Android client | Appending local domain to DNS Queries
-
Hello,
I recently purchased an android device which provides a digital calendar and clock. After successfully connecting to WIFI I noticed the device would not update its location nor connect to any external services. I kept getting an error that it was unable to connect to the manufacturer's server.
I performed a wireshark packet capture and I noticed the following:
It's performing DNS lookups with the local domain attached to the end. I use the local domain for remote administration of my PFSENSE/SSL etc.
nslookup on pfsense:
/root: nslookup googleapis.com
Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
Name: googleapis.com
Address: 142.251.33.4
Name: googleapis.com
Address: 2607:f8b0:4023:1006::93
Name: googleapis.com
Address: 2607:f8b0:4023:1006::63
Name: googleapis.com
Address: 2607:f8b0:4023:1006::68
Name: googleapis.com
Address: 2607:f8b0:4023:1006::69

From local laptop:
nslookup googleapis.com
Server: 192.168.53.11
Address: 192.168.53.11#53

Non-authoritative answer:
Name: googleapis.com
Address: 172.217.2.196

I am running
22.05-RELEASE (amd64)
FreeBSD 12.3-STABLE

Name Version
acme 0.7.3
Avahi 2.2_1
Cron 0.3.8_1
darkstat 3.1.3_5
haproxy-devel 0.62_10
openvpn-client-export 1.6_8
pfBlockerNG-devel 3.1.0_7
snort 4.1.6
Status_Traffic_Totals 2.3.2_2

No other clients are experiencing this issue.
The digital calendar/clock is running Android 6.0.1 with Kernel 3.10.65.
I can access some of the settings but I cannot for example assign a static IP or modify any of the other network settings.
-
@posix pretty much any OS does this, this is suffix search.. Why you can not get there is that there is no answer.
Look at your sniff, where is the answer to your queries? 192.168.30.1 is sending back a reject, that icmp port unreachable..
example - here is my windows machine.. see it asks for www.googleapis.com with .local.lan added at first because this is my local search domain.
$ nslookup
Default Server: pi.hole
Address: 192.168.3.10

> set debug
> www.googleapis.com
Server: pi.hole
Address: 192.168.3.10

------------
Got answer:
    HEADER:
        opcode = QUERY, id = 2, rcode = NXDOMAIN
        header flags: response, auth. answer, want recursion, recursion avail.
        questions = 1, answers = 0, authority records = 0, additional = 0
    QUESTIONS:
        www.googleapis.com.local.lan, type = A, class = IN
------------
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 3, rcode = NXDOMAIN
        header flags: response, auth. answer, want recursion, recursion avail.
        questions = 1, answers = 0, authority records = 0, additional = 0
    QUESTIONS:
        www.googleapis.com.local.lan, type = AAAA, class = IN
------------
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 4, rcode = NOERROR
        header flags: response, want recursion, recursion avail.
        questions = 1, answers = 16, authority records = 0, additional = 0
    QUESTIONS:
        www.googleapis.com, type = A, class = IN
    ANSWERS:
    -> www.googleapis.com internet address = 172.217.4.202 ttl = 3026 (50 mins 26 secs)
    -> www.googleapis.com internet address = 142.250.191.106 ttl = 3026 (50 mins 26 secs)
    -> www.googleapis.com internet address = 142.250.191.138 ttl = 3026 (50 mins 26 secs)
    -> www.googleapis.com internet address = 142.250.191.170 ttl = 3026 (50 mins 26 secs)
    -> www.googleapis.com internet address = 142.250.191.202 ttl = 3026 (50 mins 26 secs)
    -> www.googleapis.com internet address = 142.250.191.234 ttl = 3026 (50 mins 26 secs)
    -> www.googleapis.com internet address = 142.250.190.10 ttl = 3026 (50 mins 26 secs)
    -> www.googleapis.com internet address = 142.250.190.42 ttl = 3026 (50 mins 26 secs)
    -> www.googleapis.com internet address = 142.250.190.74 ttl = 3026 (50 mins 26 secs)
    -> www.googleapis.com internet address = 142.250.190.106 ttl = 3026 (50 mins 26 secs)
    -> www.googleapis.com internet address = 142.250.190.138 ttl = 3026 (50 mins 26 secs)
    -> www.googleapis.com internet address = 142.251.32.10 ttl = 3026 (50 mins 26 secs)
    -> www.googleapis.com internet address = 172.217.0.170 ttl = 3026 (50 mins 26 secs)
    -> www.googleapis.com internet address = 172.217.1.106 ttl = 3026 (50 mins 26 secs)
    -> www.googleapis.com internet address = 172.217.4.42 ttl = 3026 (50 mins 26 secs)
    -> www.googleapis.com internet address = 172.217.4.74 ttl = 3026 (50 mins 26 secs)
------------
Non-authoritative answer:
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 5, rcode = NOERROR
        header flags: response, want recursion, recursion avail.
        questions = 1, answers = 4, authority records = 0, additional = 0
    QUESTIONS:
        www.googleapis.com, type = AAAA, class = IN
    ANSWERS:
    -> www.googleapis.com AAAA IPv6 address = 2607:f8b0:4009:804::200a ttl = 30 (30 secs)
    -> www.googleapis.com AAAA IPv6 address = 2607:f8b0:4009:803::200a ttl = 30 (30 secs)
    -> www.googleapis.com AAAA IPv6 address = 2607:f8b0:4009:801::200a ttl = 30 (30 secs)
    -> www.googleapis.com AAAA IPv6 address = 2607:f8b0:4009:802::200a ttl = 30 (30 secs)
------------
Name: www.googleapis.com
Addresses: 2607:f8b0:4009:804::200a
    2607:f8b0:4009:803::200a
    2607:f8b0:4009:801::200a
    2607:f8b0:4009:802::200a
    172.217.4.202
    142.250.191.106
    142.250.191.138
    142.250.191.170
    142.250.191.202
    142.250.191.234
    142.250.190.10
    142.250.190.42
    142.250.190.74
    142.250.190.106
    142.250.190.138
    142.251.32.10
    172.217.0.170
    172.217.1.106
    172.217.4.42
    172.217.4.74
>
ipconfig /all - notice the dns suffix search list
$ ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : i9-win
   Primary Dns Suffix . . . . . . . : local.lan
   Node Type . . . . . . . . . . . . : Broadcast
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : local.lan

Ethernet adapter Local:

   Connection-specific DNS Suffix . : local.lan
   Description . . . . . . . . . . . : Killer E2600 Gigabit Ethernet Controller
   Physical Address. . . . . . . . . : B0-4F-13-0B-FD-16
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.9.100(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Sunday, November 20, 2022 4:41:11 AM
   Lease Expires . . . . . . . . . . : Friday, December 2, 2022 4:41:05 AM
   Default Gateway . . . . . . . . . : 192.168.9.253
   DHCP Server . . . . . . . . . . . : 192.168.9.253
   DNS Servers . . . . . . . . . . . : 192.168.3.10
   NetBIOS over Tcpip. . . . . . . . : Enabled
Your problem is not that - your problem is you're blocking dns queries..
Your laptop is asking a different IP
Server: 192.168.53.11
Address: 192.168.53.11#53

Your sniff is asking 192.168.30.1 and he responds with sorry buddy you're not getting there.. What rules do you have on this 30.1 interface in pfsense?
edit:
see I created a reject rule for 8.8.8.8 on my lan, then dig a dns query - and pfsense sends back hey you're not getting there icmp response.

$ dig @8.8.8.8 www.google.com

; <<>> DiG 9.16.34 <<>> @8.8.8.8 www.google.com
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
-
You are right, this android device joined the IOT SSID. On pfsense I have the majority of IOT devices on static DHCP bindings with DNS assigned. But for the dynamic DHCP pool I did not specify a DNS server. So it was using .30.1 (pfsense gateway) as DNS, and I have DNS redirect configured for external DNS servers, not pfsense itself. This is resolved.
Thank you very much for pointing out the issue.
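
Added example, not part of the thread: a small triage of a DNS capture that separates harmless suffix-search NXDOMAIN replies from queries the server rejected with ICMP port unreachable, which is the distinction the diagnosis above turns on. The capture rows, their column layout, the client addresses and the `home.example` search domain are constructed for illustration; only the two server addresses come from the thread.

```python
# Constructed sample in a hypothetical simplified export format:
# time  src  dst  kind  client_udp_port  detail
CAPTURE = """\
0.000 192.168.30.50 192.168.30.1 query 40001 googleapis.com.home.example
0.001 192.168.30.1 192.168.30.50 icmp_port_unreach 40001 -
0.050 192.168.30.50 192.168.30.1 query 40002 googleapis.com
0.051 192.168.30.1 192.168.30.50 icmp_port_unreach 40002 -
1.000 192.168.53.20 192.168.53.11 query 51000 googleapis.com.home.example
1.002 192.168.53.11 192.168.53.20 response 51000 NXDOMAIN
1.010 192.168.53.20 192.168.53.11 query 51001 googleapis.com
1.030 192.168.53.11 192.168.53.20 response 51001 NOERROR
2.000 192.168.30.50 192.168.30.1 query 40003 time.example.net
"""

def triage(capture_text, search_domain):
    """Return {(client, server, qname): verdict} for every DNS query seen."""
    outcome = {}  # (client, server, client_port) -> [qname, result]
    for line in capture_text.splitlines():
        _t, src, dst, kind, port, detail = line.split()
        if kind == "query":
            outcome[(src, dst, port)] = [detail.rstrip(".").lower(), "no-reply"]
            continue
        # Replies travel server -> client. An ICMP port unreachable quotes the
        # original UDP header, so the client port is enough to pair it up.
        key = (dst, src, port)
        if key in outcome:
            outcome[key][1] = "rejected" if kind == "icmp_port_unreach" else detail
    suffix = "." + search_domain.lower()
    verdicts = {}
    for (client, server, _port), (qname, result) in outcome.items():
        if result == "NXDOMAIN" and qname.endswith(suffix):
            verdict = "benign: suffix-search miss"
        elif result == "NOERROR":
            verdict = "resolved"
        elif result == "rejected":
            verdict = "blocked: server rejected UDP/53 (check firewall rules)"
        elif result == "no-reply":
            verdict = "unanswered: dropped or server not listening"
        else:
            verdict = "dns error: " + result
        verdicts[(client, server, qname)] = verdict
    return verdicts

def failing_servers(verdicts):
    """Servers that never resolved anything: the fault is there, not the suffix."""
    resolved = {s for (_c, s, _q), v in verdicts.items() if v == "resolved"}
    return sorted({s for (_c, s, _q) in verdicts} - resolved)
```

On the constructed rows, the suffixed lookup against 192.168.53.11 is classified as a benign miss, while every query sent to 192.168.30.1 is rejected or unanswered, so `failing_servers` points at the DNS server the client was handed rather than at the search domain.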