flooding DNS to its telemetry endpoints which are blocked by DNSBL policy.  I'm seeing millions of requests in the reporting period (I think OPNsense keeps last 24 hrs).  The only issue is that it's causing log buildup which is overwhelming the system.  Memory use went from ~20% (baseline) to over 60%, mostly due to Unbound's logger (attached).  The Unbound reporting is taking half a minute to load.  Also seeing slowdowns in the live view and Firewall widget loading.


What I did remotely was to force the WiFi client to reconnect via the UniFi console.  Unfortunately it immediately started spamming DNS again once it reconnected.  For the moment I've blocked the device from internet access.

The recommendation in the GH link is to redirect the telemetry endpoint to some blackhole IP instead of 0.0.0.0.  I think that could end up being a maintenance issue if the hostnames change, so I'm wondering if I can instead rate limit the DNS requests just from this device?  A quick forum search seems to indicate there's no way to do that, but I'm not sure.  Appreciate tips on how to best proceed (short of throwing the Roku in the trash).
N5105 | 8/250GB | 4xi226-V | Community
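As an added illustration (not from this thread, OPNsense or Unbound), a small Python script that spots the kind of per-client flood described above by scanning Unbound query-log lines for one client repeating one name many times inside a short window. The log line shape is an assumption (Unbound `log-queries` behind a syslog prefix) and the sample lines are constructed, not a real capture.

```python
import re
from collections import defaultdict

# Assumed line shape (Unbound with log-queries: yes, behind a syslog prefix):
#   "<timestamp ...> unbound[...] info: <client-ip> <qname>. <qtype> <qclass>"
TS_RE = re.compile(r"(\d\d):(\d\d):(\d\d)")
Q_RE = re.compile(r"info: (\S+) (\S+)\. (\S+) (\S+)\s*$")

def parse_line(line):
    """Return (seconds_of_day, client, qname) or None for non-query lines."""
    ts, q = TS_RE.search(line), Q_RE.search(line)
    if not ts or not q:
        return None
    h, m, s = (int(x) for x in ts.groups())
    return h * 3600 + m * 60 + s, q.group(1), q.group(2).lower()

def find_storms(lines, window_s=10, threshold=50):
    """Map client -> (qname, peak count) for clients that repeat one name
    at least `threshold` times inside any `window_s`-second window."""
    stamps = defaultdict(list)          # (client, qname) -> [seconds_of_day]
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            t, client, qname = parsed
            stamps[(client, qname)].append(t)
    storms = {}
    for (client, qname), times in stamps.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):  # two-pointer sliding window
            while t - times[start] > window_s:
                start += 1
            count = end - start + 1
            if count >= threshold and count > storms.get(client, ("", 0))[1]:
                storms[client] = (qname, count)
    return storms

def sample_log():
    """Constructed sample, not a real capture: one client hammering a
    DNSBL-blocked telemetry name, one quiet client."""
    fmt = "Oct 10 11:40:{:02d} opnsense unbound[3001:0] info: {} {}. A IN"
    storm = [fmt.format(i % 10, "192.168.1.50", "brewster.logs.roku.com")
             for i in range(120)]
    quiet = [fmt.format(i * 20, "192.168.1.20", "opnsense.org") for i in range(3)]
    return storm + quiet

if __name__ == "__main__":
    for client, (qname, n) in find_storms(sample_log()).items():
        print(f"{client}: {n} lookups of {qname} within 10s")
```

Pointed at a real resolver log, the output names the client and hostname to act on before the log volume itself becomes the problem.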

Why not redirect the Roku to 127.0.0.1, letting it spam itself?
- Jim

Today at 12:34:08 PM #2 Last Edit: Today at 12:40:42 PM by OPNenthu
It was tried (4th comment in the ticket) and apparently only worked initially.

Worth a shot, though.

(EDIT): I think the problem is that I would have to set up an alias with the specific telemetry endpoints to use as the destination in the DNAT rule.  Roku apparently has many such endpoints.  I can't keep such a list manually updated and reliable.

For example, in my logs it's spamming "brewster.logs.roku.com" but in the logs in the linked ticket it's spamming "bayside.logs.roku.com".
N5105 | 8/250GB | 4xi226-V | Community

Today at 12:50:08 PM #3 Last Edit: Today at 12:54:26 PM by Monviech (Cedrik)
You might be able to use a firewall overload table combined with a block rule.

If your DNS rule matches and too many requests are sent then the client will be added to the defined overload table.

Then with a block rule before the DNS allow rule, that client will be blocked for some time.

But that would block all DNS traffic of that client. So kinda moot if it should still be allowed "something" and only telemetry should be blackholed.

If the telemetry endpoints are all under some certain wildcard domains you could also use a dnsmasq ipset alias to banish them to the shadow realm.
https://docs.opnsense.org/manual/dnsmasq.html#firewall-alias-ipset

Hardware:
DEC740

In AdGuard Home you could do something like this:

rewrites:
  - domain: '*.logs.roku.com'   # quoted: a bare leading '*' is a YAML alias
    answer: 127.0.0.1

And in Unbound:

Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)