SamyGO

Posted: **Thu Aug 20, 2015 2:11 pm**

I'm using OpenWRT (BarrierBreaker) and dnsmasq to do this override.

However, by using just the 4 domains in sectroyer's link, I am still able to access his link (it's not as effective as URL filtering). However, when accessing a subdomain of msecnd.net, I get a "Name or service not known" error, but when accessing a subdomain of the subdomain, it eventually (after 20s) resolves it:

Code: Select all

root@arcturus:~# time nslookup msecnd.net 192.168.1.1
Server:    192.168.1.1
Address 1: 192.168.1.1 arcturus.lan

Name:      msecnd.net
Address 1: 127.0.0.1 localhost
real	0m 0.02s
user	0m 0.00s
sys	0m 0.01s

root@arcturus:~# time nslookup vo.msecnd.net 192.168.1.1
Server:    192.168.1.1
Address 1: 192.168.1.1 arcturus.lan

nslookup: can't resolve 'vo.msecnd.net': Name or service not known
Command exited with non-zero status 1
real	0m 0.01s
user	0m 0.00s
sys	0m 0.01s

root@arcturus:~# time nslookup az307127.vo.msecnd.net 192.168.1.1
Server:    192.168.1.1
Address 1: 192.168.1.1 arcturus.lan

Name:      az307127.vo.msecnd.net
Address 1: 2606:2800:133:206e:1315:22a5:2006:24fd
Address 2: 68.232.34.200
real	0m 20.03s
user	0m 0.00s
sys	0m 0.01s

Test 1: Point the ip to 0.0.0.0:

Code: Select all

root@arcturus:~# time nslookup msecnd.net 192.168.1.1
Server:    192.168.1.1
Address 1: 192.168.1.1 arcturus.lan

Name:      msecnd.net
Address 1: 0.0.0.0 msecnd.net
real	0m 0.01s
user	0m 0.00s
sys	0m 0.00s
root@arcturus:~# time nslookup vo.msecnd.net 192.168.1.1
Server:    192.168.1.1
Address 1: 192.168.1.1 arcturus.lan

nslookup: can't resolve 'vo.msecnd.net': Name or service not known
Command exited with non-zero status 1
real	0m 0.02s
user	0m 0.00s
sys	0m 0.01s
root@arcturus:~# time nslookup az307127.vo.msecnd.net 192.168.1.1
Server:    192.168.1.1
Address 1: 192.168.1.1 arcturus.lan

Name:      az307127.vo.msecnd.net
Address 1: 2606:2800:133:206e:1315:22a5:2006:24fd
Address 2: 68.232.34.200
real	0m 20.07s
user	0m 0.00s
sys	0m 0.01s

- doesn't work

Test 2 - blacklist vo.msecnd.net as well

Code: Select all

root@arcturus:~# time nslookup msecnd.net 192.168.1.1
Server:    192.168.1.1
Address 1: 192.168.1.1 arcturus.lan

Name:      msecnd.net
Address 1: 0.0.0.0 msecnd.net
real	0m 0.01s
user	0m 0.00s
sys	0m 0.01s
root@arcturus:~# time nslookup vo.msecnd.net 192.168.1.1
Server:    192.168.1.1
Address 1: 192.168.1.1 arcturus.lan

Name:      vo.msecnd.net
Address 1: 0.0.0.0 msecnd.net
real	0m 0.04s
user	0m 0.00s
sys	0m 0.00s
root@arcturus:~# time nslookup az307127.vo.msecnd.net 192.168.1.1
Server:    192.168.1.1
Address 1: 192.168.1.1 arcturus.lan

Name:      az307127.vo.msecnd.net
Address 1: 2606:2800:133:206e:1315:22a5:2006:24fd
Address 2: 68.232.34.200
real	0m 20.03s
user	0m 0.00s
sys	0m 0.01s

... Same thing - doesn't work.

It's puzzling. I'll try to do a packet capture (or run dnsmasq in debug mode) to try to better understand the issue...

