Netgate Discussion Forum
    Samsung Smart TV (Tizen) DNS Queries on wrong server

Category: DHCP and DNS
    13 Posts 3 Posters 1.2k Views
jgauthier:

      Hi all,

I have created a new subnet to isolate various IoT devices from the LAN on my pfSense firewall. I have created a firewall rule on the new isolated interface to log all requests to LAN. I don't allow this traffic to happen, but I want to know which devices are trying to do so. The problem is that I now see a flood of blocked UDP:53 requests in the firewall log and I don't understand why. When I look at the network settings on the TV, it shows the correct IP, gateway and DNS (which is the same address as my pfSense isolated gateway). Nowhere can I see a configuration about the LAN interface gateway.

I have tried specifying the DNS server manually in the TV settings, thinking that maybe the automatic setting didn't work, but I still see tons of requests blocked. Btw, the TV internet connection and apps work fine.

      Any idea?

      Thank you,
      Jonathan

johnpoz (Global Moderator) @jgauthier:

@jgauthier Is it trying to talk to a DNS server IP on your LAN, or just some external DNS IP like 1.1.1.1 or 8.8.8.8?

If it is trying a DNS server IP on your LAN - did it used to point to this DNS server?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

jgauthier @johnpoz:

          @johnpoz it tries to connect to the local dns server (pfsense). I don’t understand your last question, did it use what? Thanks

kiokoman @jgauthier:

            @jgauthier
does your new interface have a rule that permits tcp/udp to port 53?
            can you post a screenshot of what you see on the log?

            ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
            Please do not use chat/PM to ask for help
            we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
            Don't forget to Upvote with the 👍 button for any post you find to be helpful.

johnpoz (Global Moderator) @jgauthier:

              @jgauthier said in Samsung Smart TV (Tizen) DNS Queries on wrong server:

              it tries to connect to the local dns server (pfsense).

So you're pointing to the IP you put on the new network/vlan you created, right - and created a rule to allow that.. If you're pointing it to your LAN IP, and blocking access to LAN, then yeah, you're going to have a bad day..

Here is an example of a locked down network, see how I allow access to this network's "test" address for DNS, etc.

[image: example.jpg]

The block rfc1918 rule is really a reject, since it's my local networks. But this would prevent something asking the pfSense LAN IP for DNS.. But it allows access to the pfSense IP on the test network..

              In my case lan is 192.168.9.253, and test is 192.168.200.253


kiokoman @johnpoz:

until last year I had a Samsung Tizen television, but one day my dog (65 kg) bumped into it... I could still cry when I think about it


jgauthier @kiokoman:

                  @kiokoman @johnpoz

                  Additional Context:
                  My LAN interface is on 192.168.1.1.
My new interface subnet (INETONLY) is on 192.168.10.1. The TV is connected to this one. The TV gets a lease with an IP like 192.168.10.101.

                  The problem: The TV apparently tries repeatedly to access DNS at 192.168.1.1 whereas I would expect it should be using 192.168.10.1.

                  does your new interface have a rule that permit tcp/udp to port 53 ? yes
[image: 2e494710-3edf-4067-acfd-2d4f37d6af8e-image.png]

Apparently, the first rule is a hit and I don't understand why.
[image: 2884d15e-d6fb-485a-9415-19695c99c450-image.png]

johnpoz (Global Moderator) @jgauthier:

                    @jgauthier your order is wrong to be honest.

[image: problem.jpg]

You should allow DNS before you block.. Order is top down; the first rule to trigger wins, and no other rules are evaluated.

                    So trying to go to 192.168.1.1 on 53 would hit that first rule - which matches your lan subnets and would be blocked.

                    Putting your 2nd rule above that block would allow access to your 192.168.1.1 on 53.

But your 2nd issue is why would your TV still be asking 192.168.1.1 for DNS? Normally DHCP would hand out its own address, that is 192.168.10.1. I would check maybe you have a reservation set for that TV MAC that is telling it to still try 1.1, or maybe you're handing out both?

If it was me I would move your 2nd rule above your block and would also limit it to just your INETONLY address. But yeah, you also want to figure out why your device(s) would still be trying to access 1.1 if you have set it to use 10.1 for DNS, or told it via DHCP to use 10.1 vs 1.1, etc.


jgauthier @johnpoz:

                      @johnpoz

                      Indeed, I have shared a version of my rules where I wanted to reproduce the problem. I had moved the "Allow DND Requests" first and it solved the flooding in the log but it doesn't change the fact the TV is trying to reach an address it should not.

                      I would check maybe you have a reservation set for that TV mac, that is telling it to still try 1.1, or maybe your handing out both?
                      I've followed this advice and I have an inactive reservation that was there probably prior to the creation of the new subnet. I just deleted it, and will test it.
[image: 89e9164e-bd05-40f6-8a91-93179cab7c63-image.png]

                      If it was me I would change your 2nd rule to be above your block and would also limit it to just your inetonly address. But yeah you also want to figure out why your device(s) would still be trying to access 1.1 if you have set it to use 10.1 for dns, or told it via dhcp to use 10.1 vs 1.1, etc.
                      Thank you for the advice, I will do that once I have solved the problem.

                      Will keep you posted, thanks!

johnpoz (Global Moderator) @jgauthier:

@jgauthier that doesn't look like a reservation; a reservation for a device to always get the same IP should be showing NA for the lease time..

                        example

[image: reservation.jpg]

Is it possible you're not truly isolated at layer 2 for your different networks?

                        That lease looks like it was recently obtained by the start and end dates..


jgauthier @johnpoz:

                          @johnpoz I understand. I never created a static ip related to that.

I think my subnets are correctly isolated. At some point while I was testing my TV, it connected automatically to the former Wi-Fi network, hence it got a lease for LAN. That must be the reason… Since then, I have made the TV forget this former network.

                          Btw, I still get blocks on 192.168.1.1 coming from the tv :(. When I look at the network parameters in the tv, it shows 192.168.10.1 as the DNS server. Strange…

johnpoz (Global Moderator) @jgauthier:

@jgauthier yeah, some of these devices suck for their network.. My thermostat, I wanted to put it on another network.. And once it got an IP from DHCP it would never ask for another one... I had to fully reset its network settings vs just changing the SSID it connects to..

Can you reset its network? Worst case scenario, if it bugs you that much but works anyway via doing queries to your 10.1, you could prob do a full factory reset on it.. Or another option, if it is actually working and you don't want the spam in the log, you could set a rule to block it and just not log traffic to 53 to the 1.1 from that TV's IP.


kiokoman @johnpoz:

or a NAT for port 53 to 10.1
that's what I use for IoT stuff with 8.8.8.8 hard coded inside ....


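Two points in this thread are worth seeing side by side: johnpoz's explanation that pfSense interface rules are evaluated top down with the first match winning (so a block-RFC1918 rule placed above the DNS allow swallows the TV's query to 192.168.1.1:53), and kiokoman's alternative of a port-53 NAT redirect to the interface address. The toy evaluator below is an added example written for this page, not pfSense code or a screenshot from the thread. It models only the fields the thread talks about (protocol, source, destination, destination port, log flag), applies redirects before filtering the way a port forward does, and uses the thread's own constructed addresses: LAN 192.168.1.0/24, INETONLY 192.168.10.0/24 and a TV at 192.168.10.101. The rule names, the `rfc1918` alias and the "quiet" non-logging block for the TV's stray queries are assumptions made for the example.

```python
"""Toy model of pfSense-style interface rule evaluation: top down, first match wins.
Addresses are constructed to mirror the thread (LAN 192.168.1.0/24, pfSense at .1;
isolated INETONLY 192.168.10.0/24, pfSense at .1; TV at 192.168.10.101)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Assumed alias standing in for the "rfc1918" alias johnpoz describes.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Rule:
    action: str           # "pass" or "block"
    proto: str            # "any", "tcp" or "udp"
    src: str              # CIDR or "any"
    dst: str              # CIDR, "any" or the "rfc1918" alias
    dport: Optional[int]  # destination port, None = any port
    log: bool = True      # whether a match writes a firewall log entry
    name: str = ""


@dataclass
class Redirect:
    """A port forward: matching traffic is sent to `target` instead of its original destination."""
    proto: str
    src: str
    dport: int
    target: str


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def _in(scope: str, addr) -> bool:
    """True if `addr` falls inside a rule's source/destination scope."""
    if scope == "any":
        return True
    if scope == "rfc1918":
        return any(addr in net for net in RFC1918)
    return addr in ip_network(scope)


def apply_redirects(redirects, pkt: Packet) -> Packet:
    """NAT runs before filtering: the first matching redirect rewrites the destination."""
    for r in redirects:
        if r.proto in ("any", pkt.proto) and r.dport == pkt.dport and _in(r.src, ip_address(pkt.src)):
            return Packet(pkt.proto, pkt.src, r.target, pkt.dport)
    return pkt


def first_match(rules, pkt: Packet) -> Optional[Rule]:
    """Top-down evaluation; the first rule whose fields all match decides the packet."""
    for rule in rules:
        if rule.proto not in ("any", pkt.proto):
            continue
        if not _in(rule.src, ip_address(pkt.src)) or not _in(rule.dst, ip_address(pkt.dst)):
            continue
        if rule.dport is not None and rule.dport != pkt.dport:
            continue
        return rule
    return None  # nothing matched: implicit default deny


def decide(rules, pkt: Packet, redirects=()) -> Tuple[str, str, bool]:
    """Return (action, rule name, logged) for a packet entering the INETONLY interface."""
    pkt = apply_redirects(redirects, pkt)
    rule = first_match(rules, pkt)
    if rule is None:
        return ("block", "default deny", True)
    return (rule.action, rule.name, rule.log)


# Constructed packets: the TV's stray query to the LAN address, and a correct one to 10.1.
TV_TO_LAN_DNS = Packet("udp", "192.168.10.101", "192.168.1.1", 53)
TV_TO_OWN_DNS = Packet("udp", "192.168.10.101", "192.168.10.1", 53)

BLOCK_LAN = Rule("block", "any", "any", "rfc1918", None, name="Block and log local nets")
ALLOW_DNS_ANY = Rule("pass", "udp", "192.168.10.0/24", "any", 53, name="Allow DNS Requests")
ALLOW_DNS_LOCAL = Rule("pass", "udp", "192.168.10.0/24", "192.168.10.1/32", 53,
                       name="Allow DNS to INETONLY address only")
QUIET_BLOCK_TV = Rule("block", "udp", "192.168.10.101/32", "192.168.1.1/32", 53, log=False,
                      name="Block TV to LAN DNS without logging")


def as_posted():
    """Block above allow: the query to 192.168.1.1:53 hits the block first and is logged."""
    return decide([BLOCK_LAN, ALLOW_DNS_ANY], TV_TO_LAN_DNS)


def allow_moved_up():
    """Allow above block, scoped to the interface address: 10.1 passes, 1.1 is still blocked."""
    rules = [ALLOW_DNS_LOCAL, BLOCK_LAN]
    return decide(rules, TV_TO_OWN_DNS), decide(rules, TV_TO_LAN_DNS)


def quiet_log():
    """A non-logging block for just the TV's stray queries, placed above the general block."""
    return decide([ALLOW_DNS_LOCAL, QUIET_BLOCK_TV, BLOCK_LAN], TV_TO_LAN_DNS)


def nat_redirect():
    """Port 53 from the IoT net is forwarded to 192.168.10.1 before the filter sees it."""
    rdr = [Redirect("udp", "192.168.10.0/24", 53, "192.168.10.1")]
    return decide([ALLOW_DNS_LOCAL, BLOCK_LAN], TV_TO_LAN_DNS, redirects=rdr)


if __name__ == "__main__":
    for fn in (as_posted, allow_moved_up, quiet_log, nat_redirect):
        print(f"{fn.__name__:15s} -> {fn()}")
```

Running it shows the four outcomes the thread walks through: the posted order blocks and logs the stray query; moving a narrowly scoped allow above the block lets queries to 10.1 through while 1.1 stays blocked; a dedicated non-logging block removes the log spam without opening anything; and the redirect rewrites the destination so the query lands on the intended resolver and matches the allow rule. In real pfSense the redirect also needs its associated filter rule, which the model folds into the existing allow.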
                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.