3 weeks ago
Recently, I noticed failed DNS queries in my network router's system log. They always follow a device belonging to a particular family member, and I've read that it may be security related, while in other places it's claimed to be a guaranteed sign of Tor browsing activity. If it is a Tor app or browser, would this not be a massive failure if the purpose is privacy?
So this brings me here... Is this a known security measure used to test the security of a wifi connection? It occurs almost every time this person connects. It initially came from their work device and now from their newly purchased personal device. There is always a spoofed IP address that is attempted around the same time, which has been identified as a **bleep**-to-**bleep** video conferencing app like WhatsApp according to information from Wireshark.
A couple of these may be normal and unrelated (the Samsung TV one, for example), but the onion and spoofed IP have come up frequently and only after this person connects. It has also happened on another family member's phone when it was accidentally left behind... I think the IP has changed occasionally. These are the sequences that raise red flags, according to AI in a "security context":
*google.com
google.com.onion
216.58.202.4.in-addr.arpa
_dns.resolver.arpa
xmpp-client.tcp.scs.samsungqbe.com
scpopenapi.samsungcloud.tv
AI's interpretation of the query data:
- *google.com: Wildcard query — often used by privacy tools or misconfigured apps.
- google.com.onion: A Tor-specific domain — Google doesn’t operate a .onion site. (This is the confusing part and was also identified by AI as a purposely used DNS query as a part of Samsung's security).
- 216.58.202.4.in-addr.arpa: Reverse DNS lookup for a Google IP — common in anonymizer traffic.
- _dns.resolver.arpa: Internal DNS service query — may indicate custom DNS behavior.
- xmpp-client.tcp.scs.samsungqbe.com: Samsung messaging or sync service — could be legitimate or misfiring.
- scpopenapi.samsungcloud.tv: Samsung Cloud API — may be part of device sync, but repeated failures are suspicious.
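Added example (not from the thread): a small Python classifier that runs over constructed log lines (the key=value format and MAC addresses are invented here, real router logs differ) carrying the query names quoted above, groups them per client device and separates the one category worth following up, a `.onion` name reaching DNS at all (RFC 7686 reserves `.onion` and Tor resolves such names internally, so a resolver should never see one), from routine failures such as the RFC 9462 `_dns.resolver.arpa` resolver-discovery probe that modern phones send and reverse lookups of IPs without PTR records.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log in a simplified "key=value" format; real router logs differ.
# The query names are the ones quoted in the post above.
SAMPLE_LOG = """\
2024-05-01T20:14:01 client=aa:bb:cc:dd:ee:01 query=*google.com status=FAIL
2024-05-01T20:14:02 client=aa:bb:cc:dd:ee:01 query=google.com.onion status=FAIL
2024-05-01T20:14:02 client=aa:bb:cc:dd:ee:01 query=216.58.202.4.in-addr.arpa status=FAIL
2024-05-01T20:14:03 client=aa:bb:cc:dd:ee:01 query=_dns.resolver.arpa status=FAIL
2024-05-01T20:15:10 client=aa:bb:cc:dd:ee:02 query=xmpp-client.tcp.scs.samsungqbe.com status=FAIL
2024-05-01T20:15:11 client=aa:bb:cc:dd:ee:02 query=scpopenapi.samsungcloud.tv status=FAIL
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) query=(?P<query>\S+) status=(?P<status>\S+)$")

def classify_query(name):
    """Map one queried name to a coarse category a defender can triage on."""
    n = name.rstrip(".").lower()
    if "*" in n or not re.fullmatch(r"[a-z0-9_.-]+", n):
        return "malformed"           # '*' is not a legal label character; typical of a misconfigured app
    if n.endswith(".onion"):
        return "onion-leak"          # RFC 7686: .onion names must never reach DNS; Tor resolves them itself
    if n == "_dns.resolver.arpa":
        return "resolver-discovery"  # RFC 9462 (DDR) probe for an encrypted-DNS resolver; routine on phones
    if n.endswith(".in-addr.arpa") or n.endswith(".ip6.arpa"):
        return "reverse-lookup"      # PTR lookup of an IP; fails whenever that IP has no PTR record
    return "ordinary"

def summarize(log_text):
    """Return {client: Counter(category -> count)} for failed queries only."""
    per_client = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["status"] != "FAIL":
            continue
        per_client[m["client"]][classify_query(m["query"])] += 1
    return dict(per_client)

def leaking_clients(log_text):
    """Clients that sent any .onion name to DNS: the one pattern that merits a closer look."""
    return sorted(c for c, counts in summarize(log_text).items() if counts["onion-leak"])

if __name__ == "__main__":
    for client, counts in summarize(SAMPLE_LOG).items():
        print(client, dict(counts))
    print("clients leaking .onion names:", leaking_clients(SAMPLE_LOG))
```

Everything in the sample except the `.onion` line is an ordinary failure; a device repeatedly sending `.onion` names to the router is either running a misconfigured app or is not resolving through Tor, which is the question the thread is asking.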
3 weeks ago
Welcome to the Samsung community forum.
Please note that this is a forum for customers of Samsung devices. If you have a problem with your DNS or router, you should raise the issue with the router manufacturer, support, forum or Internet provider.
Failed DNS queries could be due to multiple reasons: your IT provider, your router, bogus domains, etc. All of them have nothing to do with the client. Your router provides DNS service to your devices, and it gets it from your IT provider, unless it has been modified to use a different one.
3 weeks ago
I am a Samsung customer and it's unlikely to be the router that is the issue, in this case. The failure of the DNS is not the concern, but what is being accessed that is leading to failures on the network. The router is not the single reason a DNS query will fail; for example, an application or service may intentionally generate bogus queries, such as VPN usage, Samsung privacy and security services are a possibility, misconfigured applications on a device, other privacy tools (Tor), or custom DNS settings on a device.
Regardless, my inquiry is if it is truly a component of Samsung's privacy and security measures for certain Samsung smartphones. However, I appreciate your response.
3 weeks ago
I did not suggest for a second that you were not a Samsung customer. I tried to convey that users on the forum might be able to help with your Samsung device, which I clearly failed to do. So, I do apologise for not being clear enough. Your query seemed a network-orientated one.
Whenever a client (phone/laptop/device) needs to talk to a server (LAN/WAN), it queries the immediate DNS server for the domain. That would be the router in most typical cases. If the immediate DNS server does not have the information, it will query its server, typically the ISP. This can be configured to use other DNS providers, e.g. Google.
If you are using a VPN service, then it will modify the network configuration on the client (this could include the router, if the VPN is installed on the router) to follow the VPN's own DHCP, DNS, etc., but the principle is the same. The DNS server does not have the information for a particular domain and fails to find the server. Any custom configuration would follow the same principle.
The failure of the network is not caused by the accessed services, but by the configuration made to it. However, if person A has a VPN service on their device, it should not affect any other device on the LAN. If you are the admin of the router, you could block certain IP ranges, devices (MAC addresses), etc.
There is no reason to be concerned if the router's log shows failed DNS queries, unless you want to access those services. It could well be that the device generating all the bogus domain names is compromised. It might have a virus or malicious app.
3 weeks ago
See that's why I thought maybe it's not their intention, but my concern was that they may be accessing websites associated with malware that could impact shared personal information and that it may be a Tor application associated with the misconfigurations. However, you've raised a valid point and their past activity has maybe already led to a bug?
I'm wondering, if their last phone was infected, would transferring data to a new phone also transfer the bug? I imagine so, and this is why it may have impacted more than one phone. I do find it confusing that it's only appeared on the other family member's phone once and not again since the person in question accessed it. This is why I'm under the impression that it may be a Tor application and that misconfigurations used by Tor apps have led to failed DNS queries, which defeats the purpose of anonymity. I thought it would be less likely for a regular application to be attempting to access misconfigured onion domains. I understand that these things can happen, but felt that the possibility would be higher if it's an app attempting to access other onion domains. I did read that Tor addresses are typically longer, so I'm probably worrying unnecessarily and it is just really bad timing that I've come across these after past issues. While I'm technologically inclined, I am not a tech genius by any means, but this person is not tech-savvy and has made decisions online that they do not fully understand, which may lead to problems.
3 weeks ago
DNS failures are nothing to worry about. It is just that a client tries to access a domain which is unknown to the DNS server. You could replicate one by simply opening the browser and typing https://a-non-existing-domain.org. Any query for any domain is passed to the DNS server to translate the domain into an IP, and if the domain is not on its list, it fails to find the host. Most malicious software would search for IP ranges rather than domains.
If they are using those tools (Tor, VPN) on their device, there is very little chance that the information on your device might be compromised. On the other hand, if the service/tool is installed on the router, then all LAN devices are at risk.
If their device is compromised by a virus or a malicious app, then all LAN devices are at risk. A malicious app could scan the LAN for other devices.
I do not understand "shared banking credentials or linked accounts". Even if you have a joint bank account, they will not be able to log in to your Internet banking unless they have your login details. Connections to the most important sites are encrypted and, unless your device has been compromised, it is unlikely that they will expose those details. However, if their device has a malicious app and you have some of that information in plain text, there is a potential risk. Please note that there are many IFs.
I am assuming that you have admin rights on the router. One thing that you could do, if the router allows it, is to create a guest network. They will connect to the guest network, and you could connect to the main network. Usually, the traffic is separated between the main and guest networks.
I do not think Samsung devices will be searching for random websites; if that were the case, it would be happening to most of us.
3 weeks ago
Okay, this was so helpful. Thank you!