Open lfkrebs opened 3 months ago
@lfkrebs thanks for your detailed report. I will be looking into this more.
Can't you connect to your router directly using the IP?
The reason for blocking is, however, different than you guessed. We detected some strange behaviour related to this fritz[.]box domain, namely DNS requests with the following indicators:
Should you have any information about that, I would kindly like to be informed.
@ph00lt0 Thanks so much for getting back to me so quickly!
How odd! No, I haven't seen any such activity, also not in my PiHole log. Is there a regional pattern to the requests you are seeing?
Oddly enough, I cannot even reach my router via the regular IP address as long as the rule is in effect in Little Snitch. I suspect that as soon as the rule is in effect, it may prevent other functions like getting a DHCP lease — but I'm way too ignorant of the exact workings of the network processes to make an informed guess. All I can say is that with the rule in effect, the Mac is entirely cut off, and the problem disappears as soon as I override or remove the rule. Sorry for not being much help…
In any case: I can fix this for myself and I don't see any other activity here. Maybe this can be closed if nobody else shows up?
Thanks again for your work! It's appreciated!
DW about closing it. I will reach out to the vendor and some others to ask for clarification. Until we know more I am happy to keep the issue open.
We only have Intel from a few EU countries as of now and global stuff. This is a recent thing I am doing. I don't want to disclose the methods of obtaining these trackers for I guess obvious reasons.
The domain is now owned by AVM itself and it will tell you that something is wrong with your DNS when you try to reach your local router. The IP address will work too.
FYI I am waiting on a reply from the vendor, initial contact was established.
The problem with this behavior caused by their devices is that it could help deanonymizing users. Fritz devices do seem to trigger connected clients into making these DNS requests. Fritzbox devices themselves do not forward them but if you have other DNS servers configured on other devices they do get requested.
@lfkrebs @yoshimo
FYI, the vendor has not replied to me since the end of last month, so I have sent a follow-up today. I also have replicated the issue now that I got my hands on one of these routers, which I bought second hand to test what is really going on here.
The issue is caused by the DHCP server of these routers forcing the domain fritz.box for lookups. As far as I can see there is no way to disable this in the router settings. This makes the domain takeover that happened even more insane. The fact that AVM does it this way is troublesome/worrying imho. It also creates the issue that you cannot change/overwrite the DNS lookup settings of this router, creating some interesting DNS leaks. Besides that, there is the general issue that these lookups, which are forwarded outside the router, leak information about the usage of people connected to these routers.
If you use Little Snitch (or a VPN) there is however a solution, at least for macOS. You can force the DNS to go via them. Like such:
Tool used (pick one):
(I'm also using PiHole and uBlock, but the affected channel here is Little Snitch)
What service are you trying to use? fritz.box (ports 53 for DNS and 80 for the admin interface)
What does not work? As far as I can see, fritz.box was added to the block list today. Because this domain name is used by AVM-manufactured routers called Fritz!Box as the domain for the admin interface and all other services used by the router (like DNS), this rule essentially makes it impossible for a computer to reach the internet or their own router.
Which rule you believe is causing this? On line 10376 of today's version:
||fritz.box^
Background: rule probably not needed anymore
The rule is likely a response to AVM failing to register the domain fritz.box when .box became an active TLD earlier this year. A private person claimed the domain and used it to send people to a variety of (not particularly nefarious?) sites. This would primarily affect people with a Fritz!Box at home who were trying to dial into their admin interface without realizing that they are on some other network — but could have easily been used to phish for admin passwords. In the meantime, AVM has gone to court and has won the rights to the domain so it is no longer serving any dangerous content.
Thank you! Thank you so much for providing this service!
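Added example, not part of the original issue or the blocklist project: one way to check a Pi-hole/dnsmasq query log for the fritz.box lookups discussed in this thread that were forwarded to an upstream resolver instead of being answered locally. The log lines are constructed, the standard dnsmasq `query[...]`/`forwarded` line format is assumed, and pairing a forward with the most recent query for the same name is a heuristic.

```python
import re
from collections import defaultdict

# Constructed sample in dnsmasq/Pi-hole log format (not real traffic).
SAMPLE_LOG = """\
Oct 12 10:01:02 dnsmasq[812]: query[A] example.org from 192.168.178.23
Oct 12 10:01:02 dnsmasq[812]: forwarded example.org to 9.9.9.9
Oct 12 10:01:05 dnsmasq[812]: query[A] printer.fritz.box from 192.168.178.23
Oct 12 10:01:05 dnsmasq[812]: forwarded printer.fritz.box to 9.9.9.9
Oct 12 10:01:09 dnsmasq[812]: query[AAAA] fritz.box from 192.168.178.40
Oct 12 10:01:09 dnsmasq[812]: config fritz.box is 192.168.178.1
Oct 12 10:01:11 dnsmasq[812]: query[A] notfritz.box from 192.168.178.40
Oct 12 10:01:11 dnsmasq[812]: forwarded notfritz.box to 9.9.9.9
"""

QUERY = re.compile(r": query\[(\w+)\] (\S+) from (\S+)$")
FORWARD = re.compile(r": forwarded (\S+) to (\S+)$")


def in_zone(name, zone="fritz.box"):
    """True for the zone itself and its subdomains, matched on a label boundary."""
    name = name.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def leaked_lookups(log_text, zone="fritz.box"):
    """Return {(client, name): [upstreams]} for zone lookups sent upstream."""
    last_client = {}           # name -> client that most recently asked for it
    leaks = defaultdict(set)
    for line in log_text.splitlines():
        m = QUERY.search(line)
        if m:
            _qtype, name, client = m.groups()
            if in_zone(name, zone):
                last_client[name.lower()] = client
            continue
        m = FORWARD.search(line)
        if m and in_zone(m.group(1), zone):
            name, upstream = m.group(1).lower(), m.group(2)
            # Heuristic: attribute the forward to the latest query for this name.
            leaks[(last_client.get(name, "unknown"), name)].add(upstream)
    return {key: sorted(ups) for key, ups in leaks.items()}


if __name__ == "__main__":
    for (client, name), upstreams in leaked_lookups(SAMPLE_LOG).items():
        print(f"{client} asked for {name}; forwarded to {', '.join(upstreams)}")
```
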