Samsung Smart TV (Tizen) DNS Queries on wrong server
-
Hi all,
I have created a new subnet to isolate various IOT devices from the LAN on my pfSense firewall. I have created a firewall rule on the new isolated interface to log all requests to LAN. I don't allow this traffic to happen but i want to know what devices are trying to do so. The problem is that I see a flood of UDP:53 blocked requests now in the firewall log and I don't understand why. When I look at the network settings on the TV, it shows the correct IP, Gateway and DNS (which is the same address as my pfSense isolated gateway). Nowhere I can see a configuration about the LAN interface gateway.
I have tried specifying the DND server manually in the TV settings, thinking that maybe the automatic setting didn't work but, still I see tons of request blocked. Btw, the TV internet connection and apps work fine.
Any idea?
Thank you,
Jonathan -
@jgauthier Its trying to talk to a dns server IP on your lan, or just some external dns IP like 1.1.1.1 or 8.8.8.8?
if it trying dns server IP on your lan - did it use to point to this dns server?
-
@johnpoz it tries to connect to the local dns server (pfsense). I don’t understand your last question, did it use what? Thanks
-
@jgauthier
does your new interface have a rule that permit tcp/udp to port 53 ?
can you post a screenshot of what you see on the log? -
@jgauthier said in Samsung Smart TV (Tizen) DNS Queries on wrong server:
it tries to connect to the local dns server (pfsense).
So you pointing to the IP you put on the new network/vlan you created right - and created a rule to allow that.. If your pointing it to your LAN IP, and blocking access to lan then yeah your going to have a bad day..
Here is example of locked down network, see how I allow access to this network "test" address for dns, etc.
the block rfc1918, really a reject since its my local networks. But this would prevent something asking for pfsense lan IP for dns.. But allows to pfsense IP on test network..
In my case lan is 192.168.9.253, and test is 192.168.200.253
-
until last year I had a Samsung Tizen television, but one day my dog (65 kg) bumped into it... I could still cry when I think about it
-
Additional Context:
My LAN interface is on 192.168.1.1.
My new interface subnet (INETONLY) is on 192.168.10.1. The TV is connected to this one. The TV gets a lease with a IP like 192.168.10.101.The problem: The TV apparently tries repeatedly to access DNS at 192.168.1.1 whereas I would expect it should be using 192.168.10.1.
does your new interface have a rule that permit tcp/udp to port 53 ? yes
Apparently, the first rule is a hit and i don't understand why.
-
@jgauthier your order is wrong to be honest.
You should allow dns before you block.. Order is top down, first rule to trigger wins no other rules are evaluated.
So trying to go to 192.168.1.1 on 53 would hit that first rule - which matches your lan subnets and would be blocked.
Putting your 2nd rule above that block would allow access to your 192.168.1.1 on 53.
But your 2nd issue is why would your tv still be asking 192.168.1.1 for dns? Normally dhcp would hand out its own address that 192.168.10.1, I would check maybe you have a reservation set for that TV mac, that is telling it to still try 1.1, or maybe your handing out both?
If it was me I would change your 2nd rule to be above your block and would also limit it to just your inetonly address. But yeah you also want to figure out why your device(s) would still be trying to access 1.1 if you have set it to use 10.1 for dns, or told it via dhcp to use 10.1 vs 1.1, etc.
-
Indeed, I have shared a version of my rules where I wanted to reproduce the problem. I had moved the "Allow DND Requests" first and it solved the flooding in the log but it doesn't change the fact the TV is trying to reach an address it should not.
I would check maybe you have a reservation set for that TV mac, that is telling it to still try 1.1, or maybe your handing out both?
I've followed this advice and I have an inactive reservation that was there probably prior to the creation of the new subnet. I just deleted it, and will test it.
If it was me I would change your 2nd rule to be above your block and would also limit it to just your inetonly address. But yeah you also want to figure out why your device(s) would still be trying to access 1.1 if you have set it to use 10.1 for dns, or told it via dhcp to use 10.1 vs 1.1, etc.
Thank you for the advice, I will do that once I have solved the problem.Will keep you posted, thanks!
-
@jgauthier that doesn't look like a reservation, a reservation for a device to always get the same IP should be showing NA for the lease time..
example
Is it possible your not truly isolated at layer 2 for your differnet networks?
That lease looks like it was recently obtained by the start and end dates..
-
@johnpoz I understand. I never created a static ip related to that.
i think my subnets are correctly isolated. At some point while I was testing my tv, it connected automatically to the former wi-if network, hence it got a lease for LAN. That must be the reason… Since, I made the tv forget this former network.
Btw, I still get blocks on 192.168.1.1 coming from the tv :(. When I look at the network parameters in the tv, it shows 192.168.10.1 as the DNS server. Strange…
-
@jgauthier yeah some of these devices suck for their network.. My thermostat I wanted to put it on another network.. And once it got an IP from dhcp it would never ask for another one... I had to fully reset it network settings vs just changing the ssid it connects too..
Can you reset its network - worse case scenario if it bugs you that much, but works anyway via doing queries to your 10.1 - you could prob do a full factory reset on it.. Or another option if it is actually working and you don't want the spam in the log, you could set a rule to block it and just not log traffic to 53 to the 1.1 from that tvs IP.
-
or a NAT for the port 53 to 10.1
that's what i use for iot stuff with 8.8.8.8 hard coded inside ....
