.onion failed DNS queries? Security related?

(Topic created on: 6 hours ago)
44 Views
InquiringMinds666
First Poster

Recently, I noticed failed DNS queries in my network router's system log. They always follow a device belonging to a particular family member, and I've read that it may be security related, while in other places it's claimed to be guaranteed Tor browsing activity. If it is a Tor app or browser, would this not be a massive failure if the purpose is privacy?

So this brings me here... Is this a known security measure used to test the security of a Wi-Fi connection? It occurs almost every time this person connects. It initially came from their work device and now from their newly purchased personal device. There is always a spoofed IP address that is attempted around the same time, which has been identified as a **bleep**-to-**bleep** video conferencing app like WhatsApp according to information from Wireshark.

A couple of these may be normal and unrelated (the Samsung TV one, for example), but the .onion and spoofed IP have come up frequently and only after this person connects. It has also happened on another family member's phone when it was accidentally left behind... I think the IP has changed occasionally. These are the sequences that raise red flags, according to AI in a "security context":

*google.com

google.com.onion

216.58.202.4.in-addr.arpa

_dns.resolver.arpa

xmpp-client.tcp.scs.samsungqbe.com

scpopenapi.samsungcloud.tv

AI's interpretation of the query data:

- *google.com: Wildcard query — often used by privacy tools or misconfigured apps.

- google.com.onion: A Tor-specific domain — Google doesn’t operate a .onion site. (This is the confusing part and was also identified by AI as a purposely used DNS query as a part of Samsung's security).

- 216.58.202.4.in-addr.arpa: Reverse DNS lookup for a Google IP — common in anonymizer traffic.

- _dns.resolver.arpa: Internal DNS service query — may indicate custom DNS behavior.

- xmpp-client.tcp.scs.samsungqbe.com: Samsung messaging or sync service — could be legitimate or misfiring.

- scpopenapi.samsungcloud.tv: Samsung Cloud API — may be part of device sync, but repeated failures are suspicious.

4 REPLIES 4
Reylob
Samsung Members Star ★

Hi @InquiringMinds666 

Welcome to the Samsung community forum.

 

Please note that this is a forum for Samsung devices' customers. If you have a problem with DNS or a router, you should raise the issue with the router manufacturer, support, forum or Internet provider.

 

Failed DNS queries could be due to multiple reasons: your IT provider, your router, bogus domains, etc. All of them have nothing to do with the client. Your router provides the DNS service to your devices, and it gets it from your IT provider, unless it has been modified to use a different one.


Technology enthusiast, but not related to any technological company.
0 Likes
InquiringMinds666
First Poster

I am a Samsung customer and it's unlikely to be the router that is the issue, in this case. The failure of the DNS is not the concern, but what is being accessed that is leading to failures on the network. The router is not the only reason a DNS query will fail; for example, applications or services can intentionally generate bogus queries, such as VPN usage, Samsung privacy and security services (a possibility), misconfigured applications on a device, other privacy tools (Tor), or custom DNS settings on a device.

Regardless, my inquiry is if it is truly a component of Samsung's privacy and security measures for certain Samsung smartphones. However, I appreciate your response.

0 Likes
Reylob
Samsung Members Star ★

I did not suggest for a second that you were not a Samsung customer. I tried to convey that users on the forum might be able to help with your Samsung device, which I clearly failed to do. So, I do apologise for not being clear enough. Your query seemed a network-orientated one.

 

Whenever a client (phone/laptop/device) needs to talk to a server (LAN/WAN), it queries the immediate DNS server for the domain. That would be the router in most typical cases. If the immediate DNS server does not have the information, it will query its own upstream server, typically the ISP's. This can be configured to use other DNS providers, e.g. Google.

 

If you are using a VPN service, then it will modify the network configuration on the client (this could include the router, if the VPN is installed on the router) to follow the VPN's own DHCP, DNS, etc., but the principle is the same. The DNS server does not have the information for a particular domain and fails to find the server. Any custom configuration would follow the same principle.

 

The failure of the network is not caused by the accessed services, but by the configuration made to it. However, if person A has a VPN service on their device, it should not affect any other device on the LAN. If you are the admin of the router, you could block certain IP ranges, devices (MAC addresses), etc.

 

There is no reason to be concerned if the router's log shows failed DNS queries, unless you want to access those services. It could well be that the device generating all the bogus domain names is compromised. It might have a virus or a malicious app.


Technology enthusiast, but not related to any technological company.
arianwen27
Maestro
Seems like a bug somewhere. I say that as "google.com.onion" isn't a valid Tor address, meaning there's no possible way it could ever be real or visited.

A real Tor address would be considerably longer.

I doubt it's anything Samsung is doing. Might be an app, might be logging going wrong. Whatever the case, the website is impossible to even exist, so I don't think there's any ill intent.
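As an added defender-side example, not code posted by anyone in this thread: a small Python triage script that labels the query names quoted above and checks whether a leaked .onion name is even a well-formed v3 address (56 base32 characters carrying a checksum, which is why "google.com.onion" can never resolve). The log lines and the "client qname" layout are constructed for the example, not any router's real format.

```python
import base64
import hashlib
import re

# RFC 7686 reserves .onion: a resolver should never see it. A .onion name in a
# router's failed-query log therefore means some app leaked it to ordinary DNS,
# which is exactly the privacy failure the original question worries about.
ONION_V3_RE = re.compile(r"^([a-z2-7]{56})\.onion$")

def onion_v3_checksum(pubkey: bytes) -> bytes:
    # Per the Tor rendezvous spec: SHA3-256(".onion checksum" | PUBKEY | 0x03)[:2]
    return hashlib.sha3_256(b".onion checksum" + pubkey + b"\x03").digest()[:2]

def make_onion_v3(pubkey: bytes) -> str:
    """Encode a 32-byte ed25519 public key as a v3 onion name (used here for self-checks)."""
    raw = pubkey + onion_v3_checksum(pubkey) + b"\x03"
    return base64.b32encode(raw).decode().lower() + ".onion"

def is_valid_onion_v3(name: str) -> bool:
    """True only for a well-formed v3 address: 56 base32 chars, version byte 3, checksum ok."""
    m = ONION_V3_RE.match(name.lower())
    if not m:
        return False
    raw = base64.b32decode(m.group(1).upper())  # 35 bytes: 32 key + 2 checksum + 1 version
    return raw[34] == 3 and raw[32:34] == onion_v3_checksum(raw[:32])

def classify(qname: str) -> str:
    """Label one query name the way a defender triaging a router log would."""
    q = qname.rstrip(".").lower()
    if q.endswith(".onion"):
        return "onion-leak:valid-v3" if is_valid_onion_v3(q) else "onion-leak:malformed"
    if q.endswith(".in-addr.arpa"):
        # PTR names list the octets in reverse order: 4.202.58.216 -> 216.58.202.4
        ip = ".".join(reversed(q[: -len(".in-addr.arpa")].split(".")))
        return f"reverse-lookup:{ip}"
    if q == "_dns.resolver.arpa":
        return "resolver-discovery"  # DDR probe (RFC 9462), sent by many recent OSes
    if q.startswith("*"):
        return "wildcard"
    return "ordinary"

# Constructed sample log in a made-up "client qname" layout.
SAMPLE_LOG = """192.168.1.23 *google.com
192.168.1.23 google.com.onion
192.168.1.23 4.202.58.216.in-addr.arpa
192.168.1.23 _dns.resolver.arpa
192.168.1.40 scpopenapi.samsungcloud.tv"""

def triage(log: str) -> dict:
    return {line.split()[1]: classify(line.split()[1]) for line in log.splitlines()}
```

Only the .onion hits warrant follow-up on the leaking device; the reverse lookup and resolver-discovery probe are routine OS behaviour.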