Posted: **Thu Aug 20, 2015 7:23 pm**

ryn0909 wrote: HOW about a screenshot of your routers "access restrictions" page? preferably where it says "blocking by url"

And below the screenshot... Special for you

SpoilerShow

Posted: **Thu Aug 20, 2015 7:36 pm**

thank you

well thats exactly what i needed to see. you know, i ran pirni on my iphone and had it sniff some packets from the tv while i ran the update, hoping to get a better idea of where its sending update request to and receiving the update from.... but im not that familiar with using wireshark to analyze the captured packets. so it might take me some time to get it pinned down

also: if i cant get this wrt54gs to properly block the update to the tv, im gonna try blocking it from within the cable modem that is attached to my wrt54gs

Posted: **Fri Aug 21, 2015 1:36 pm**

Regarding my previous problem - using OpenWRT + dnsmasq to filter out the TV updates, here's what I tested:

I'm logging DNS queries, and this is what I get when I ask for msecnd.net:

Code: Select all

Fri Aug 21 14:58:33 2015 daemon.info dnsmasq[13972]: query[AAAA] msecnd.net from 192.168.1.1
Fri Aug 21 14:58:33 2015 daemon.info dnsmasq[13972]: forwarded msecnd.net to 193.231.252.1
Fri Aug 21 14:58:33 2015 daemon.info dnsmasq[13972]: forwarded msecnd.net to 213.154.124.1
Fri Aug 21 14:58:33 2015 daemon.info dnsmasq[13972]: forwarded msecnd.net to 193.231.252.1
Fri Aug 21 14:58:33 2015 daemon.info dnsmasq[13972]: forwarded msecnd.net to 213.154.124.1
Fri Aug 21 14:58:33 2015 daemon.info dnsmasq[13972]: query[A] msecnd.net from 192.168.1.1
Fri Aug 21 14:58:33 2015 daemon.info dnsmasq[13972]: /tmp/hosts/dhcp msecnd.net is 0.0.0.0
Fri Aug 21 14:58:33 2015 daemon.info dnsmasq[13972]: query[PTR] 0.0.0.0.in-addr.arpa from 192.168.1.1
Fri Aug 21 14:58:33 2015 daemon.info dnsmasq[13972]: /tmp/hosts/dhcp 0.0.0.0 is msecnd.net

So, my resolver still asks its forwarders but returns my overriden domain (for ipv4). The same thing happens for vo.msecnd.net.

For az307127.vo.msecnd.net this happens:

Code: Select all

Fri Aug 21 14:59:19 2015 daemon.info dnsmasq[13972]: query[AAAA] az307127.vo.msecnd.net from 192.168.1.1
Fri Aug 21 14:59:19 2015 daemon.info dnsmasq[13972]: forwarded az307127.vo.msecnd.net to 193.231.252.1
Fri Aug 21 14:59:19 2015 daemon.info dnsmasq[13972]: forwarded az307127.vo.msecnd.net to 213.154.124.1
Fri Aug 21 14:59:19 2015 daemon.info dnsmasq[13972]: forwarded az307127.vo.msecnd.net to 193.231.252.1
Fri Aug 21 14:59:19 2015 daemon.info dnsmasq[13972]: forwarded az307127.vo.msecnd.net to 213.154.124.1
Fri Aug 21 14:59:19 2015 daemon.info dnsmasq[13972]: reply az307127.vo.msecnd.net is <CNAME>
Fri Aug 21 14:59:19 2015 daemon.info dnsmasq[13972]: reply cs1.wpc.v0cdn.net is 2606:2800:133:206e:1315:22a5:2006:24fd
Fri Aug 21 14:59:19 2015 daemon.info dnsmasq[13972]: query[AAAA] cs1.wpc.v0cdn.net from 192.168.1.1
Fri Aug 21 14:59:19 2015 daemon.info dnsmasq[13972]: cached cs1.wpc.v0cdn.net is 2606:2800:133:206e:1315:22a5:2006:24fd
Fri Aug 21 14:59:19 2015 daemon.info dnsmasq[13972]: query[A] az307127.vo.msecnd.net from 192.168.1.1
Fri Aug 21 14:59:19 2015 daemon.info dnsmasq[13972]: cached az307127.vo.msecnd.net is <CNAME>
Fri Aug 21 14:59:19 2015 daemon.info dnsmasq[13972]: forwarded az307127.vo.msecnd.net to 193.231.252.1
Fri Aug 21 14:59:19 2015 daemon.info dnsmasq[13972]: reply az307127.vo.msecnd.net is <CNAME>
Fri Aug 21 14:59:19 2015 daemon.info dnsmasq[13972]: reply cs1.wpc.v0cdn.net is 68.232.34.200
Fri Aug 21 14:59:19 2015 daemon.info dnsmasq[13972]: query[PTR] d.f.4.2.6.0.0.2.5.a.2.2.5.1.3.1.e.6.0.2.3.3.1.0.0.0.8.2.6.0.6.2.ip6.arpa from 192.168.1.1
Fri Aug 21 14:59:19 2015 daemon.info dnsmasq[13972]: forwarded d.f.4.2.6.0.0.2.5.a.2.2.5.1.3.1.e.6.0.2.3.3.1.0.0.0.8.2.6.0.6.2.ip6.arpa to 193.231.252.1
Fri Aug 21 14:59:19 2015 daemon.info dnsmasq[13972]: forwarded d.f.4.2.6.0.0.2.5.a.2.2.5.1.3.1.e.6.0.2.3.3.1.0.0.0.8.2.6.0.6.2.ip6.arpa to 213.154.124.1
Fri Aug 21 14:59:19 2015 daemon.info dnsmasq[13972]: forwarded d.f.4.2.6.0.0.2.5.a.2.2.5.1.3.1.e.6.0.2.3.3.1.0.0.0.8.2.6.0.6.2.ip6.arpa to 193.231.252.1
Fri Aug 21 14:59:19 2015 daemon.info dnsmasq[13972]: forwarded d.f.4.2.6.0.0.2.5.a.2.2.5.1.3.1.e.6.0.2.3.3.1.0.0.0.8.2.6.0.6.2.ip6.arpa to 213.154.124.1
Fri Aug 21 14:59:19 2015 daemon.info dnsmasq[13972]: forwarded d.f.4.2.6.0.0.2.5.a.2.2.5.1.3.1.e.6.0.2.3.3.1.0.0.0.8.2.6.0.6.2.ip6.arpa to 193.231.252.1

