Fritz!Box security warning

Forums › LAN (ethernet/Wifi/routers/Bluetooth) › Fritz!Box security warning

freitasm

BDFL - Memuneh
80693 posts

Uber Geek
+1 received by user: 41138

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#312493 22-Apr-2024 09:32

Fritz!Box routers create a sub-domain on fritz.box to make browsing local devices in your network easier.

Assume your NAS hostname is "nas". An address is added from the DHCP requests so your NAS can be accessible by using a domain name such as nas.fritz.box instead of an IP address.

This is a feature of the Fritz!Box DNS server. This server will always return a private IP address.

The .box TLD is now available and someone registered fritz.box.

While this will not impact people using the default Fritz!Box DNS, it will be resolved if they use an external DNS such as 1.1.1.1, 8.8.8.8, AdGuard or even one run inside their network, like AdGuard or PiHole.

If you use an external DNS, your lookup for nas.fritz.box will return an external IP address controlled by unknown parties.

Again, this does not affect the Fritz!Box in its default configuration, only if you use a different DNS setting.

For example:

c:\> nslookup nas.fritz.box 8.8.8.8

Server: dns.google
Address: 8.8.8.8
Name: nas.fritz.box
Addresses: 2001:19f0:6c00:1b0e:5400:4ff:fecd:7828 45.76.93.104

I have replaced my Fritz!Box a few years ago, but I have one Windows laptop that still adds ".fritz.box" to some lookups, even long after not being connected to a Fritz!box.

If your DNS service or router allows, you should block any lookup to a domain within .fritz.box to be safe.

This is what my network returns if I try the same lookup with my custom DNS:

c:\> nslookup nas.fritz.box

Server: UnKnown
Address: 192.168.2.1
Name: nas.fritz.box
Addresses: :: 0.0.0.0

More information:

https://crapts.org/2024/04/21/all-fritz-box-modems-have-been-hijacked/

https://news.ycombinator.com/item?id=40106336

Referral links: Quic Broadband (free setup code: R587125ERQ6VE) | Samsung | AliExpress | Wise | Sharesies

Support Geekzone by subscribing (browse ads-free), or making a one-off or recurring donation through PressPatron.

1 | 2

3385 posts

Uber Geek
+1 received by user: 1025

Trusted

#3221295 22-Apr-2024 09:50

So funny

CPU: AMD 5900x | RAM: GSKILL Trident Z Neo RGB F4-3600C16D-32GTZNC-32-GB | MB: Asus X570-E | GFX: EVGA FTW3 Ultra RTX 3080Ti| Monitor: LG 27GL850-B 2560x1440

Quic: https://account.quic.nz/refer/473833 R473833EQKIBX

freitasm

BDFL - Memuneh
80693 posts

Uber Geek
+1 received by user: 41138

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#3221296 22-Apr-2024 09:52

mentalinc:

So funny

If it wasn't the fact I know many people using PiHole and AdGuard to protect themselves from "malware". which now may open a new can of worms.

Referral links: Quic Broadband (free setup code: R587125ERQ6VE) | Samsung | AliExpress | Wise | Sharesies

Support Geekzone by subscribing (browse ads-free), or making a one-off or recurring donation through PressPatron.

reven

3748 posts

Uber Geek
+1 received by user: 874

Trusted

#3221300 22-Apr-2024 10:12

I believe this fixes it if using pihole, under "Domains" adding a regex blacklist.

nslookup returns 0.0.0.0 now for me, vs before it would return the "2001:19f0:6c00:1b0e:5400:4ff:fecd:7828 / 45.76.93.104".

mentalinc

3385 posts

Uber Geek
+1 received by user: 1025

Trusted

#3221302 22-Apr-2024 10:22

^.*\.fritz\.box$

CPU: AMD 5900x | RAM: GSKILL Trident Z Neo RGB F4-3600C16D-32GTZNC-32-GB | MB: Asus X570-E | GFX: EVGA FTW3 Ultra RTX 3080Ti| Monitor: LG 27GL850-B 2560x1440

Quic: https://account.quic.nz/refer/473833 R473833EQKIBX

freitasm

BDFL - Memuneh
80693 posts

Uber Geek
+1 received by user: 41138

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#3221303 22-Apr-2024 10:25

Even my NAS is doing these lookups - and it's not a Windows box. I haven't had a Fritz!box in my network for 12 months now.

Referral links: Quic Broadband (free setup code: R587125ERQ6VE) | Samsung | AliExpress | Wise | Sharesies

Support Geekzone by subscribing (browse ads-free), or making a one-off or recurring donation through PressPatron.

mentalinc

3385 posts

Uber Geek
+1 received by user: 1025

Trusted

#3221322 22-Apr-2024 11:17

Very weird to still have resolving after 12 months.

Do you have any domain controllers? maybe flush DNS on those and reboot both?

CPU: AMD 5900x | RAM: GSKILL Trident Z Neo RGB F4-3600C16D-32GTZNC-32-GB | MB: Asus X570-E | GFX: EVGA FTW3 Ultra RTX 3080Ti| Monitor: LG 27GL850-B 2560x1440

Quic: https://account.quic.nz/refer/473833 R473833EQKIBX

Apple TV

Stream your favourite shows now on Apple TV (affiliate link).

freitasm

BDFL - Memuneh
80693 posts

Uber Geek
+1 received by user: 41138

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#3221323 22-Apr-2024 11:22

mentalinc:

Very weird to still have resolving after 12 months.

