Teleport DNS behavior?


  • I recently set up pihole at home, and I noticed a particularly strange behavior when I'm not at home, using my Teleport. It looks like a self-assigned IP, 169.254.x.x, is hitting the pihole and making DNS queries to Chinese servers. One of which is connect.ubnt.com.cn. As near as I can tell, this IP is coming from the Teleport. Additionally, I can hit port 80 on this IP while I'm on the Teleport, but get an access denied. Is this just Teleport reaching out to check if the internet is active? Something nefarious?



  • I'm seeing the same thing. This is massively concerning considering the domain doesn't even appear to be owned by Ubiquiti:

    $ whois ubnt.com.cn
    % IANA WHOIS server
    % for more information on IANA, visit http://www.iana.org
    % This query returned 1 object

    refer: whois.cnnic.cn

    domain: CN

    organisation: China Internet Network Information Center (CNNIC)
    address: No. 4, South 4th Street
    address: Zhong Guan Cun
    address: Beijing 100190
    address: China

    contact: administrative
    name: Yu Zeng
    organisation: China Internet Network Information Center (CNNIC)
    address: No. 4, South 4th Street
    address: Zhong Guan Cun
    address: Beijing 100190
    address: China
    phone: +8610-58813686
    fax-no: +8610-58813632
    e-mail: ceo@cnnic.cn

    contact: technical
    name: Yuedong Zhang
    organisation: China Internet Network Information Center (CNNIC)
    address: No. 4, South 4th Street
    address: Zhong Guan Cun
    address: Beijing 100190
    address: China
    phone: +8610-58813202
    fax-no: +8610-58812666
    e-mail: tech@cnnic.cn

    I also don't think there's any good explanation for this device to be reaching out for miui.com.

    The only thing that makes me slightly less concerned here is that it appears to be attempting to do an HTTP GET request on the /generate_204 URI, which seems to be some sort of captive portal detection. In any case, there's no good reason why these domains should be contacted as part of this resolution process.
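An added example, not code from anyone in this thread: a small Python check over Pi-hole/dnsmasq-style query-log lines that flags DNS queries coming from a link-local 169.254.0.0/16 client and queries for the domains named above. The log lines, client addresses and watch list below are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in the dnsmasq (Pi-hole) query-log format;
# timestamps, PIDs and client addresses are made up for this example.
SAMPLE_LOG = """\
Mar 13 13:39:18 dnsmasq[417]: query[A] connect.ubnt.com.cn from 169.254.12.7
Mar 13 13:39:18 dnsmasq[417]: forwarded connect.ubnt.com.cn to 1.1.1.1
Mar 13 13:39:19 dnsmasq[417]: query[A] www.miui.com from 169.254.12.7
Mar 13 13:40:02 dnsmasq[417]: query[A] example.org from 192.168.1.20
Mar 13 13:40:05 dnsmasq[417]: query[AAAA] example.org from 192.168.1.20
"""

# Matches only "query[TYPE] name from client" lines; forwarded/reply lines are ignored.
QUERY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) dnsmasq\[\d+\]: "
    r"query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<client>\S+)$"
)

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")
# Domain suffixes the thread considers unexpected for this device (constructed watch list).
WATCH_SUFFIXES = ("ubnt.com.cn", "miui.com")

def parse_queries(text):
    """Yield (timestamp, qtype, name, client) for each query line in the log text."""
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if m:
            yield m.group("ts"), m.group("qtype"), m.group("name").lower(), m.group("client")

def find_suspicious(text):
    """Return [(timestamp, client, name, reasons)] for queries that trip a rule."""
    findings = []
    for ts, qtype, name, client in parse_queries(text):
        reasons = []
        try:
            addr = ipaddress.ip_address(client)
        except ValueError:
            addr = None  # hostname instead of address; skip the network check
        if addr is not None and addr in LINK_LOCAL:
            reasons.append("link-local client")
        if any(name == s or name.endswith("." + s) for s in WATCH_SUFFIXES):
            reasons.append("watch-listed domain")
        if reasons:
            findings.append((ts, client, name, reasons))
    return findings

def summarize_by_client(text):
    """Map each flagged client address to the sorted set of names it queried."""
    out = defaultdict(set)
    for _, client, name, _ in find_suspicious(text):
        out[client].add(name)
    return {client: sorted(names) for client, names in out.items()}
```

Run against a real /var/log/pihole.log to see which client address the link-local queries come from and how often they recur.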


  • I just shot an email to the security team at Ubiquiti. Hopefully they'll be able to shed some light on this activity.


  • @chris-long Let me know if you get a response. I still see this periodically.


  • Hi @UBNT-Brett - are you guys hosting Teleport back-end network servers in China?


  • @derek-saville The support staff, myself included, are not given that information, so I am not sure.


  • Hi @chris-long - did you receive any feedback on this DNS behavior?

