Netgate Discussion Forum
    So why is Netflix hitting me with Dradis?

    Category: IDS/IPS
    • ssullivan556 @tinfoilmatt

      @tinfoilmatt said in So why is Netflix hitting me with Dradis?:

      But since I pushed back on him a little bit, I now feel a little obligated to do the same to you—if only in the spirit of fairness:

      Good, please convince me this is nothing to worry about. Dradis tho?

      • johnpoz LAYER 8 Global Moderator @ssullivan556

        @ssullivan556 said in So why is Netflix hitting me with Dradis?:

        Dradis tho?

        maybe they are fans of Battlestar Galactica ;)

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

        • tinfoilmatt @ssullivan556

          @ssullivan556 said in So why is Netflix hitting me with Dradis?:

          please convince me this is nothing to worry about.

          Nobody's here to try to convince you of anything, buddy.

          • Gertjan @ssullivan556

            @ssullivan556

            You showed an Ethernet packet, received from 8.8.8.8, as some device, your 10.0.0.34, has asked it a question: What is the A record (the IP) of:

            [image attachment]

            There is no payload, the entire packet is shown.

            Every single bit is defined - I looked them all up. Imho, seems 100 % legit to me, and there's no place for malicious scripts = series of bytes ;) This is a DNS packet: there are no 'spare' bits left!

            The DNS question was "CNAME pointing to a CNAME pointing to a CNAME" ... etc., snort might say:

            [image attachment]

            Yeah, true, there was a long answer (4 IPs!) but nothing seems out of order here.

            Consider this :
            What happens if a McDonald's in Hong Kong serves one totally rotten hamburger to one client?
            Ok, that one client will be having a hard time. Food poisoning isn't a joke.
            But there will be more than one victim: there will be thousands of victims: the McDonald's shareholders, as this one hamburger event will trigger our social networks doing their one and only thing: spreading the bad news. The McDo stock market will plunge ... Shareholders will suffer.
            What I mean: Netflix won't try to do 'nasty' things with the one and only packet that is visible for the entire planet: a DNS packet.
            I don't think Netflix prepares malicious DNS replies for you or someone else. Not because they want to protect you (they probably don't care about you, they are in it for your $ or €, that's all) but Netflix really (like REALLY!) wants to protect the shareholders. So they won't start a low-budget DNS spoof or whatever attack that everybody can find out in mere seconds, as this will be a short path to a total company collapse; they have too much to lose.
            After all, can your 'data' be worth more than their entire stock market value?

            If Netflix wants to take control of your TV, and why stop there, everything in your local network, they will code their app that 'lives' in your TV with nasty capabilities. The app will talk over TLS with 'home'. And from then on, Squid, snort etc. won't detect anything.
            Netflix uses HSTS, so their TLS traffic can not be MITM'ed.

            To make the story short: we, "the small ones", are protected by the big ones, as we all have this one powerful weapon: our $ (or €). Without it, they are gone.

            Btw : not implying that my 'answer' (rambling ?) is the answer, just my thoughts.

            No "help me" PM's please. Use the forum, the community will thank you.
            Edit : and where are the logs ??

            • ssullivan556 @Gertjan

              @Gertjan said in So why is Netflix hitting me with Dradis?:

              @ssullivan556

              You showed an Ethernet packet, received from 8.8.8.8, as some device, your 10.0.0.34, has asked it a question: What is the A record (the IP) of:

              [image attachment]

              There is no payload, the entire packet is shown.

              Every single bit is defined - I looked them all up. Imho, seems 100 % legit to me, and there's no place for malicious scripts = series of bytes ;) This is a DNS packet: there are no 'spare' bits left!

              The DNS question was "CNAME pointing to a CNAME pointing to a CNAME" ... etc., snort might say:

              [image attachment]

              Yeah, true, there was a long answer (4 IPs!) but nothing seems out of order here.

              Thanks for digging into it! I would not expect malicious code in the DNS request either. My only concern about this packet was why any app on my TV would want to know the IP of any Dradis server. As tinfoilmatt mentioned, this may be their teams doing white hat activities. This is the best-case scenario in my mind, but there can also be bad actors within companies. I also understand that Netflix itself would not risk getting caught doing malicious things in the open, but here we are, my TV requested this Dradis server. I guess I will be finding out how their customer support services are next week. If it is white hat activities, they should want to admit it since it is indeed all about protecting shareholders, and this is not a great look.

              • JonathanLee

                We cancelled Netflix because of their outdated approach to IPv6 tunnel brokers. They treat anyone using an IPv6 tunnel—such as Hurricane Electric—as if they're using a VPN to bypass restrictions. Other major streaming platforms don’t have this issue, and their networking teams clearly have a better grasp of modern IPv6 deployments. If Netflix can’t keep up, we’re more than happy to spend our money elsewhere.

                Make sure to upvote

                • ssullivan556 @JonathanLee (last edited by ssullivan556)

                  @JonathanLee Just reiterating, the Netflix app was never even opened since the factory reset (unrelated, a few days before this packet), let alone logged into an account (I don't have one myself).

                  • johnpoz LAYER 8 Global Moderator @ssullivan556

                    @ssullivan556 because they use that fqdn in their service domain name as a CNAME that points to another fqdn, and so on. That you think because they have dradis in their domain name it's doing something nefarious is beyond ridiculous.

                    ;; QUESTION SECTION:
                    ;nrdp25.appboot.netflix.com. IN A

                    ;; ANSWER SECTION:
                    nrdp25.appboot.netflix.com. 111 IN CNAME appboot.dradis.netflix.com.
                    appboot.dradis.netflix.com. 57 IN CNAME appboot.us-west-2.origin.prodaa.netflix.com.
                    appboot.us-west-2.origin.prodaa.netflix.com. 57 IN A 34.217.204.82
                    appboot.us-west-2.origin.prodaa.netflix.com. 57 IN A 44.234.6.167
                    appboot.us-west-2.origin.prodaa.netflix.com. 57 IN A 52.89.219.164

                    You are chasing ghosts here.


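Added example, not code from this thread or from Netgate: a small Python script that parses the dig answer section johnpoz posted above (embedded as a constructed sample) and walks the CNAME chain from the queried name to its final A records, which makes it plain that "dradis" is only an intermediate alias on the way to the real hosts. It also reports the effective TTL of the chain (the smallest TTL on it, which is how long a resolver's cached answer stays valid) and stops on loops or over-long chains, the same property a long-CNAME-chain IDS signature reacts to.

```python
from collections import defaultdict

# Constructed sample input: the answer section as johnpoz posted it in this thread.
DIG_ANSWER = """\
nrdp25.appboot.netflix.com. 111 IN CNAME appboot.dradis.netflix.com.
appboot.dradis.netflix.com. 57 IN CNAME appboot.us-west-2.origin.prodaa.netflix.com.
appboot.us-west-2.origin.prodaa.netflix.com. 57 IN A 34.217.204.82
appboot.us-west-2.origin.prodaa.netflix.com. 57 IN A 44.234.6.167
appboot.us-west-2.origin.prodaa.netflix.com. 57 IN A 52.89.219.164
"""

def parse_answer_section(text):
    """Map owner name -> [(ttl, rtype, rdata), ...] from dig-style 'owner ttl IN type rdata' lines."""
    records = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):  # skip blanks and dig's ';;' comment lines
            continue
        owner, ttl, _cls, rtype, rdata = line.split(None, 4)
        records[owner.lower()].append((int(ttl), rtype.upper(), rdata.lower()))
    return dict(records)

def follow_cname_chain(records, qname, max_hops=8):
    """Follow CNAMEs from qname; return (names visited, sorted A addresses, effective TTL).
    The effective TTL is the smallest TTL on the chain: a cached answer is only good
    until its shortest-lived link expires. Raises ValueError on a loop or too many hops."""
    name = qname.lower()
    chain, ttl_floor = [name], None
    for _ in range(max_hops):
        rrs = records.get(name, [])
        ttls = [ttl for ttl, _, _ in rrs]
        if ttls:
            ttl_floor = min(ttls) if ttl_floor is None else min(ttl_floor, min(ttls))
        cnames = [rdata for _, rtype, rdata in rrs if rtype == "CNAME"]
        if not cnames:  # end of the alias chain: collect whatever A records live here
            addrs = sorted(rdata for _, rtype, rdata in rrs if rtype == "A")
            return chain, addrs, ttl_floor
        name = cnames[0]
        if name in chain:
            raise ValueError("CNAME loop at " + name)
        chain.append(name)
    raise ValueError("more than %d CNAME hops from %s" % (max_hops, qname))

if __name__ == "__main__":
    chain, addrs, ttl = follow_cname_chain(parse_answer_section(DIG_ANSWER), "nrdp25.appboot.netflix.com.")
    print(" -> ".join(chain))
    print("A records:", addrs, "effective TTL:", ttl)
```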
                    • ssullivan556 @johnpoz

                      @johnpoz Now this actually makes sense. Thank you. In other words, the TV asked "hey, what are the addresses for apps on Netflix" and 8.8.8.8 said "here are ALL the apps you can choose from" and we do not know from this what my device continued to use. I guess I need to spend some time with ntop if I really want to know.

                      Nowhere did I claim to know a lot about how IP works, was just looking for an explanation to learn more.

                      • johnpoz LAYER 8 Global Moderator @ssullivan556 (last edited by johnpoz)

                        @ssullivan556 which is why we are here - glad we got it sorted.

                        It could be checking for updates to apps, it could be checking for updates for its own OS, it could be checking that it can talk to Google..

                        Could be saying here I am a new instance - it could be doing all sorts of things - but what your DNS showed was just that it was looking for a specific fqdn, and dradis just happened to be part of the fqdn they are using, in this case just as a cname to point it elsewhere.

                        As to why dradis is in the fqdn - maybe whoever came up with it was a fan of bsg, maybe it hits one of their servers using dradis to log traffic? But it sure wasn't scanning you or doing any sort of pen test - you show a query to 8.8.8.8 on normal DNS port 53.


                        • JonathanLee

                          Keep in mind that most smart-TV platforms update their apps automatically, whether you use them or not. It’s similar to the Microsoft Store on Windows, which updates apps you never open.
                          I’ve also developed a personal bias against Netflix because of how aggressively they react to any IPv6 tunnel broker. After dealing with endless workarounds—forcing IPv4 DNS, custom DNS entries, and other bypass methods—I finally got fed up and switched to Apple TV for a while. Most of the other major streaming services don’t seem to care at all about Hurricane Electric IPv6 tunnels, but Netflix is extremely strict.
                          It’s also important to understand that many streaming apps use containerized instances that spin up temporarily for DRM and security, then self-delete when they’re done. Because of that, the platforms want everything locked down and up to date, even if you haven’t logged in. They want the application to be fully ready—and fully secure—for the moment you do decide to use it.


                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.