Turris Omnia supports data criminals?!

Looking into logs and reports I found Turris Omnia is supporting data criminals to track ME.

If I’m right, Turris Omnia reveals my IP address to some of the world’s worst data criminals and uses my IP to contact them whenever it boots up.

This means these data criminals know my IP before I contact the first server, before I see the first webpage, they can track me down from the very first moment on, every day!
Shame on you developers who reveal my personal data to criminal foreign companies.

This needs to end!!

The illegal data theft of facebook and google is among the worst worldwide. They contradict directly the law in my country.

Where do I find the names?

In MY Turris Omnia!

quote from Foris Diagnostics report:

== resolution attempts ==
Attempting to resolve www.google.com

; <<>> DiG 9.11.14 <<>> @127.0.0.1 +dnssec www.google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56598
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

Attempting to resolve www.facebook.com

; <<>> DiG 9.11.14 <<>> @127.0.0.1 +dnssec www.facebook.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49116

Attempting to resolve www.youtube.com

; <<>> DiG 9.11.14 <<>> @127.0.0.1 +dnssec www.youtube.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59339

I need to stop the betrayal!

Question:
How can I avoid Turris contacting these URLs?
Where is the config file to change IMMEDIATELY to stop connecting to scum like “facebook” ?

Please help!

Do you understand what the diagnostic script does and what is supposed to test?


  • do not run the diagnostic script or any other application, incl. downstream clients of the TO that may connect to those hosts you are concerned about.
  • use a DNS sinkhole to prevent resolution for those hosts
  • use a firewall rule to prevent connectivity with those hosts

Are you running the diagnostic script every day?


That sounds like a ripe case for litigation in that country then.

3 Likes

Thanks for the swift reply! Appreciate it!

The diagnostic script is a wonderful status report!

Indirectly you seem to state this situation of contacting Facebook, google and the like only happens if the diagnostic script is started?
If this assumption is right it would be OK for me.

Can you confirm contacting Facebook, google and the like by Turris is limited to actively running the diagnostic script?

You are right: Long time ago I started blocking some of these addresses, host based.
Right, I should do more to block and trap these URLs.

You are right, there are many substantial attempts to limit and litigate these companies in their criminal theft of personal and private data.

Turris Omnia promises to support privacy and security by frequent updates, support of DNSSEC etc.
This was important for me when I purchased two of these boxes (and to recommend them whenever possible). The more it is important Turris Omnia does not betray privacy by hidden connect to Facebook, Google and the like!

That is just derived from your statement


Afraid that I cannot, but unless you have any other sort of evidence than the mentioned diagnostic report, I could only assume that the connectivity to those hosts initiated from the router itself is limited to the diagnostic script. There is also the check_connection script (also some diagnostic), which has to be manually invoked from cli or Foris, that connects for instance to 8.8.8.8.


For the purpose, checking upstream connectivity, the diagnostic script has to connect to some upstream WAN hosts and those hosts mentioned probably provide a reliable sounding board (redundancy, bandwidth, distribution, etc). Perhaps there are other hosts though that would cause less concern, though big data = big business…


Just remember that prior to running the diagnostic script or else the test results may exhibit a wrong picture for anyone trying to assist with an issue.

Just to add - you reported dig commands querying the local resolver instance (@127.0.0.1) for a name <-> ip resolution of the mentioned hosts. The dig process itself does not constitute actual connectivity between the TO and the resolved hosts and neither the forwarded query from the local resolver instance to the upstream resolver.

2 Likes
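The point made in the post above can be checked against the quoted report itself. This is an added example, not part of the thread or of the Turris diagnostics code: it parses the dig transcript and lists which server each query was actually sent to. The function names are hypothetical, and the sample is an abridged copy of the excerpt quoted on this page.

```python
import re

# Abridged excerpt of the Foris diagnostics output quoted in this thread.
SAMPLE = """\
Attempting to resolve www.google.com

; <<>> DiG 9.11.14 <<>> @127.0.0.1 +dnssec www.google.com
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56598
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

Attempting to resolve www.facebook.com

; <<>> DiG 9.11.14 <<>> @127.0.0.1 +dnssec www.facebook.com
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49116
"""

BANNER = re.compile(r"^; <<>> DiG \S+ <<>> (.+)$")
STATUS = re.compile(r"->>HEADER<<-.*status: (\w+), id: (\d+)")
FLAGS = re.compile(r"^;; flags: ([a-z ]+);")

def parse_dig_report(text):
    """Return one record per dig invocation: who was asked, for what, and the result."""
    records = []
    for line in text.splitlines():
        banner = BANNER.match(line)
        if banner:
            args = banner.group(1).split()
            # '@host' names the server dig sends the query to; without it dig
            # falls back to the system resolver configuration.
            server = next((a[1:] for a in args if a.startswith("@")), "system-default")
            names = [a for a in args if a[0] not in "@+-"]
            records.append({"server": server, "qname": names[0] if names else None,
                            "dnssec": "+dnssec" in args, "status": None, "flags": []})
        elif records:
            status, flags = STATUS.search(line), FLAGS.match(line)
            if status:
                records[-1]["status"] = status.group(1)
            if flags:
                records[-1]["flags"] = flags.group(1).split()
    return records

def queried_servers(records):
    """Distinct endpoints that dig itself sent packets to."""
    return {r["server"] for r in records}

if __name__ == "__main__":
    recs = parse_dig_report(SAMPLE)
    for r in recs:
        print(f"{r['qname']:<20} asked of {r['server']:<10} -> {r['status']} flags={r['flags']}")
    print("dig talked to:", sorted(queried_servers(recs)))
```

The transcript only shows dig's own destination; what the local resolver then sends upstream depends on its forwarding configuration, which this output does not reveal.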

Exactly, thanks for pointing that out.

Just FYI: this “privacy violation code that reveals your IP to criminals” can be found in our gitlab, so you can check what it exactly does :wink:

3 Likes

As mentioned above, resolving a DNS domain is not connecting to a domain. So this is baseless.

1 Like

At least in some cases that will give them your IP anyway.

BTW:
Maybe it will look better (politically correct) to use other hosts for this diagnostics? :wink:
www.fsf.org
www.wikipedia.org
www.nic.cz
www.turris.cz
www.open …

Turris = Open Hardware + Open Source + Security + Privacy and … suddenly google and facebook pop up. It looks bad!

3 Likes

The problem is that we diagnose problem with Internet connection and for most users Google is the Internet unfortunately. That is why we check it. It is nice that router can access our website but users are going to report accessible internet when Google doesn’t work (they google nic.cz rather to open nic.cz commonly). Resolving other domains is possible but it won’t tell us anything about google unfortunately.

No.
Google is not the Internet.
Google is a data criminal and the cancer on the internet.

Responsibility means to support what grants freedom and self-determination.
That is why I buy a Turris Omnia for decent money instead of a crap box.
That is why I do not want data criminals like Google, Amazon, Microsoft to share my personal data.
million flies can not be wrong - eat shit.
I do not subscribe to be a fly.

Freedom matters.
The few people on earth who enjoy a life in freedom and democracy are responsible to support freedom and democracy for all of us.

That’s why I worry.

2 Likes

Don’t overreact. We just resolve google.com, something Android and most other devices do. It most likely won’t even reach Google (depends on configuration). At the same time, replacing that address just for the sake of a holy war, when the reality is that we need to see relevant results of resolving for google, just creates a burden on our support. Just do not run DNS diagnostics and all will be fine (but don’t expect support for DNS problems).

1 Like

You betrayed the ideas of freedom for your own convenience.
You offend many of your project’s users.
You may have saddened many of your loyal users with these words :frowning:

Those who equate internet = google buy D-link routers at the supermarket (or even worse Chinese shit).

D-link, TP-link, Linksys etc = google, gmail and fb
Draytek, AVM, Turris and others xxxWRT = duckduckgo, startpage, protonmail, etc
Later for professionals there are pfSense, IPFire etc.

Your routers (which are not the cheapest) are being bought by people who are aware of what they are buying! They have more or less knowledge, but they consciously use JUST your equipment!
Remember your Indiegogo campaign …

There are many web hosts on the internet that are stable and you can test them with your diagnostic tool instead of the two biggest spies.

Edit:
I will say one more thing and probably on behalf of many users of your equipment:
In addition to great hardware and software, your team has one more great achievement: Our TRUST and therefore we consciously and with pleasure turn on Sentinel telemetry.
Don’t let us down…

1 Like

Words that are too strong. You think OpenWRT and Team CZ.NIC are some amateurs? Try reading about the activities of the CZ.NIC association to find out something … https://www.nic.cz/page/2049/projekty-pro-odbornou-verejnost/.

And I think every problem has its own gradual development of solutions.

:slight_smile: I personally think that internet security exists especially if you disconnect from it :slight_smile:

What???
Where did I write that they are amateurs?
I have GREAT respect for NIC.cz (they are one of the best professionals in the world - Reportedly even CloudFlare uses their Knot-resolver (kresd) in its DNS 1.1.1.1 service) and for the Turris team and OpenWRT as well …

Maybe a valid point of view would be - would checking against google/facebook work e.g. in China behind the great firewall? But if you started going down this way, it would possibly happen that there just isn’t any world-wide reliable service that is allowed from all countries.

Clear and worldwide service that is completely free. Who would want to pay it monthly? :wink:

In the diagnostics, there is a DNS test which contains several addresses which can be checked here. Among other things, there could be sensitive data, and diagnostics should not be published publicly anywhere; they are helping us to know what could be a culprit with the issue which you are having. Before sending it to us, you can check what’s there and redact some details which you don’t want to share. Diagnostics are in Foris and reForis. BIND’s dig tool just performs A and AAAA query for the domain, if it is possible to resolve it.

As it was said by @anon50890781 and by two of my colleagues (@vojtech.myslivec and @cynerd), you could check what exactly diagnostics does and we are aware that some of you consider it an issue about your privacy, we understand that and even though there are many US-based websites which do not support DNSSEC and we need to be sure that the website has acceptable uptime. It works all the time because we need to rely on it. Anyway, we have several candidates to replace it with!

I would like to say that we appreciate the feedback, but what someone could view as a flame(war) does not help either you or us. In the past, we were aware that many ISPs in the Czech Republic didn’t implement DNSSEC. What could be helpful for both sides next time is if we together say: what about replacing google.com with a different website, and being concrete about which website you would prefer there.

Thank you for helping us making Turris routers better.

For example duckduckgo.com.

1 Like

Unfortunately, it does not support DNSSEC, but it is one of our candidates which could be there.

1 Like