Do you have any domain controllers? maybe flush DNS on those and reboot both?

No domain controllers. I did scan the Windows registry for "Fritz.box" and found an entry under Computer\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\Intranet\fritz.box and have now removed it.

I am not sure where to look for in the Synology DSM though.

Referral links: Quic Broadband (free setup code: R587125ERQ6VE) | Samsung | AliExpress | Wise | Sharesies

Support Geekzone by subscribing (browse ads-free), or making a one-off or recurring donation through PressPatron.

Tinkerisk

4814 posts

Uber Geek
+1 received by user: 3684

#3221543 22-Apr-2024 18:11

Just as a side note:

Using the pseudo TLD .local for the internal network is not a good idea either, as it is used by mDNS, for example. 😉

Qui nihil scit, omnia credere debet. - He who knows nothing must believe everything.
Firewalls do NOT stop dragons!
I avoid Big Tech, they try hard to dictate technology and culture across borders.
In effect we have everything to hide from someone, and no idea who someone is.

Tinkerisk

4814 posts

Uber Geek
+1 received by user: 3684

#3221550 22-Apr-2024 18:32

freitasm:

I am not sure where to look for in the Synology DSM though.

Could it be remnants of a DDNS configuration that you had configured at some point with the FB and on the Synology?

Qui nihil scit, omnia credere debet. - He who knows nothing must believe everything.
Firewalls do NOT stop dragons!
I avoid Big Tech, they try hard to dictate technology and culture across borders.
In effect we have everything to hide from someone, and no idea who someone is.

timmmay

20867 posts

Uber Geek
+1 received by user: 5350

Trusted

Lifetime subscriber

#3221551 22-Apr-2024 18:34

Tinkerisk:
Just as a side note:

Using the pseudo TLD .local for the internal network is not a good idea either, as it is used by mDNS, for example. 😉

Could you please explain this.

Tinkerisk

4814 posts

Uber Geek
+1 received by user: 3684

#3221552 22-Apr-2024 18:44

timmmay:
Tinkerisk:

Just as a side note:

Using the pseudo TLD .local for the internal network is not a good idea either, as it is used by mDNS, for example. 😉

Could you please explain this.

Well, the .local domain is a so-called pseudo top-level domain. It means that it is not an official top-level domain that is usable (routable) on the Internet, but this domain has a semi-official status as it is used in some applications. In the case of .local, it is used by the Multicast Domain Name Service (mDNS, aka Bonjour). Hosts that implement this service use .local as a domain name and have their own way of resolving names.

Normally this would not be a problem; however, if you also implement DNS on your network with .local as a TLD, this causes serious name resolution issues. I have had „experience“ of this happening on Linux, Android and OS X systems. Usually in these types of networks you find that DNS name resolution doesn't work at all or only works part of the time.

You end up switching to fixed IP addresses because you can't know if a name can be resolved or not (which defeats the whole purpose of having a DNS server in the first place).

Hence I suggest using .lan for example instead.

Qui nihil scit, omnia credere debet. - He who knows nothing must believe everything.
Firewalls do NOT stop dragons!
I avoid Big Tech, they try hard to dictate technology and culture across borders.
In effect we have everything to hide from someone, and no idea who someone is.

Samsung

Shop now on Samsung phones, tablets, TVs and more (affiliate link).

richms

29117 posts

Uber Geek
+1 received by user: 10231

Trusted

Lifetime subscriber

#3221562 22-Apr-2024 19:35

timmmay:
Tinkerisk:

Just as a side note:

Using the pseudo TLD .local for the internal network is not a good idea either, as it is used by mDNS, for example. 😉

Could you please explain this.

Before mDNS it was quite common to use .local as domains that you had inhouse and didnt want to pay for a domain for .internal and .lan were others that were often used for it.

Then mDNS came along and any device would be able to advertise those and if you had installed apples malware of itunes on a computer, it would then go to the device that advertised its presence with multicast rather than consult the real internal DNS server for it.

Richard rich.ms

Tinkerisk

4814 posts

Uber Geek
+1 received by user: 3684

#3221610 22-Apr-2024 19:52

richms:

Then mDNS came along and any device would be able to advertise those and if you had installed apples malware of itunes on a computer, it would then go to the device that advertised its presence with multicast rather than consult the real internal DNS server for it.

Sorry but Bonjour relies on standards mDNS (RFC 6762), DNS-SD (RFC 3927) and IPv4LL (RFC 6763). This time Apple had only reacted to the cries of users about cumbersome printer configurations in the user forum after cancelling AppleTalk, and developed Rendevous -> Bonjour -> Zeroconf (open source). Windows now also uses this.

Qui nihil scit, omnia credere debet. - He who knows nothing must believe everything.
Firewalls do NOT stop dragons!
I avoid Big Tech, they try hard to dictate technology and culture across borders.
In effect we have everything to hide from someone, and no idea who someone is.

jnimmo

1098 posts

Uber Geek
+1 received by user: 255

#3221675 23-Apr-2024 08:36

Ran into this one too!

Looks like .internal might be a future-proof way to go if you're considering changing it:

https://www.theregister.com/2024/01/29/icann_internal_tld/

timmmay

20867 posts

Uber Geek
+1 received by user: 5350

Trusted

Lifetime subscriber

#3221687 23-Apr-2024 09:12

RFC9375 says to use home.arpa. I switched to that when I moved pihole to docker.

1 | 2