Question A 3rd party domain name has crept into my network... ?

3 years ago I stayed at a Sonesta hotel and used their wi-fi system. I may even have set up an old wi-fi router using a wired ethernet port in my room...

Since then, I get weird traffic through my network... for example, today Adguard Home sees a "relic.sonesta.com" associated with one of my NAS. Interestingly, my Synology NAS's name is "relic." [OK, I edited the real NAS name, but my NAS's name is too unique to show up with *sonesta.com]. Here is the pattern...

Code:
15:15:09
relic.sonesta.com
A
Status: NXDOMAIN
192.168.1.1

Code:
15:15:09
relic.sonesta.com
AAAA
Status: NXDOMAIN
192.168.1.1

There are many "relic.sonesta.com" entries as well as a few "orlp.lp.cs.quickconnect.to.sonesta.com"... For example...

Code:
15:03:39
orlp.lp.cs.quickconnect.to.sonesta.com
AAAA
Status: NXDOMAIN
192.168.1.1

I have never been able to locate the "sonesta.com" entry in my network. I know there are some network savvy folks here... Hopefully you might guide this newbie to purge this "sonesta" irritation from my system.
 
Thinking I could just block "sonesta.com" under Adguard Home... I discovered soon after that my shared folder sync failed... as "relic.sonesta.com" was blocked. ["relic" is the destination NAS].

Unblocking "sonesta.com" restored the shared folder sync.

Puzzle this out...

This too is interesting... in the case of "relic.sonesta.com" logs, there are "relic" logs of the same timestamp... for example...

Code:
20:00:29
relic
AAAA
Status: NOERROR
192.168.2.1

20:00:29
relic
A
Status: NOERROR
192.168.2.1

20:00:29
relic.sonesta.com
A
Status: NXDOMAIN
192.168.2.1

20:00:29
relic.sonesta.com
AAAA
Status: NXDOMAIN
192.168.2.1
 
Can you do an nslookup or dig that will provide zone server info for sonesta.com?

It could be a device or app is advertising locally, such as when devices have a setup.device.com address to find the non-Internet LAN IP. Other than that, is a DNS service resolving back to localhost?

WiFi profile added to your device? Brain dumping now.
 
I wish I had the smarts to answer any of these questions. WiFi profile? Not exactly sure what this is, so I must not have one ???

Out of complete ignorance, I SSH'd into the primary NAS and entered "nslookup"
Then I entered "relic.sonesta.com", "sonesta", "sonesta.com"...
The response was:
Code:
> relic.sonesta.com
Server:         192.168.2.2
Address:        192.168.2.2#53

** server can't find relic.sonesta.com: NXDOMAIN

> sonesta
Server:         192.168.2.2
Address:        192.168.2.2#53
** server can't find sonesta: NXDOMAIN

> sonesta.com
Server:         192.168.2.2
Address:        192.168.2.2#53

Non-authoritative answer:
Name:   sonesta.com
Address: 104.16.86.34
Name:   sonesta.com
Address: 104.16.85.34

I don't know if that was remotely as you asked, but I'm willing to work through this as you have the time. I'm not sure where to start.
 
Profiles would generally get added in mobile devices for [ISP?] provider WiFi services.

Yeah, doing nslookup or dig will provide info on how the request is resolved to an IP. And for you it isn't. But has something running been configured to have a default domain name (like when you setup a DHCP server and say assume un-FQDN requests are for 'this' domain).

Could be that some thing has 'sonesta.com' set as its local domain name and so when the device requests 'relic' it slaps on '.sonesta.com' to make it an FQDN. Sometimes referred to as a search domain.

When running a local DNS service the search domain is useful because I can ping nas instead of ping nas.mydomain.com
 
I won’t be able to sleep the minute I notice this until I figure it out!
Three years! You’re a very patient man :)

NXDOMAIN means non-existent domain

@fredbert suggestions are a good start.

Do you still have that old WiFi router running somewhere on the LAN?
Could be a persistent DNS cache. I really have no answer. But this is interesting, and spooky too 😱
 
Do you still have that old WiFi router running somewhere on the LAN?
Not presently, but at one time I may have run the router which I had taken to the hotel.

I went through all the adaptor settings on the PCs connected to this network. The only oddity I noticed was that a desktop PC (wired ethernet connection) had an inactive wifi adaptor whose IPv4 DNS was pointed to a non-existent LAN IP that may have been related to the wifi router I took to the Sonesta hotel. I edited that out, then reset the network on that PC (including /flushdns) using a multipurpose batch file. After rebooting that PC, and then restarting the NAS, my stats are still showing requests to "relic.sonesta.com"

I backed up my router settings hoping to find a hint of "sonesta" there, but the backup file is indecipherable code. I also scanned my laptop registry for "sonesta" with no result.

I'm wondering where this beast could hide.

At this point, I can only
 
Are you using any LDAP services?

What happens when you ping relic.sonesta.com
From the NAS that got disconnected when you blocked sonesta.com?
(should reply if it’s not blocked)

What happens when you ping relic.sonesta.com
From a host on the LAN (say a PC)?
(I’m hoping that you don’t get a reply)

In Linux I think you can use
cat /etc/resolv.conf
To find out what DNS services your DS is using.

Also check
cat /etc/hosts
See if anything is out of place in there.

Throwing things on the wall here.
 
No LDAP services that I'm aware of (none on NAS).

What happens when you ping relic.sonesta.com
From NAS
ping: relic.sonesta.com: Name or service not known

From PC
C:\WINDOWS\system32>ping relic.sonesta.com
Ping request could not find host relic
In Linux I think you can use
cat /etc/resolv.conf
To find out what DNS services your DS is using.
root@relic:~# cat /etc/resolv.conf
nameserver 192.168.2.2 <--- this is macvlan set up for Adguard.
nameserver 8.8.8.8
domain Sonesta.com <--- WHOA. Where is this coming from? I get this from both NAS.
 
I have no domain on my router, so I'm unsure how this came into being, or how to eradicate it. Can I just edit resolv.conf (can I leave domain blank), or will it repopulate? I don't even have a domain (apart from DDNS).

I'm in a bit over my head... but y'all knew that.
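As an added example (my own code, not from any poster or from Synology), the following Python models the search-domain behaviour described earlier in the thread: the resolver takes the suffix from the "domain" line in resolv.conf, so a lookup of the bare name "relic" becomes a query for relic.sonesta.com followed by a fallback to "relic" once that returns NXDOMAIN, which is the paired log pattern shown above. It also models why blocking sonesta.com broke the sync, assuming the blocker answers the blocked name with a sinkhole address rather than NXDOMAIN: that answer is accepted as final and the bare name is never tried. The resolv.conf text and the DNS answer table are constructed.

```python
# Added illustration (not from any poster in this thread) of how a stray
# "domain" line in /etc/resolv.conf turns a bare hostname lookup into the
# NXDOMAIN pattern seen in the AdGuard Home log. The resolver model follows
# glibc's search-list behaviour; the DNS answers are a constructed table.

# Constructed copy of the resolv.conf shown in the thread.
RESOLV_CONF = """\
nameserver 192.168.2.2
nameserver 8.8.8.8
domain Sonesta.com
"""

# Constructed answers: "relic" is a LAN host; nothing exists under sonesta.com.
ZONE = {"relic": ("NOERROR", "192.168.2.10")}


def search_list(resolv_conf):
    """Return the search suffixes glibc derives from 'domain'/'search' lines.
    'search' overrides 'domain'; the last such line wins (glibc semantics)."""
    suffixes = []
    for line in resolv_conf.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue  # blank line or comment
        key, rest = parts[0], parts[1:]
        if key == "domain" and rest:
            suffixes = [rest[0].lower()]
        elif key == "search":
            suffixes = [s.lower() for s in rest]
    return suffixes


def candidates(name, suffixes, ndots=1):
    """Query names in the order the stub resolver tries them. A name with fewer
    than ndots dots gets each suffix appended first, then is tried as-is."""
    name = name.lower().rstrip(".")
    if name.count(".") >= ndots:
        return [name]
    return [f"{name}.{s}" for s in suffixes] + [name]


def resolve(name, resolv_conf, zone, blocklist=()):
    """Simulate resolution: log every query, stop at the first answer that is
    not NXDOMAIN. A blocked name answers with a sinkhole (0.0.0.0), which the
    resolver accepts as final instead of falling back to the bare name."""
    log = []
    for q in candidates(name, search_list(resolv_conf)):
        if any(q == b or q.endswith("." + b) for b in blocklist):
            log.append((q, "NOERROR"))
            return log, "0.0.0.0"  # sinkhole answer ends the search
        status, addr = zone.get(q, ("NXDOMAIN", None))
        log.append((q, status))
        if status != "NXDOMAIN":
            return log, addr
    return log, None
```

Removing the "domain" line (or using a resolv.conf without one) makes `resolve("relic", ...)` issue the single query for "relic", which is the clean behaviour a LAN-only hostname should have.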
 
Here’s what my resolv.conf looks like. Clean as a whistle.


If you can edit it. Yes. Linux :)
If it’s ok. I don’t know. It’s your network environment.
Maybe someone else can suggest something.

I would make sure I have a good backup. Copy resolv.conf to resolv.backup and edit resolv.conf to point to your name server only and check.
But that’s me, proceed at your own risk :)

However, the million dollar question (well, not million) is how did that get there?
 
I found this interesting...

Code:
root@relic:~# cat /etc/resolv.conf
nameserver 192.168.2.2 
nameserver 8.8.8.8
domain Sonesta.com  

root@relic:~# cat /etc/resolv.conf.static
nameserver 192.168.2.2 
nameserver 8.8.8.8

root@relic:~# cat /etc/resolv.conf.option
domain Sonesta.com

Maybe I could simply rename "resolv.conf.option" and resolv.conf would clean up on its own... or simply copy "resolv.conf.static" to resolv.conf.

I haven't found any info on resolv.conf.option or resolv.conf.static...
 
I've done some testing...

I think 'resolv.conf.option' is generated by Control Panel's Network settings. Under General if you have enabled 'Manually configure DNS server' then what you enter here will be saved to the 'static' file.

I couldn't find where in DSM Control Panel there is a place to define a search domain so I changed it in my DHCP server on the RT2600ac. Now to see if that caused DSM to update the contents of 'resolv.conf.option'.

In Control Panel's Network settings go to the Network Interface tab and edit the LAN interface (or interfaces!). My manual values are the same as given by DHCP but I prefer having them manual. I changed from the manual option to the DHCP option, saved the change, and on checking 'resolv.conf.option' I saw that the domain instruction was now the same as the updated DHCP search domain. Changing the DHCP server's domain back and setting the DSM LAN back to manual settings, it changes again.

So the inference is that the DSM 'domain' value is picked up from whichever DHCP service it detects. I wonder if you just toggle your interface between manual/DHCP and back if this will flush out the domain instruction. Maybe using manual means that search domain never gets changed?

You might want to recreate the shared folder sync to see if that has some cached value?? It didn't work when you blocked sonesta.com which is odd unless the sync settings and this domain instruction are just a weird coincidence where one makes the other work but normally it shouldn't.


Where do I send the bill for consultancy :ROFLMAO:
 
Here's what seems to be working... (though I haven't restarted the NAS yet).

Toggling DHCP had no change for me. Maybe I misread... What I did was...

Code:
mv resolv.conf.option resolv.conf.option.save

Next, I unchecked "Manually configure DNS server" and "Sonesta.com" disappeared from resolv.conf. Kudos to @fredbert here.
Then I checked "Manually configure DNS server", and resolv.conf remained clean.

Then I grepped /etc for "sonesta" and only "resolv.conf.option.save" came up.

Next a restart... and that worked for the NAS with manually assigned DNS. Now to reboot with DNS assigned by router...
 
Maybe resolv.conf.option only gets updated if there is a DHCP search domain with which to update it ... and when you happen to be toggling the LAN settings.

If none of your other LAN devices are getting assigned a search domain then it's a fair guess to assume that DSM is just caching the last one it saw that was provided by a DHCP server. Maybe it never looks again when it has manual LAN settings.
 