Possible botnet / weird DNS requests in my network

My ISP has contacted me regarding a possible botnet attack in my network. There were about 2 million suspect DNS requests sent from my router during a week. I have monitored port 53 on the router with the tcpdump -i br-lan dst port 53 command and found out that my iPhone is the troublesome device; among other normal requests, it also sends requests like these:

09:34:21.428038 IP 192.168.1.102.62710 > 192.168.1.1.53: 197+ Type65? npcv150qvnuhehei69.gdg72zr63jjohmpo.com. (57)
09:34:21.429045 IP 192.168.1.102.65345 > 192.168.1.1.53: 18048+ A? npcv150qvnuhehei69.gdg72zr63jjohmpo.com. (57)
09:39:17.865231 IP 192.168.1.102.57671 > 192.168.1.1.53: 21401+ Type65? t3bglbz1s2x0.rl6bk79ui26urtsi4zy6.com. (55)
09:39:17.865545 IP 192.168.1.102.57618 > 192.168.1.1.53: 41064+ A? t3bglbz1s2x0.rl6bk79ui26urtsi4zy6.com. (55)
09:41:12.730171 IP 192.168.1.102.64781 > 192.168.1.1.53: 32842+ Type65? ypipz8fru28w.m2q1uert3s0vgglwo2w-.com. (55)
09:41:12.730755 IP 192.168.1.102.52081 > 192.168.1.1.53: 30999+ A? ypipz8fru28w.m2q1uert3s0vgglwo2w-.com. (55)
09:44:19.093059 IP 192.168.1.102.53116 > 192.168.1.1.53: 7742+ Type65? l45vvdl77nhhvasitv.2nyf-q4-0jaxl63tkxjrigi.com. (64)
09:44:19.093587 IP 192.168.1.102.56900 > 192.168.1.1.53: 26417+ A? l45vvdl77nhhvasitv.2nyf-q4-0jaxl63tkxjrigi.com. (64)

I have searched this issue a bit and found out it is caused by the Citrix Anyconnect client installed on my company iPhone (see details here: https://discussions.apple.com/thread/8494293). During the investigation I replaced the Turris Omnia router with a low-cost Joyce router that I have and asked my ISP if there was any change. Their support replied that with this router the communication looks normal. It could be a coincidence, but maybe some Turris Omnia setting causes the trouble.

Have any of you observed this issue? Is there any solution to filter these messages and drop them, either in iptables or in knot resolver on Turris Omnia? In the above link there is a regular expression (^[a-z0-9-]{8,27}.[a-z0-9-]{8,27}.com$) that fits the requests mentioned above; is it possible to use it in a dropping rule?

Thank you for your help.

It is possible to block, but such a pattern will match many legitimate names as well, so I wouldn’t generally advise that (as a longer-term “solution” at least). Also, such measures won’t fix your phone.
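To make the two posts above concrete, here is an added example (not code from either poster or from the Turris project) that parses tcpdump "dst port 53" lines like the ones in the question, applies the regular expression quoted from the Apple thread, and counts matching queries per source address so the noisy device stands out. It also illustrates the reply's warning: a constructed, perfectly ordinary-looking name such as downloads.example-company.com matches the same pattern, so the regex is useful for finding the culprit device but is a poor basis for a permanent drop rule. The sample lines are the eight lines quoted in the question plus two constructed ones (192.168.1.105 and the names it queries are assumptions, not from the page); the dots in the regex are escaped so they match a literal ".".

```python
import re
from collections import Counter

# Pattern from the Apple discussions thread quoted in the question. The dots are
# escaped so they match a literal "." rather than any character.
SUSPECT_NAME = re.compile(r"^[a-z0-9-]{8,27}\.[a-z0-9-]{8,27}\.com$")

# Shape of a tcpdump DNS query line:
#   <time> IP <src>.<port> > <dst>.53: <id>[+] <QTYPE>? <name>. (<len>)
# The closing parenthesis is optional because copied output is sometimes cut off.
TCPDUMP_DNS = re.compile(
    r"^(?P<time>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.53: \d+\+? (?P<qtype>\S+)\? "
    r"(?P<name>\S+)\. \((?P<len>\d+)\)?\s*$"
)

# Sample input: the eight lines from the question, followed by two constructed
# lines (a legitimate-looking name that still matches the regex, and one that
# does not). 192.168.1.105 is an assumed second client.
SAMPLE_LINES = [
    "09:34:21.428038 IP 192.168.1.102.62710 > 192.168.1.1.53: 197+ Type65? npcv150qvnuhehei69.gdg72zr63jjohmpo.com. (57)",
    "09:34:21.429045 IP 192.168.1.102.65345 > 192.168.1.1.53: 18048+ A? npcv150qvnuhehei69.gdg72zr63jjohmpo.com. (57)",
    "09:39:17.865231 IP 192.168.1.102.57671 > 192.168.1.1.53: 21401+ Type65? t3bglbz1s2x0.rl6bk79ui26urtsi4zy6.com. (55)",
    "09:39:17.865545 IP 192.168.1.102.57618 > 192.168.1.1.53: 41064+ A? t3bglbz1s2x0.rl6bk79ui26urtsi4zy6.com. (55)",
    "09:41:12.730171 IP 192.168.1.102.64781 > 192.168.1.1.53: 32842+ Type65? ypipz8fru28w.m2q1uert3s0vgglwo2w-.com. (55)",
    "09:41:12.730755 IP 192.168.1.102.52081 > 192.168.1.1.53: 30999+ A? ypipz8fru28w.m2q1uert3s0vgglwo2w-.com. (55)",
    "09:44:19.093059 IP 192.168.1.102.53116 > 192.168.1.1.53: 7742+ Type65? l45vvdl77nhhvasitv.2nyf-q4-0jaxl63tkxjrigi.com. (64)",
    "09:44:19.093587 IP 192.168.1.102.56900 > 192.168.1.1.53: 26417+ A? l45vvdl77nhhvasitv.2nyf-q4-0jaxl63tkxjrigi.com. (64",
    # constructed: ordinary-looking name that nevertheless matches the regex
    "09:45:00.000000 IP 192.168.1.105.50000 > 192.168.1.1.53: 100+ A? downloads.example-company.com. (47)",
    # constructed: does not match (first label shorter than 8 characters)
    "09:45:01.000000 IP 192.168.1.105.50001 > 192.168.1.1.53: 101+ A? www.example.com. (33)",
]


def parse_query(line):
    """Return {'src', 'qtype', 'name'} for a tcpdump DNS line, or None if it does not parse."""
    m = TCPDUMP_DNS.match(line.strip())
    if not m:
        return None
    return {"src": m["src"], "qtype": m["qtype"], "name": m["name"].lower()}


def is_suspect(name):
    """True if the query name matches the thread's regex (note: also true for some legitimate names)."""
    return SUSPECT_NAME.match(name) is not None


def suspect_counts(lines):
    """Count regex-matching queries per source IP address."""
    counts = Counter()
    for line in lines:
        query = parse_query(line)
        if query and is_suspect(query["name"]):
            counts[query["src"]] += 1
    return counts


def noisy_sources(lines, threshold):
    """Source addresses that produced at least `threshold` matching queries in the capture."""
    return sorted(src for src, n in suspect_counts(lines).items() if n >= threshold)


if __name__ == "__main__":
    for src, n in suspect_counts(SAMPLE_LINES).most_common():
        print(f"{src}: {n} matching queries")
    print("noisy:", noisy_sources(SAMPLE_LINES, threshold=5))
```

Feed it a real capture with `tcpdump -i br-lan -l -n dst port 53 | python3 script.py` (reading stdin instead of SAMPLE_LINES) and the per-source counts point at the device to clean up, which is the fix the reply recommends; the example-company line shows why the same regex should not be turned into a blanket drop rule.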