So again, the query is forwarded to upstreams.

So, I kept reading the manual of dnsmasq (http://www.thekelleys.org.uk/dnsmasq/do ... q-man.html) and found this nifty option:

-S, --local, --server=[/[<domain>]/[domain/]][<ipaddr>[#<port>][@<source-ip>|<interface>[#<port>]]
Specify IP address of upstream servers directly. Setting this flag does not suppress reading of /etc/resolv.conf, use -R to do that. If one or more optional domains are given, that server is used only for those domains and they are queried only using the specified server. This is intended for private nameservers: if you have a nameserver on your network which deals with names of the form xxx.internal.thekelleys.org.uk at 192.168.1.1 then giving the flag -S /internal.thekelleys.org.uk/192.168.1.1 will send all queries for internal machines to that nameserver, everything else will go to the servers in /etc/resolv.conf. An empty domain specification, // has the special meaning of "unqualified names only" ie names without any dots in them. A non-standard port may be specified as part of the IP address using a # character. More than one -S flag is allowed, with repeated domain or ipaddr parts as required.

This corresponds to the "DNS forwardings" setting in OpenWRT's DNS and DHCP config. With this setting the results are promising:

Code: Select all

root@arcturus:~# time nslookup msecnd.net 192.168.1.1
Server:    192.168.1.1
Address 1: 192.168.1.1 arcturus.lan

nslookup: can't resolve 'msecnd.net': Name or service not known
Command exited with non-zero status 1
real	0m 40.04s
user	0m 0.00s
sys	0m 0.00s
root@arcturus:~# time nslookup vo.msecnd.net 192.168.1.1
Server:    192.168.1.1
Address 1: 192.168.1.1 arcturus.lan

nslookup: can't resolve 'vo.msecnd.net': Name or service not known
Command exited with non-zero status 1
real	0m 40.05s
user	0m 0.00s
sys	0m 0.01s
root@arcturus:~# time nslookup az307127.vo.msecnd.net 192.168.1.1
Server:    192.168.1.1
Address 1: 192.168.1.1 arcturus.lan

nslookup: can't resolve 'az307127.vo.msecnd.net': Name or service not known
Command exited with non-zero status 1
real	0m 40.04s
user	0m 0.00s
sys	0m 0.00s

And the log shows the queries are forwarded to a fake DNS server:

Code: Select all

Fri Aug 21 15:15:23 2015 daemon.info dnsmasq[14405]: query[A] az307127.vo.msecnd.net from 192.168.1.1
Fri Aug 21 15:15:23 2015 daemon.info dnsmasq[14405]: forwarded az307127.vo.msecnd.net to 10.0.0.10

So, for reference (@sectroyer: can we add this to a wiki page, separated by router firmware?), users with OpenWRT need to do the following to disable network updates:

/etc/config/dhcp:

Code: Select all

config dnsmasq
   ...
   list server '/msecnd.net/10.0.0.10'
   list server '/samsungotn.net/10.0.0.10'

Here's how it looks from the webend (LUCI):

Note! The server you forward the queries to has to be different than 127.0.0.1, otherwise you end up in a loop and overwhelm your router's DNS/CPU! Pick a private IP that you can't reach and you should be fine (or a reachable IP without a DNS server).

