Omnia unexplained WAN HTTPS connections / leaks

My Omnia’s WAN side is protected by another firewall (Untangle) so I can see and verify what is possibly leaking out from the Omnia to the WAN (Untangle WAN: public IP1; Omnia WAN: public IP2, but in Untangle’s DMZ).
I noticed periodic batches of HTTPS connections (and a few SMTP) usually once per day to sites I do not use. What is strange is that most of them are .cz and related to banking. After a few days of investigating I could not find any device or source for those connections. Finally I left my Omnia with no clients (not even LXCs) connected. But the same connections were still leaking from the Omnia to the internet (table below, truncated to the last few days).
I’m sure there’s nothing additionally installed to generate traffic like this, only the Omnia defaults. I believe some system default is generating this traffic. Maybe a CZ.NIC intention to check TLS on some popular services?
Anyway, I don’t like that my super-router does something I don’t know about and that cannot be controlled.

Any hints from you guys or CZ.NIC?

Thank you…

time_stamp	s_server_addr	s_server_port	ssl_inspector_detail	ssl_inspector_status	application_control_detail

8.11.2017 9:03	74.125.206.108	25	smtp.gmail.com	INSPECTED	
8.11.2017 9:03	216.58.201.110	443	wallet.google.com	INSPECTED	
					
8.11.2017 3:47	160.218.11.32	443	e-ucet.o2.cz	INSPECTED	
8.11.2017 3:47	195.234.207.123	443	ibs.internetbanka.cz	INSPECTED	
8.11.2017 3:47	93.153.117.139	443	muj.t-mobile.cz	INSPECTED	
8.11.2017 3:47	95.100.178.217	443	itunes.apple.com	INSPECTED	
8.11.2017 3:47	77.75.78.48	25	smtp.seznam.cz	INSPECTED	
8.11.2017 3:47	193.245.72.151	443	muj.erasvet.cz	INSPECTED	
8.11.2017 3:47	31.13.84.36	443	facebook.com	INSPECTED	
8.11.2017 3:47	91.139.8.86	443	ib.creditas.cz	INSPECTED	
8.11.2017 3:45	162.25.64.10	443	cz.unicreditbanking.net	INSPECTED	
8.11.2017 3:45	216.58.201.101	443	mail.google.com	INSPECTED	
					
7.11.2017 21:56	185.189.33.61	443	ssl.aukro.cz	UNTRUSTED	*.aukro.cz
7.11.2017 21:56	212.67.66.170	443	klient3.rb.cz	INSPECTED	klient3.rb.cz
7.11.2017 21:56	193.245.72.229	443	ib24.csob.cz	INSPECTED	ib24.csob.cz
7.11.2017 21:56	77.75.76.150	443	email.seznam.cz	INSPECTED	*.email.seznam.cz
7.11.2017 21:56	193.58.72.141	443	3dsecure.gpwebpay.com	INSPECTED	
7.11.2017 21:56	193.245.72.157	443	paysec.erasvet.cz	INSPECTED	
7.11.2017 21:56	46.255.231.36	443	mail.centrum.cz	INSPECTED	
7.11.2017 21:56	194.228.112.60	443	klient2.rb.cz	INSPECTED	
7.11.2017 21:56	193.245.32.180	443	gateway.paysec.cz	INSPECTED	
7.11.2017 21:56	82.99.162.240	443	klient1.rb.cz	INSPECTED	
7.11.2017 21:56	35.159.8.35	443	account.gopay.com	INSPECTED	
7.11.2017 21:56	193.58.72.171	443	platba.mobitoplatito.cz	UNTRUSTED	
7.11.2017 21:56	185.33.156.7	443	ib.airbank.cz	INSPECTED	
7.11.2017 21:56	46.255.231.37	443	mail.volny.cz	INSPECTED	
7.11.2017 21:56	104.127.59.249	443	secure.payu.com	INSPECTED	
7.11.2017 21:55	64.4.250.32	443	paypal.com	INSPECTED	
					
6.11.2017 8:26	74.125.206.108	25	smtp.gmail.com	INSPECTED	
6.11.2017 8:26	216.58.201.110	443	wallet.google.com	INSPECTED	*.google.com
6.11.2017 3:30	162.25.64.10	443	cz.unicreditbanking.net	INSPECTED	
6.11.2017 3:30	172.217.23.229	443	mail.google.com	INSPECTED	
6.11.2017 3:25	160.218.11.32	443	e-ucet.o2.cz	INSPECTED	
6.11.2017 3:25	195.234.207.123	443	ibs.internetbanka.cz	INSPECTED	
6.11.2017 3:25	93.153.117.139	443	muj.t-mobile.cz	INSPECTED	
6.11.2017 3:25	95.100.178.217	443	itunes.apple.com	INSPECTED	
6.11.2017 3:25	77.75.78.48	25	smtp.seznam.cz	INSPECTED	
6.11.2017 3:25	193.245.72.151	443	muj.erasvet.cz	INSPECTED	
6.11.2017 3:25	185.60.216.35	443	facebook.com	INSPECTED	
6.11.2017 3:25	91.139.8.86	443	ib.creditas.cz	INSPECTED	www.creditas.cz
					
5.11.2017 21:45	193.245.32.180	443	gateway.paysec.cz	INSPECTED	gateway.paysec.cz
5.11.2017 21:45	82.99.162.240	443	klient1.rb.cz	INSPECTED	klient1.rb.cz
5.11.2017 21:45	35.159.8.35	443	account.gopay.com	INSPECTED	account.gopay.com
5.11.2017 21:45	193.58.72.171	443	Server SSL decrypt exception: handshake alert:  unrecognized_name	ABANDONED	platba.mobitoplatito.cz
5.11.2017 21:45	185.33.156.7	443	ib.airbank.cz	INSPECTED	ib.airbank.cz
5.11.2017 21:45	46.255.231.37	443	mail.volny.cz	INSPECTED	*.volny.cz
5.11.2017 21:45	104.127.59.249	443	secure.payu.com	INSPECTED	payu.com
5.11.2017 21:45	194.50.240.77	443	3dsecure.csas.cz	INSPECTED	3dsecure.csas.cz
5.11.2017 21:45	64.4.250.32	443	paypal.com	INSPECTED	paypal.com
5.11.2017 21:45	185.189.33.61	443	ssl.aukro.cz	UNTRUSTED	*.aukro.cz
5.11.2017 21:45	212.67.66.170	443	klient3.rb.cz	INSPECTED	klient3.rb.cz
5.11.2017 21:45	193.245.72.229	443	ib24.csob.cz	INSPECTED	ib24.csob.cz
5.11.2017 21:45	77.75.78.150	443	email.seznam.cz	INSPECTED	*.email.seznam.cz
5.11.2017 21:45	193.58.72.141	443	3dsecure.gpwebpay.com	INSPECTED	3dsecure.gpwebpay.com
5.11.2017 21:45	193.245.72.157	443	paysec.erasvet.cz	INSPECTED	muj.erasvet.cz
5.11.2017 21:45	46.255.231.36	443	mail.centrum.cz	INSPECTED	
5.11.2017 21:45	194.228.112.60	443	klient2.rb.cz	INSPECTED	klient2.rb.cz
					
4.11.2017 6:41	74.125.206.108	25	smtp.gmail.com	INSPECTED	
4.11.2017 6:41	216.58.201.110	443	wallet.google.com	INSPECTED	*.google.com
					
4.11.2017 2:20	95.100.178.217	443	itunes.apple.com	INSPECTED	
4.11.2017 2:20	77.75.76.48	25	smtp.seznam.cz	INSPECTED	
4.11.2017 2:20	193.245.72.151	443	muj.erasvet.cz	INSPECTED	
4.11.2017 2:20	31.13.84.36	443	facebook.com	INSPECTED	
4.11.2017 2:20	91.139.8.86	443	ib.creditas.cz	INSPECTED	
4.11.2017 2:18	162.25.64.10	443	cz.unicreditbanking.net	INSPECTED	
4.11.2017 2:18	216.58.201.101	443	mail.google.com	INSPECTED	
4.11.2017 2:14	160.218.11.32	443	e-ucet.o2.cz	INSPECTED	
4.11.2017 2:14	195.234.207.123	443	ibs.internetbanka.cz	INSPECTED	
4.11.2017 2:14	93.153.117.139	443	muj.t-mobile.cz	INSPECTED	
4.11.2017 2:14	217.77.163.160	443	onenetsamoobsluha.vodafone.cz	INSPECTED	
					
3.11.2017 21:21	185.189.33.61	443	ssl.aukro.cz	UNTRUSTED	
3.11.2017 21:21	212.67.66.170	443	klient3.rb.cz	INSPECTED	
3.11.2017 21:21	193.245.72.229	443	ib24.csob.cz	INSPECTED	
3.11.2017 21:21	77.75.78.150	443	email.seznam.cz	INSPECTED	
3.11.2017 21:21	193.58.72.141	443	3dsecure.gpwebpay.com	INSPECTED	
3.11.2017 21:21	193.245.72.157	443	paysec.erasvet.cz	INSPECTED	
3.11.2017 21:21	46.255.231.36	443	mail.centrum.cz	INSPECTED	
3.11.2017 21:21	194.228.112.60	443	klient2.rb.cz	INSPECTED	klient2.rb.cz
3.11.2017 21:21	193.245.32.180	443	gateway.paysec.cz	INSPECTED	gateway.paysec.cz
3.11.2017 21:21	82.99.162.240	443	klient1.rb.cz	INSPECTED	klient1.rb.cz
3.11.2017 21:21	35.159.8.35	443	account.gopay.com	INSPECTED	account.gopay.com
3.11.2017 21:21	193.58.72.171	443	platba.mobitoplatito.cz	UNTRUSTED	*.mobitoplatito.cz
3.11.2017 21:21	185.33.156.7	443	ib.airbank.cz	INSPECTED	ib.airbank.cz
3.11.2017 21:21	46.255.231.37	443	mail.volny.cz	INSPECTED	*.volny.cz
3.11.2017 21:21	104.127.59.249	443	secure.payu.com	INSPECTED	payu.com
3.11.2017 21:21	194.50.240.77	443	3dsecure.csas.cz	INSPECTED	3dsecure.csas.cz
3.11.2017 21:21	64.4.250.32	443	paypal.com	INSPECTED	paypal.com
					
2.11.2017 7:21	74.125.206.108	25	smtp.gmail.com	INSPECTED	
2.11.2017 7:21	216.58.201.110	443	wallet.google.com	INSPECTED	
					
2.11.2017 1:00	160.218.11.32	443	e-ucet.o2.cz	INSPECTED	
2.11.2017 1:00	195.234.205.123	443	ibs.internetbanka.cz	INSPECTED	
2.11.2017 1:00	93.153.117.139	443	muj.t-mobile.cz	INSPECTED	
2.11.2017 1:00	95.100.178.217	443	itunes.apple.com	INSPECTED	
2.11.2017 1:00	77.75.78.48	25	smtp.seznam.cz	INSPECTED	
2.11.2017 1:00	193.245.72.151	443	muj.erasvet.cz	INSPECTED	
2.11.2017 1:00	185.60.216.35	443	facebook.com	INSPECTED	
2.11.2017 1:00	91.139.8.86	443	ib.creditas.cz	INSPECTED	
2.11.2017 0:58	162.25.64.10	443	cz.unicreditbanking.net	INSPECTED	
2.11.2017 0:58	216.58.201.101	443	mail.google.com	INSPECTED	
					
1.11.2017 21:07	193.245.32.180	443	gateway.paysec.cz	INSPECTED	gateway.paysec.cz
1.11.2017 21:07	82.99.162.240	443	klient1.rb.cz	INSPECTED	klient1.rb.cz
1.11.2017 21:07	35.159.8.35	443	account.gopay.com	INSPECTED	account.gopay.com
1.11.2017 21:07	193.58.72.171	443	Server SSL decrypt exception: handshake alert:  unrecognized_name	ABANDONED	platba.mobitoplatito.cz
1.11.2017 21:07	185.33.156.7	443	ib.airbank.cz	INSPECTED	ib.airbank.cz
1.11.2017 21:07	46.255.231.37	443	mail.volny.cz	INSPECTED	*.volny.cz
1.11.2017 21:07	104.127.59.249	443	secure.payu.com	INSPECTED	payu.com
1.11.2017 21:07	64.4.250.32	443	paypal.com	INSPECTED	
1.11.2017 21:07	185.189.33.61	443	ssl.aukro.cz	UNTRUSTED	
1.11.2017 21:07	212.67.66.170	443	klient3.rb.cz	INSPECTED	
1.11.2017 21:07	193.245.72.229	443	ib24.csob.cz	INSPECTED	
1.11.2017 21:07	77.75.76.150	443	email.seznam.cz	INSPECTED	
1.11.2017 21:06	193.58.72.141	443	3dsecure.gpwebpay.com	INSPECTED	
1.11.2017 21:06	193.245.72.157	443	paysec.erasvet.cz	INSPECTED	
1.11.2017 21:06	46.255.231.36	443	mail.centrum.cz	INSPECTED	
1.11.2017 21:06	194.228.112.60	443	klient2.rb.cz	INSPECTED	
					
31.10.2017 5:28	74.125.206.108	25	smtp.gmail.com	INSPECTED	
31.10.2017 5:28	216.58.201.78	443	wallet.google.com	INSPECTED	
					
31.10.2017 1:35	216.58.214.197	443	mail.google.com	INSPECTED	
31.10.2017 1:30	160.218.11.32	443	e-ucet.o2.cz	INSPECTED	e-ucet.o2.cz
31.10.2017 1:30	195.234.205.123	443	ibs.internetbanka.cz	INSPECTED	ibs.internetbanka.cz
31.10.2017 1:30	93.153.117.139	443	muj.t-mobile.cz	INSPECTED	*.t-mobile.cz
31.10.2017 1:30	95.100.178.217	443	itunes.apple.com	INSPECTED	
31.10.2017 1:30	77.75.78.48	25	smtp.seznam.cz	INSPECTED	
31.10.2017 1:30	193.245.72.151	443	muj.erasvet.cz	INSPECTED	
31.10.2017 1:30	185.60.216.35	443	facebook.com	INSPECTED	
31.10.2017 1:30	91.139.8.86	443	ib.creditas.cz	INSPECTED	
31.10.2017 1:28	162.25.64.10	443	cz.unicreditbanking.net	INSPECTED	cz.unicreditbanking.net
					
30.10.2017 20:00	185.189.33.61	443	ssl.aukro.cz	UNTRUSTED	ssl.aukro.cz
30.10.2017 20:00	212.67.66.170	443	klient3.rb.cz	INSPECTED	
30.10.2017 20:00	193.245.72.229	443	ib24.csob.cz	INSPECTED	
30.10.2017 20:00	77.75.78.150	443	email.seznam.cz	INSPECTED	
30.10.2017 20:00	193.58.72.141	443	3dsecure.gpwebpay.com	INSPECTED	
30.10.2017 20:00	193.245.72.157	443	paysec.erasvet.cz	INSPECTED	
30.10.2017 20:00	46.255.231.36	443	mail.centrum.cz	INSPECTED	
30.10.2017 20:00	194.228.112.60	443	klient2.rb.cz	INSPECTED	
30.10.2017 20:00	193.245.32.180	443	gateway.paysec.cz	INSPECTED	
30.10.2017 20:00	82.99.162.240	443	klient1.rb.cz	INSPECTED	
30.10.2017 20:00	35.159.8.35	443	account.gopay.com	INSPECTED	
30.10.2017 20:00	193.58.72.171	443	Server SSL decrypt exception: handshake alert:  unrecognized_name	ABANDONED	platba.mobitoplatito.cz
30.10.2017 20:00	185.33.156.7	443	ib.airbank.cz	INSPECTED	
30.10.2017 20:00	46.255.231.37	443	mail.volny.cz	INSPECTED	
30.10.2017 20:00	104.127.59.249	443	secure.payu.com	INSPECTED	
30.10.2017 20:00	194.50.240.77	443	3dsecure.csas.cz	INSPECTED	
30.10.2017 20:00	64.4.250.32	443	paypal.com	INSPECTED
2 Likes
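A way to make the pattern in that table explicit, as an added example (my script, not anything from the original post or from Turris OS): it clusters the export into bursts, reports which host sets recur and at what interval, and lists the hosts the inspector could not intercept transparently. SAMPLE_LOG is a constructed subset of the rows above in the same tab-separated layout; the 10-minute burst window is an assumption chosen to fit the timestamps.

```python
"""Burst analysis of an Untangle SSL-inspector export (tab-separated)."""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Record = namedtuple("Record", "ts ip port host status")

# Constructed sample: a subset of the rows from the table above, in the same
# tab-separated layout, with one of the export's empty separator rows kept.
SAMPLE_LOG = (
    "time_stamp\ts_server_addr\ts_server_port\tssl_inspector_detail\t"
    "ssl_inspector_status\tapplication_control_detail\n"
    "8.11.2017 3:47\t160.218.11.32\t443\te-ucet.o2.cz\tINSPECTED\t\n"
    "8.11.2017 3:47\t77.75.78.48\t25\tsmtp.seznam.cz\tINSPECTED\t\n"
    "8.11.2017 3:45\t162.25.64.10\t443\tcz.unicreditbanking.net\tINSPECTED\t\n"
    "\t\t\t\t\t\n"
    "7.11.2017 21:56\t185.189.33.61\t443\tssl.aukro.cz\tUNTRUSTED\t*.aukro.cz\n"
    "7.11.2017 21:56\t212.67.66.170\t443\tklient3.rb.cz\tINSPECTED\tklient3.rb.cz\n"
    "7.11.2017 21:56\t193.58.72.171\t443\tplatba.mobitoplatito.cz\tUNTRUSTED\t\n"
    "7.11.2017 21:55\t64.4.250.32\t443\tpaypal.com\tINSPECTED\t\n"
    "6.11.2017 3:30\t162.25.64.10\t443\tcz.unicreditbanking.net\tINSPECTED\t\n"
    "6.11.2017 3:25\t160.218.11.32\t443\te-ucet.o2.cz\tINSPECTED\t\n"
    "6.11.2017 3:25\t77.75.78.48\t25\tsmtp.seznam.cz\tINSPECTED\t\n"
    "5.11.2017 21:45\t185.189.33.61\t443\tssl.aukro.cz\tUNTRUSTED\t*.aukro.cz\n"
    "5.11.2017 21:45\t212.67.66.170\t443\tklient3.rb.cz\tINSPECTED\tklient3.rb.cz\n"
    "5.11.2017 21:45\t193.58.72.171\t443\tServer SSL decrypt exception: "
    "handshake alert:  unrecognized_name\tABANDONED\tplatba.mobitoplatito.cz\n"
    "5.11.2017 21:45\t64.4.250.32\t443\tpaypal.com\tINSPECTED\tpaypal.com\n"
)


def parse(log_text):
    """Parse the export into Records sorted by time.

    When the inspector logs a handshake error in ssl_inspector_detail, the
    SNI hostname is only in application_control_detail, so fall back to it.
    """
    lines = log_text.splitlines()
    header = lines[0].split("\t")
    records = []
    for line in lines[1:]:
        if not line.strip():
            continue  # empty separator rows in the export
        row = dict(zip(header, line.split("\t")))
        detail = row["ssl_inspector_detail"]
        host = row.get("application_control_detail", "") if "exception" in detail.lower() else detail
        records.append(Record(datetime.strptime(row["time_stamp"], "%d.%m.%Y %H:%M"),
                              row["s_server_addr"], int(row["s_server_port"]),
                              host, row["ssl_inspector_status"]))
    return sorted(records, key=lambda r: r.ts)


def bursts(records, window=timedelta(minutes=10)):
    """Cluster records that follow the previous one within `window` (assumed value)."""
    groups = []
    for r in records:
        if groups and r.ts - groups[-1][-1].ts <= window:
            groups[-1].append(r)
        else:
            groups.append([r])
    return groups


def summarize(groups):
    """Per burst: time span, size, ports, host set, hosts not transparently inspected."""
    return [{"start": g[0].ts, "end": g[-1].ts, "count": len(g),
             "ports": sorted({r.port for r in g}),
             "hosts": frozenset(r.host for r in g),
             "not_inspected": {r.host: r.status for r in g if r.status != "INSPECTED"}}
            for g in groups]


def recurrence(summaries):
    """Host sets seen in more than one burst, with the gaps between their bursts.

    A set that comes back unchanged at a fixed interval is the signature of a
    scheduled job, not of a person or a client device.
    """
    starts = defaultdict(list)
    for s in summaries:
        starts[s["hosts"]].append(s["start"])
    return {hosts: [b - a for a, b in zip(ts, ts[1:])]
            for hosts, ts in starts.items() if len(ts) > 1}


def report(log_text):
    summaries = summarize(bursts(parse(log_text)))
    return summaries, recurrence(summaries)


if __name__ == "__main__":
    summaries, rec = report(SAMPLE_LOG)
    for s in summaries:
        print(f"{s['start']:%d.%m %H:%M}-{s['end']:%H:%M}  {s['count']} conns, "
              f"ports {s['ports']}, not inspected: {s['not_inspected']}")
    for hosts, gaps in rec.items():
        print(sorted(hosts), "recurs after", [str(g) for g in gaps])
```

Run on the complete table above, the two big host sets each come back about every 48 hours on alternate days (evenings on 30.10, 1.11, 3.11, 5.11, 7.11; early mornings on 31.10, 2.11, 4.11, 6.11, 8.11), and the smtp.gmail.com / wallet.google.com pair likewise every other morning, which is why it reads as "once a day". Identical host sets returning on a fixed schedule with no LAN client attached is the signature of a scheduled job on the router, not of a person or a device behind it.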

I personally don’t think there are such intentions. (I can’t speak for the Turris project.) I grepped the filesystem of my Omnia for some fragments of these names and found nothing.

1 Like

I did the same and found nothing either. That’s why I left it w/o any clients and containers running, but still the same. What is strange is that most of the connections are to .cz domains, so if there is anything hidden running it is most probably Czech-made. That’s why I suspect CZ.NIC of having some kind of remote SSL probe running on the router.
The only option to find out is to wipe the router completely and see if this traffic still continues. But if not, then I’ll lose the possibility of a root-cause investigation.

3 Likes

Did you sign up for data collection?

Yes I did.

I don’t know for sure, but I think there are some active checks that are part of data collection which check that nobody is trying a man-in-the-middle attack on you and verify that some certificates match what is expected.

1 Like

Thank you @miska, it seems reasonable now. Could you please investigate more details?
And what will happen if this MITM is detected? Because (as you probably noticed from my reports) it’s actually what I’m doing now…

Well, from your first post it looks like you are monitoring traffic, not intercepting and faking certificates. I think if wrong certificates are found, it will get raised somewhere and somebody will look into it, but most of the time it’s captive portals and nothing malicious.
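What a "does the certificate match what is expected" check of that kind could look like, as an added example (my code, not the Turris/CZ.NIC collector, whose implementation is not shown in this thread): connect to each host, hash the leaf certificate that is actually presented, and compare it with a fingerprint recorded earlier from a connection you trusted. The hostnames are taken from the table above; the "certificates" and pins are constructed placeholders so the example runs offline, and `nonexistent.invalid` is a made-up host used only to show the unreachable case. In an intercepting setup like the Untangle one above, the pinned hosts come back as `mismatch`, which is exactly why such a check can only raise a flag and not prove an attack.

```python
"""Certificate-pin probe: fetch the leaf certificate each host presents,
hash it, and compare with a recorded fingerprint."""
import hashlib
import socket
import ssl


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, the usual pinning identity."""
    return hashlib.sha256(der_cert).hexdigest()


def fetch_leaf(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Return the DER leaf certificate the network presents for `host`.

    Chain verification is deliberately off: the probe wants to *see* a
    substituted certificate rather than refuse it; trust is decided by the
    pin comparison, not by the system CA store.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def classify(expected_fp: str, fetch):
    """Run one pin check via the zero-argument callable `fetch`.

    Outcomes:
      match        the pinned certificate was presented
      mismatch     a different certificate came back; an inspecting proxy like
                   the Untangle setup above looks exactly like this, but so do
                   a captive portal and a routine certificate renewal, so this
                   is a reason to look, not proof of an attack
      handshake    TLS failed before a certificate could be compared (compare
                   the ABANDONED / unrecognized_name rows in the table)
      unreachable  no TCP connection at all
    """
    try:
        presented = fetch()
    except ssl.SSLError as exc:          # subclass of OSError, so test it first
        return "handshake", str(exc)
    except OSError as exc:
        return "unreachable", str(exc)
    observed = fingerprint(presented)
    return ("match" if observed == expected_fp else "mismatch"), observed


def run_checks(pins: dict, fetch_leaf=fetch_leaf) -> dict:
    """Check every pinned host; returns {host: (outcome, detail)}."""
    return {host: classify(fp, lambda h=host: fetch_leaf(h))
            for host, fp in pins.items()}


# --- constructed stand-in for the network, so the example runs offline -----
# The byte strings are NOT real certificates; only their hashes matter here.
FAKE_NETWORK = {
    "ib24.csob.cz": b"constructed DER of the certificate that was pinned",
    "ssl.aukro.cz": b"constructed DER of a proxy-issued substitute certificate",
    "platba.mobitoplatito.cz": ssl.SSLError("handshake alert: unrecognized_name"),
}


def fake_fetch(host, port=443, timeout=5.0):
    """Replaces fetch_leaf() for the offline demo: unknown hosts are 'unreachable'."""
    result = FAKE_NETWORK.get(host, ConnectionRefusedError(f"{host}:{port}"))
    if isinstance(result, Exception):
        raise result
    return result


# Pins as you would have recorded them from a connection you trust
# (placeholder values; record your own before relying on them).
PINS = {
    "ib24.csob.cz": fingerprint(FAKE_NETWORK["ib24.csob.cz"]),
    "ssl.aukro.cz": fingerprint(b"constructed DER of the genuine aukro certificate"),
    "platba.mobitoplatito.cz": "0" * 64,
    "nonexistent.invalid": "0" * 64,
}

if __name__ == "__main__":
    for host, (outcome, detail) in run_checks(PINS, fetch_leaf=fake_fetch).items():
        print(f"{host:26} {outcome:12} {detail[:40]}")
```

To probe the real network, call `run_checks(PINS)` without the fake fetcher. Pinning the leaf certificate means every legitimate renewal shows up as a mismatch; pinning the issuing CA or the public key (SPKI) instead is the usual trade-off if you run this for longer than one certificate lifetime.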

It’s not important for the question, but I’m generating certificates on the fly to inspect HTTPS traffic. So some apps abandon connections because they have certificates pinned/hardcoded, and if they don’t receive what is expected they drop the connection (typically Google apps on Android). So yes, I’m doing MITM. There is no other way to inspect HTTPS traffic than to intercept it and fake the certificate.

Anyway back to original question:
Did you find a minute to discuss whether there really is this MITM check by cz.nic you mentioned?
If so, and cz.nic servers find this MITM by probing the Omnia, what action is taken? Or what is the reason for this check if there is no action?
Thank you…

1 Like

@miska please…? :confused:

Can you post the conntrack logs? Maybe I can compare them to mine.
Or instead of DNS names simply the IPs, so I can grep for them.

I think these connections should be logged by conntrack.
Maybe we can figure out what’s the reason for that.

Edit: I just checked 3-4 DNS names, can’t find the related IPs in my logs.

193.245.72.229 ib24.csob.cz
212.67.66.170 klient3.rb.cz
193.245.72.157 paysec.erasvet.cz

I don’t want to publish my conntrack log but:
The dst IPs were logged by conntrack, but with src = WAN IP, not a LAN IP. So it must be caused by the router.

If I generate a DNS log with Foris diagnostics, there are some amazing records (truncated below).

Do you think the traffic shown in the first post can be generated by the resolver checking DNSSEC by probing some pre-defined SSL/SMTP addresses?

== resolution attempts ==
Attempting to resolve api.turris.cz

; <<>> DiG 9.10.5-P3 <<>> @127.0.0.1 +dnssec api.turris.cz
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13481
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;api.turris.cz.			IN	A

;; ANSWER SECTION:
api.turris.cz.		1608	IN	A	217.31.192.101
api.turris.cz.		1608	IN	RRSIG	A 13 3 1800 20171124183001 20171110170001 33732 turris.cz. Vp+YG4ZIZgeAk2UryqvDxwC+G5GjIrdLiQd++Bz22ZLZk66TjOstguMm oRyPrsk2DdWoxASItq9lbwdMxtQrbg==

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Nov 17 10:48:14 CET 2017
;; MSG SIZE  rcvd: 163

Attempting to resolve www.google.com

; <<>> DiG 9.10.5-P3 <<>> @127.0.0.1 +dnssec www.google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40718
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.google.com.			IN	A

;; ANSWER SECTION:
www.google.com.		133	IN	A	216.58.201.100

;; Query time: 25 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Nov 17 10:48:14 CET 2017
;; MSG SIZE  rcvd: 59

Attempting to resolve www.facebook.com

; <<>> DiG 9.10.5-P3 <<>> @127.0.0.1 +dnssec www.facebook.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55212
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.facebook.com.		IN	A

;; ANSWER SECTION:
www.facebook.com.	2084	IN	CNAME	star-mini.c10r.facebook.com.
star-mini.c10r.facebook.com. 37	IN	A	31.13.84.36

;; Query time: 5 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Nov 17 10:48:14 CET 2017
;; MSG SIZE  rcvd: 105

Attempting to resolve www.youtube.com

; <<>> DiG 9.10.5-P3 <<>> @127.0.0.1 +dnssec www.youtube.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16913
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.youtube.com.		IN	A

;; ANSWER SECTION:
www.youtube.com.	11899	IN	CNAME	youtube-ui.l.google.com.
youtube-ui.l.google.com. 27	IN	A	172.217.23.206
youtube-ui.l.google.com. 27	IN	A	172.217.23.238
youtube-ui.l.google.com. 27	IN	A	216.58.201.78

;; Query time: 6 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Nov 17 10:48:14 CET 2017
;; MSG SIZE  rcvd: 146

Attempting to resolve www.rhybar.cz

; <<>> DiG 9.10.5-P3 <<>> @127.0.0.1 +dnssec www.rhybar.cz
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 739
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.rhybar.cz.			IN	A

;; Query time: 892 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Nov 17 10:48:15 CET 2017
;; MSG SIZE  rcvd: 31

Attempting to resolve *.wilda.rhybar.0skar.cz

; <<>> DiG 9.10.5-P3 <<>> @127.0.0.1 +dnssec *.wilda.rhybar.0skar.cz
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 32397
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;*.wilda.rhybar.0skar.cz.	IN	A

;; Query time: 125 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Nov 17 10:48:15 CET 2017
;; MSG SIZE  rcvd: 41

Attempting to resolve *.wilda.nsec.0skar.cz

; <<>> DiG 9.10.5-P3 <<>> @127.0.0.1 +dnssec *.wilda.nsec.0skar.cz
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16223
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;*.wilda.nsec.0skar.cz.		IN	A

;; ANSWER SECTION:
*.wilda.nsec.0skar.cz.	300	IN	A	85.239.227.179
*.wilda.nsec.0skar.cz.	300	IN	RRSIG	A 10 4 300 20800101000000 20140130121330 28887 nsec.0skar.cz. fJxvVUjFwkEqsDvCOrQHoyLwOQf4XKtmhMJCEZiCEy7MvxGx73uJPI1T lxFhM3PfZCsDUQukMEcGhQgKmnZbSkudE9ocSXELt9ponJHWdh0TIoFh BciCOA8UfO3K2gcYR+v0wyXlHGLHWXysPiULCk3ujDbFHTUBxQadN+9E f0TODRF/VtPrwJFisCDGPV9SofuOChI64Xys/Ycmn6fFKp09YTDDhroI IuedqT1CgKPi0WHFLLAqkSUBzRFPYu5769xrR/ukPHBBcj/SGJWdTkcW ybHSoR9rRr9JyQ2o+FrIf+nKtcY8rVQ8EUexq7CsdMcUo3ZGwgjuaR1v IUVVNw==

;; Query time: 1061 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Nov 17 10:48:16 CET 2017
;; MSG SIZE  rcvd: 367

Attempting to resolve *.wild.nsec.0skar.cz

; <<>> DiG 9.10.5-P3 <<>> @127.0.0.1 +dnssec *.wild.nsec.0skar.cz
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36818
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;*.wild.nsec.0skar.cz.		IN	A

;; ANSWER SECTION:
*.wild.nsec.0skar.cz.	300	IN	CNAME	flexi.oskarcz.net.
*.wild.nsec.0skar.cz.	300	IN	RRSIG	CNAME 10 4 300 20800101000000 20140130121330 28887 nsec.0skar.cz. OCgbO4C5z8FvuxZ+nb5ZGR8boZaWYLSWfEPxt1BKhFgMNKc/gugNMvIr 7L2kKTnw/gpqmBvCY3pBn5v5HbwZ280yOouHvUrHDWQV8rDEIil0E+QH Eqlz4sUxPlmRlIkdzMf31WYN/6qOfTWwdDA3FWrw+316BzVVnteR3o8W +pJy41SI4XQApVfeDM/4wbPVxNzQT+rchOEAIo0Q+3cqeI9BnbQtiZwd CthmTcIbcV8GnzYbI48XbUIr13upMjzE8ZI3mi/ZGI9qs2BUy88D1HRz sHKgRfSPjwGcJfAxvvTWqVu1u0JIvg/agfgGEAh/GNYmcfHg7F+iMFZx V2GmWg==
flexi.oskarcz.net.	2321	IN	A	85.239.227.179
flexi.oskarcz.net.	2321	IN	RRSIG	A 10 3 3600 20171211024403 20171111024403 39332 oskarcz.net. oSLZfYBeVPedKl1MtSyuwE78Ro19Z0epG3p3e7b9N+WfSCSnpGjCtad1 ETAcywEJ/Cs4NInNQpnWi8tXyQN1Kq73XdwirOcDbNiqzh4kWRV+J1Dt +WwP1rm3RmmaTiYWlYbRzmNqF9+fjU/ZuhkkDBfAxvXTvOvH4skgPbD6 pCI=

;; Query time: 90 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Nov 17 10:48:17 CET 2017
;; MSG SIZE  rcvd: 602

Attempting to resolve *.wilda.0skar.cz

; <<>> DiG 9.10.5-P3 <<>> @127.0.0.1 +dnssec *.wilda.0skar.cz
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11483
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;*.wilda.0skar.cz.		IN	A

;; ANSWER SECTION:
*.wilda.0skar.cz.	2321	IN	A	85.239.227.179
*.wilda.0skar.cz.	2321	IN	RRSIG	A 10 3 3600 20171211024404 20171111024404 16157 0skar.cz. ft3E3LgqqLja8pafQMr/cSt2rSpl0poEZgbpiJ3caKEN21Q7l8nO9aKB PAwFrCrSrhtRwWW0HuCGslF8rpyVom7RYApqMs6LJppOuL7qRFDvVIKO l7QFlpSHJyMmRhHDsrFMvBVAGCRowbNByem6qyDR9YHAosDiDqocKIiN rlo=

;; Query time: 90 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Nov 17 10:48:17 CET 2017
;; MSG SIZE  rcvd: 229

Attempting to resolve *.wild.0skar.cz

; <<>> DiG 9.10.5-P3 <<>> @127.0.0.1 +dnssec *.wild.0skar.cz
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38720
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;*.wild.0skar.cz.		IN	A

;; ANSWER SECTION:
*.wild.0skar.cz.	2321	IN	CNAME	flexi.oskarcz.net.
*.wild.0skar.cz.	2321	IN	RRSIG	CNAME 10 3 3600 20171211024404 20171111024404 16157 0skar.cz. IPVqG9HtcH8ce0VlwV2mAaCtWyjuqyPffoLImHuLNJUTCPSuuXkUmMAr QLbra6NkXLSiBy1rxh4QArZD8tqZZi0ud8wleGi7y7Sb/EBrUexcSM8B UQdmhskXnJD91vbGCk02rWX5m+K8121MvN6po/OuqlpvYgnWaqLx5R4e TTM=
flexi.oskarcz.net.	2321	IN	A	85.239.227.179
flexi.oskarcz.net.	2321	IN	RRSIG	A 10 3 3600 20171211024403 20171111024403 39332 oskarcz.net. oSLZfYBeVPedKl1MtSyuwE78Ro19Z0epG3p3e7b9N+WfSCSnpGjCtad1 ETAcywEJ/Cs4NInNQpnWi8tXyQN1Kq73XdwirOcDbNiqzh4kWRV+J1Dt +WwP1rm3RmmaTiYWlYbRzmNqF9+fjU/ZuhkkDBfAxvXTvOvH4skgPbD6 pCI=

;; Query time: 180 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Nov 17 10:48:17 CET 2017
;; MSG SIZE  rcvd: 464

Attempting to resolve www.wilda.nsec.0skar.cz

; <<>> DiG 9.10.5-P3 <<>> @127.0.0.1 +dnssec www.wilda.nsec.0skar.cz
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33608
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.wilda.nsec.0skar.cz.	IN	A

;; ANSWER SECTION:
www.wilda.nsec.0skar.cz. 300	IN	CNAME	flexi.oskarcz.net.
www.wilda.nsec.0skar.cz. 300	IN	RRSIG	CNAME 10 5 300 20800101000000 20140130121330 28887 nsec.0skar.cz. VCwEXOf8qK1MZ52r6zGGKI4+JUEm8tF/xTYM7isp/W0a9S7O0Zntl7qN 7Eu0uy9TJ3lhTyGGjo4kI63TgZW6DaROepBMwRRHmsMNdR69+shBWumj q65grbAHkZh4D4BHmWz44iQOjc6l5zyl42zUHd8Oo3NEVm/gt5hRf/bP prtmNwVvoHrQJfDdEEa49s+ES5dKUE0m1t2JiYIOsCkC2WOdHHnDPj61 gKRi7+ktYmejl7srj98dvCCiNKI4Qb3FkTotaLxtFCs8n69/UO0e4m/b gXerIRrh8P4dJuy/p73Bsm1v4RdrnJ0CMdc+2kEKrD4fGy6QWAWl8MtA /vicnw==
flexi.oskarcz.net.	2321	IN	A	85.239.227.179
flexi.oskarcz.net.	2321	IN	RRSIG	A 10 3 3600 20171211024403 20171111024403 39332 oskarcz.net. oSLZfYBeVPedKl1MtSyuwE78Ro19Z0epG3p3e7b9N+WfSCSnpGjCtad1 ETAcywEJ/Cs4NInNQpnWi8tXyQN1Kq73XdwirOcDbNiqzh4kWRV+J1Dt +WwP1rm3RmmaTiYWlYbRzmNqF9+fjU/ZuhkkDBfAxvXTvOvH4skgPbD6 pCI=

;; Query time: 19 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Nov 17 10:48:17 CET 2017
;; MSG SIZE  rcvd: 605

Attempting to resolve www.wilda.0skar.cz

; <<>> DiG 9.10.5-P3 <<>> @127.0.0.1 +dnssec www.wilda.0skar.cz
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55734
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.wilda.0skar.cz.		IN	A

;; ANSWER SECTION:
www.wilda.0skar.cz.	2321	IN	CNAME	flexi.oskarcz.net.
www.wilda.0skar.cz.	2321	IN	RRSIG	CNAME 10 4 3600 20171211024404 20171111024404 16157 0skar.cz. G4xqYS/ZjxP9VMXsrbPQKW+d1sBvv5DeXiejU7MuJjGWUrvIMXl1RL0G YLuyEorS8tvGqL9IyXqIyk7v5ye5z3xIlPiV+q5eHif4uNRIbrIt2UI2 /Tjrz8rV/E0wL17x+O3RPQ6XNM0QDAaMUQHlyk935KFZB5s4USvs0elv 6UM=
flexi.oskarcz.net.	2321	IN	A	85.239.227.179
flexi.oskarcz.net.	2321	IN	RRSIG	A 10 3 3600 20171211024403 20171111024403 39332 oskarcz.net. oSLZfYBeVPedKl1MtSyuwE78Ro19Z0epG3p3e7b9N+WfSCSnpGjCtad1 ETAcywEJ/Cs4NInNQpnWi8tXyQN1Kq73XdwirOcDbNiqzh4kWRV+J1Dt +WwP1rm3RmmaTiYWlYbRzmNqF9+fjU/ZuhkkDBfAxvXTvOvH4skgPbD6 pCI=

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Nov 17 10:48:17 CET 2017
;; MSG SIZE  rcvd: 467

Attempting to resolve *.wilda.rhybar.ecdsa.0skar.cz

; <<>> DiG 9.10.5-P3 <<>> @127.0.0.1 +dnssec *.wilda.rhybar.ecdsa.0skar.cz
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 17434
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;*.wilda.rhybar.ecdsa.0skar.cz.	IN	A

;; Query time: 271 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Nov 17 10:48:17 CET 2017
;; MSG SIZE  rcvd: 47

That seems really unlikely. Knot-resolver does no such thing by itself (I’m its upstream dev), and AFAIK similar Omnia scripts testing multiple names are only on-demand. The only “tricky” thing is the optional predictor module that may prefetch names but only those that were resolved before already.

So what do you think about this log?
An address like *.wilda.rhybar.0skar.cz is really unusual, I think.

Should I play with BIND resolver?

This guy https://ondřej.caletka.cz/ has something to do with Turris.
And I found him so let’s ping him: @Ondrej_Caletka :grinning:

That’s what the Foris DNS diagnostics tries to resolve – to check some more complex DNSSEC cases. I can’t see what you find so intriguing about that…

I didn’t know. So the addresses in the DNS log I posted a while back are from the Foris DNS check even though I didn’t launch it manually?

When you generate DNS diagnostics, these queries are run – most likely to increase the probability of the log containing some useful information.

1 Like

Those domain names are part of this tester of DNSSEC validation of wildcard names when chaining resolvers.

I was unaware it has been used in Turris diagnostics, but I have no problem with that :wink:

3 Likes
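For anyone reading that diagnostics dump later, here is how to read the DNSSEC side of it, as an added example (my script, not Foris or Knot Resolver code): it takes the `dig +dnssec` blocks as pasted above and reports, per name, whether the resolver returned a validated answer (the `ad` flag), an unvalidated one, or SERVFAIL, and what the RRSIG records say about algorithm and signature lifetime. SAMPLE is a constructed excerpt of the dump above with the long signature data shortened; the interpretation of SERVFAIL as "bogus or unreachable" is a statement about validating resolvers in general, since the dump alone cannot tell the two apart.

```python
"""Classify the names in a Foris DNS-diagnostics dump by DNSSEC outcome."""
import re
from datetime import datetime

# Constructed excerpt of the dig +dnssec dump posted above, RRSIG data shortened.
SAMPLE = """\
Attempting to resolve api.turris.cz

; <<>> DiG 9.10.5-P3 <<>> @127.0.0.1 +dnssec api.turris.cz
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13481
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
api.turris.cz.   1608  IN  A      217.31.192.101
api.turris.cz.   1608  IN  RRSIG  A 13 3 1800 20171124183001 20171110170001 33732 turris.cz. Vp+YG4...

Attempting to resolve www.google.com

; <<>> DiG 9.10.5-P3 <<>> @127.0.0.1 +dnssec www.google.com
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40718
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
www.google.com.  133   IN  A      216.58.201.100

Attempting to resolve www.rhybar.cz

; <<>> DiG 9.10.5-P3 <<>> @127.0.0.1 +dnssec www.rhybar.cz
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 739
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

Attempting to resolve *.wilda.nsec.0skar.cz

; <<>> DiG 9.10.5-P3 <<>> @127.0.0.1 +dnssec *.wilda.nsec.0skar.cz
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16223
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
*.wilda.nsec.0skar.cz.  300  IN  A      85.239.227.179
*.wilda.nsec.0skar.cz.  300  IN  RRSIG  A 10 4 300 20800101000000 20140130121330 28887 nsec.0skar.cz. fJxv...
"""

# IANA DNSSEC algorithm numbers for the ones that appear in the dump (and two common others).
ALGORITHMS = {8: "RSASHA256", 10: "RSASHA512", 13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384"}
# RRSIG rdata: type alg labels origttl expiration inception keytag signer sig
RRSIG_RE = re.compile(r"\bIN\s+RRSIG\s+\w+\s+(\d+)\s+\d+\s+\d+\s+(\d{14})\s+(\d{14})\s")
TIME_FMT = "%Y%m%d%H%M%S"


def verdict(status, flags):
    """What the resolver's answer says about validation."""
    if status == "SERVFAIL":
        # A validating resolver answers SERVFAIL when the signatures do not
        # check out (bogus), but also when it simply cannot reach the zone;
        # the dump alone cannot tell the two apart.
        return "bogus-or-unreachable"
    if status != "NOERROR":
        return status.lower()
    # `ad` = the resolver validated the chain of trust.  It is only meaningful
    # when the resolver is reached over a path you trust (127.0.0.1 here).
    return "secure" if "ad" in flags else "insecure"


def parse_dig_dump(text):
    """Return {name: {verdict, algorithms, max_sig_lifetime_days}} per dig block."""
    result = {}
    for chunk in re.split(r"^Attempting to resolve ", text, flags=re.M)[1:]:
        name, _, body = chunk.partition("\n")
        status = re.search(r"status: (\w+)", body).group(1)
        flags_m = re.search(r"^;; flags: ([^;]*);", body, re.M)
        flags = set(flags_m.group(1).split()) if flags_m else set()
        sigs = RRSIG_RE.findall(body)
        lifetimes = [(datetime.strptime(exp, TIME_FMT) - datetime.strptime(inc, TIME_FMT)).days
                     for _, exp, inc in sigs]
        result[name.strip()] = {
            "verdict": verdict(status, flags),
            "algorithms": [ALGORITHMS.get(int(a), f"alg{a}") for a, _, _ in sigs],
            "max_sig_lifetime_days": max(lifetimes, default=0),
        }
    return result


if __name__ == "__main__":
    for name, info in parse_dig_dump(SAMPLE).items():
        note = ""
        if info["max_sig_lifetime_days"] > 365:
            # Decades-long signatures give no protection against replaying old
            # records; fine for a test zone, not something to copy in production.
            note = "  (signature valid for %d days)" % info["max_sig_lifetime_days"]
        print(f"{name:26} {info['verdict']:22} {','.join(info['algorithms']) or '-'}{note}")
```

To separate "bogus" from "unreachable" for a SERVFAIL name, query it again with checking disabled (`dig +cd +dnssec <name> @127.0.0.1`): an answer with `+cd` but SERVFAIL without it means the resolver could fetch the data and refused it on validation, which is the result a deliberately mis-signed test name is supposed to produce.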