    Confusion About Log Entry

General pfSense Questions
dma_pf wrote:

      I have a vlan set up at 192.168.168.1/24 with only 1 roku device at 192.168.168.2.

I have a server set up at 192.168.163.25 (vm1rds1) whose only role is to serve 4 different programs to Remote Desktop Services users (Word, Excel, PDF reader, Goldmine CRM). None of those programs has anything to do with roku.

      In pfblocker's reports tab I see a bunch of blocked entries showing that the server is attempting to access a roku.com server, like this:

[attached screenshot: pfBlocker reports entries]

      I can't figure out why the server would be reaching out to roku.com. The time stamps do match up with the time I was watching things on the roku last night.

It almost seems as if the requests were routed from the roku network and out the server. But I have 2 rules for the roku network that I thought would prevent any communication from the roku network to the LAN network where the server is located. These are the rules:

[attached screenshot: roku VLAN firewall rules]

      I'm confused about what is going on here and hope someone can help shed some light on this.

AndyRH wrote:

        A roku is not worth $100, if you were not the product it would cost more. It is reporting your usage and keeping in touch with the mother ship. I see 1,000's per day.

        o||||o
        7100-1u

dma_pf (replying to AndyRH) wrote:

          @andyrh said in Confusion About Log Entry:

          It is reporting your usage and keeping in touch with the mother ship. I see 1,000's per day.

          I get that. The question is why do the logs say the packets are coming from a completely different network than where the roku is installed? I thought I had them completely isolated.

AndyRH (replying to dma_pf) wrote:

            @dma_pf Missed the 163 and 168. That is odd. All of mine come from the roku devices.

johnpoz, LAYER 8 Global Moderator (replying to AndyRH) wrote:

              @andyrh said in Confusion About Log Entry:

              if you were not the product it would cost more

              hehe - so freaking true!

Kind of in line with that.. Ran across this the other day, shows where the money is at ;)

              https://www.theverge.com/2021/11/10/22773073/vizio-acr-advertising-inscape-data-privacy-q3-2021

              "Vizio’s profit on ads, subscriptions, and data is double the money it makes selling TVs"

Devices like Rokus and TVs with apps love to phone home!! And blocking them quite often just ends up with them asking for some fqdn more and more and more.. Now logically, if doing it from a tech point of view, if something I want to resolve doesn't resolve, you would think you would back off vs asking every freaking second. Ok ask a few times, ok not working, come back to it in an hour, does it resolve now.. Ok check again in a couple hours or tomorrow, etc. Not just keep banging away every freaking second trying to get an answer..

Kind of how dhcp works - it tries at 50% of its lease, hey can I get a renew.. No, ok will try again in 50% of what I have left, oh still no answer ok ask again.. This is a backoff/ramp up sort of solution to trying to get something done... But with these devices they just bang their heads against the wall every freaking few seconds.. That can not be good from a performance point of view.. Such devices that like to resolve stuff should keep a cache as well. Hey the TTL on what you asked for is 1 hour.. Do you really have to ask for it via dns every 1 minute.. That record you got is still good for another 59 minutes.. Yeah I know you want to talk every minute - but do you really need to ask for something again when you were just given the answer ;)

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.8, 24.11

nimrod (replying to johnpoz) wrote:

                @AndyRH and @johnpoz nailed it.

dma_pf (replying to johnpoz) wrote:

                  @johnpoz said in Confusion About Log Entry:

                  https://www.theverge.com/2021/11/10/22773073/vizio-acr-advertising-inscape-data-privacy-q3-2021
                  "Vizio’s profit on ads, subscriptions, and data is double the money it makes selling TVs"

                  Pretty crazy article. Thanks for the insight. Certainly seems to be par for the course nowadays.

                  Do you have any insight you can share as to why the log packets are going to roku.com from my LAN (xxx.xxx.163.xxx) instead of from my roku vlan (xxx.xxx.168.xxx)? I thought I had them completely isolated but I must be missing something obvious.

johnpoz (replying to dma_pf) wrote:

What is that IP doing the query? You sure it's not doing dns for your rokus?

dma_pf (replying to johnpoz) wrote:

                      @johnpoz said in Confusion About Log Entry:

                      You sure its not doing dns for your rokus?

                      Absolutely. I just noticed that the 192.168.168.1/24 dns servers are set up in dhcp as OpenDns (208.67.220.220, and 208.67.220.222). I must have done that originally. But I also have a NAT redirect set up to run all dns queries for the roku (192.168.168.2) through 192.168.163.1 which is my pfsense. (I did this later as I wanted to add some pfblocker rules to the dns queries):

[attached screenshots: DHCP DNS server settings and NAT port forward for roku DNS]

                      As mentioned in my original post the pfblocker reports log shows the dns request coming from 192.168.163.25 which is a server set up only for Remote Desktop Services. Nothing points to it.

johnpoz (replying to dma_pf) wrote:

                        @dma_pf said in Confusion About Log Entry:

                        192.168.163.25 which is a server set up only for Remote Desktop Services.

                        So anything someone or something running on that device could be doing the queries.. Say in a remote desktop session.. Tracking what process is doing the queries could be difficult..

                        Something like https://www.glasswire.com/

Might be helpful.. I would for sure actually sniff on that device that it's sending the specific queries you're seeing, and this would also allow you to see if anything is asking that IP for this which is somehow being sent on..

                        I see queries for that scribe.roku.com on my network all the time - but they all come from my rokus - but there could be some sort of software that also does queries for that?? There is some sort of roku app that can run on windows 10 for example, not sure if just a remote - but something like that could be doing the queries.

dma_pf (replying to johnpoz) wrote:

                          @johnpoz said in Confusion About Log Entry:

                          So anything someone or something running on that device could be doing the queries.. Say in a remote desktop session..

Thanks for your feedback. I guess that might be technically possible but I think there would be a whole bunch of hoops that would have to be jumped through. First of all the server is part of a MS domain. So only an authenticated user that can provide proper login credentials could connect to it (of which there are only two) and then the only things that they could access are the remote apps installed in Remote Desktop Services. And those connections can only happen from a LAN address, nothing is open to the WAN or other internal vlans. Secondly, the server has Microsoft Server 2012 as its operating system and does not have the dns role installed on it so I don't think it could respond to a dns request from another machine. And thirdly, if that server itself did make a dns request via its own ethernet adapter it would be routed first to the domain controller at 192.168.163.10 which would then forward to pfsense at 192.168.163.1. In that case I would expect to see the domain controller's ip address (192.168.163.10) as the source of the query. It really seems more likely to me that I must have missed something in my pfsense setup.

                          @johnpoz said in Confusion About Log Entry:

                          Might be helpful.. I would for sure actually sniff on that device that its sending the specific queries your seeing, and this would also allow you to see if anything is asking that IP for this which is somehow being sent on..

I'll run a sniff and post back my findings. Would you run it with the Host address as that of the server (192.168.163.25) or scribe.logs.roku.com?

                          @johnpoz said in Confusion About Log Entry:

                          I see queries for that scribe.roku.com on my network all the time - but they all come from my rokus - but there could be some sort of software that also does queries for that?? There is some sort of roku app that can run on windows 10 for example, not sure if just a remote - but something like that could be doing the queries.

The weird part is that I have no blocked queries whatsoever in pfblocker reports on the roku vlan (192.168.168.xxx) for scribe.logs.roku.com. All dns requests on my system for scribe.logs.roku.com are showing as coming from the server. Resolver is listening for queries on All networks, so I would think if the roku was sending them out they would be blocked too. There is a roku app installed on a tablet but that is on a completely different vlan (192.168.160.1/24) than what we have discussed and which is also isolated from the LAN and the roku vlan. I would find it hard to believe that the server has a rogue app on it as the only things installed on it are Word, Excel, a pdf reader and a CRM. It's running a pretty stripped down Microsoft Server 2012 and not a bloated OS like Windows 10 Home.

                          Thanks again for your help! I'll work on sniffing around tomorrow and will let you know what I find.
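Before sniffing, the resolver's own query log answers the thread's core question (which client IP is actually asking for scribe.logs.roku.com). The script below is an added example, not from the thread or from pfSense: it parses constructed log lines shaped like unbound's log-queries output, counts query sources per domain suffix, and flags clients outside the subnet expected to ask for that suffix (the roku.com -> 192.168.168.0/24 policy is an assumption based on the OP's layout).

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample lines shaped like unbound "log-queries" output in a pfSense
# resolver log: syslog prefix, then "info: <client-ip> <qname> <qtype> <qclass>".
SAMPLE_LOG = """\
Jan 15 22:13:45 pfSense unbound[12345]: [12345:0] info: 192.168.168.2 scribe.logs.roku.com. A IN
Jan 15 22:13:46 pfSense unbound[12345]: [12345:0] info: 192.168.163.25 scribe.logs.roku.com. A IN
Jan 15 22:13:47 pfSense unbound[12345]: [12345:0] info: 192.168.163.10 www.example.com. AAAA IN
Jan 15 22:13:49 pfSense unbound[12345]: [12345:0] info: 192.168.163.25 scribe.logs.roku.com. A IN
"""
QUERY_RE = re.compile(r"info: (\S+) (\S+) (\S+) IN\b")

# Assumed policy: only the Roku VLAN should be asking for names under roku.com.
EXPECTED_NETS = {"roku.com": [ip_network("192.168.168.0/24")]}

def parse_queries(text):
    """Yield (client_ip, qname, qtype) for each query line in the log."""
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield ip_address(m.group(1)), m.group(2).rstrip(".").lower(), m.group(3)

def under(qname, suffix):
    return qname == suffix or qname.endswith("." + suffix)

def sources_for(text, suffix):
    """Count how often each client IP queried a name under `suffix`."""
    counts = Counter()
    for client, qname, _ in parse_queries(text):
        if under(qname, suffix):
            counts[str(client)] += 1
    return dict(counts)

def unexpected_sources(text, policy=EXPECTED_NETS):
    """Sorted (client, qname) pairs where the client is outside every expected subnet."""
    flagged = set()
    for client, qname, _ in parse_queries(text):
        for suffix, nets in policy.items():
            if under(qname, suffix) and not any(client in n for n in nets):
                flagged.add((str(client), qname))
    return sorted(flagged)

if __name__ == "__main__":
    print(sources_for(SAMPLE_LOG, "roku.com"))
    for client, qname in unexpected_sources(SAMPLE_LOG):
        print(f"unexpected: {client} asked for {qname}")
```

Run against a real resolver log (with query logging enabled) the per-source counts show whether the Roku VLAN ever reaches the resolver directly or whether every roku.com lookup really arrives with the server's address, which is the fact the packet capture then needs to explain.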

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.