Results:

Code: Select all

root@arcturus:~# time nslookup samsungotn.net 192.168.1.1
Server:    192.168.1.1
Address 1: 192.168.1.1 arcturus.lan

nslookup: can't resolve 'samsungotn.net': Name or service not known
Command exited with non-zero status 1
real	0m 40.04s
user	0m 0.00s
sys	0m 0.00s
root@arcturus:~# time nslookup test.samsungotn.net 192.168.1.1
Server:    192.168.1.1
Address 1: 192.168.1.1 arcturus.lan

nslookup: can't resolve 'test.samsungotn.net': Name or service not known
Command exited with non-zero status 1
real	0m 40.04s
user	0m 0.00s
sys	0m 0.00s
root@arcturus:~# time nslookup www.samsungotn.net 192.168.1.1
Server:    192.168.1.1
Address 1: 192.168.1.1 arcturus.lan

nslookup: can't resolve 'www.samsungotn.net': Name or service not known
Command exited with non-zero status 1
real	0m 40.04s
user	0m 0.00s
sys	0m 0.01s

So, I'd say the issue is fixed for me as well... Yay!

Posted: **Fri Aug 21, 2015 8:54 pm**

Even if I don't need to block servers (with my older TV) it looks like that blocking
msecnd.net
samsungotn.net
will prevent the browser (on my TV) from working... No connection...

Sure - Root and no updates are faar more important.

Only what to say this for the records.

Posted: **Fri Aug 21, 2015 9:05 pm**

After blocking the adresses in my Router, my Webbrowser still works for me. "It looks like" means you are not 100% sure? Remove them from list and try if it's working without. (BTW. My TV is ES-Series)

Posted: **Fri Aug 21, 2015 10:12 pm**

I have similar behavior of web browser, and already had it before blocking msecnd.net, but it seems to be random: sometimes work, sometimes not (ERROR_EXE_some_number). The same goes for "Samsung Apps", I'm even not sure it's related to any URL blocking. Anyway, somebody using TV web browser must have time to waste

Posted: **Fri Aug 21, 2015 11:12 pm**

If you have a keyboard its ok for a little surfing.

Well it's the H Series thread. I have no problems with ES. Still would be interesting to collect your information to enclose the situation for devices and settings. Additionally OTN disabled?

Posted: **Fri Aug 21, 2015 11:30 pm**

mehmethan wrote:If you have a keyboard its ok for a little surfing.

I have a keyboard, but it's not plugged to TV

mehmethan wrote:Still would be interesting to collect your information to enclose the situation for devices and settings.

Still found nothing consistent, I just know that everytime I need browser (=when I loose root and use Test2 widget to recover) it works, and everytime I don't need it it doesn't

mehmethan wrote:Additionally OTN disabled?

It was, but not anymore since my downgrade/upgrade success. I didn't notice any difference...

Posted: **Sat Aug 22, 2015 8:32 pm**

Small update: with dns blocking as described in my last post I ran a software update check from the menu. It reports back (immediately) that no new updates are available. I guess that's ok, right?

My TV is H6400 running 2602. Also, the web browser works correctly with the domains blocked.

SamyGO

Rooting LATEST H firmware [discuss]

Re: [!!!] Rooting LATEST H firmware

Re: [!!!] Rooting LATEST H firmware

Re: [!!!] Rooting LATEST H firmware

Re: [!!!] Rooting LATEST H firmware

Re: [!!!] Rooting LATEST H firmware

Re: [!!!] Rooting LATEST H firmware

Re: [!!!] Rooting LATEST H firmware

Re: [!!!] Rooting LATEST H firmware

Re: [!!!] Rooting LATEST H firmware

Re: [!!!] Rooting LATEST H firmware