.onion failed DNS queries? Security related?

(Topic created on: 3 weeks ago)
262 Views
InquiringMinds666
Journeyman

Recently, I noticed failed DNS queries in my network router's system log. They always follow a device belonging to a particular family member, and I've read that it may be security related, while in other places it's claimed to be a guaranteed sign of Tor browsing activity. If it is a Tor app or browser, would this not be a massive failure if the purpose is privacy?

So this brings me here... Is this a known security measure used to test the security of a wifi connection? It occurs almost every time this person connects. It initially came from their work device and now from their newly purchased personal device. There is always a spoofed IP address that is attempted around the same time, which has been identified as a **bleep**-to-**bleep** video conferencing app like WhatsApp according to information from Wireshark.

A couple of these may be normal and unrelated (the Samsung TV one, for example), but the onion and spoofed IP have come up frequently and only after this person connects. It has also happened on another family member's phone when it was accidentally left behind... I think the IP has changed occasionally. These are the sequences that raise red flags, according to AI in a "security context":

*google.com

google.com.onion

216.58.202.4.in-addr.arpa

_dns.resolver.arpa

xmpp-client.tcp.scs.samsungqbe.com

scpopenapi.samsungcloud.tv

AI's interpretation of the query data:

- *google.com: Wildcard query — often used by privacy tools or misconfigured apps.

- google.com.onion: A Tor-specific domain — Google doesn’t operate a .onion site. (This is the confusing part and was also identified by AI as a purposely used DNS query as a part of Samsung's security).

- 216.58.202.4.in-addr.arpa: Reverse DNS lookup for a Google IP — common in anonymizer traffic.

- _dns.resolver.arpa: Internal DNS service query — may indicate custom DNS behavior.

- xmpp-client.tcp.scs.samsungqbe.com: Samsung messaging or sync service — could be legitimate or misfiring.

- scpopenapi.samsungcloud.tv: Samsung Cloud API — may be part of device sync, but repeated failures are suspicious.

Reylob
Samsung Members Star ★★

Hi @InquiringMinds666 

Welcome to the Samsung community forum.

 

Please note that this is a forum for Samsung device customers. If you have a problem with DNS or your router, you should raise the issue with the router manufacturer, their support or forum, or your Internet provider.

 

Failed DNS queries could be due to multiple reasons: your IT provider, your router, bogus domains, etc. None of them has anything to do with the client. Your router provides DNS service to your devices, and it gets it from your IT provider, unless it has been modified to use a different one.


Technology enthusiast, but not related to any technological company.
0 Likes
InquiringMinds666
Journeyman

I am a Samsung customer, and it's unlikely that the router is the issue in this case. The failure of the DNS is not the concern, but what is being accessed that is leading to failures on the network. The router is not the only reason a DNS query will fail; for example, an application or service may intentionally generate bogus queries, such as VPN usage, Samsung privacy and security services (a possibility), misconfigured applications on a device, other privacy tools (Tor), or custom DNS settings on a device.

Regardless, my inquiry is if it is truly a component of Samsung's privacy and security measures for certain Samsung smartphones. However, I appreciate your response.

0 Likes
Reylob
Samsung Members Star ★★

I did not suggest for a second that you were not a Samsung customer. I tried to convey that users on the forum might be able to help with your Samsung device, which I clearly failed to do. So, I do apologise for not being clear enough. Your query seemed a network-orientated one.

 

Whenever a client (phone/laptop/device) needs to talk to a server (LAN/WAN); it queries the immediate DNS server for the domain. That would be the router on most typical cases. If the immediate DNS server does not have the information, it will query its server, typically the ISP. This can be configured to use other DNS providers, e.g. Google.

 

If you are using a VPN service, then it will modify the network configuration on the client (this could include the router, if VPN is installed on the router) to follow the VPN’s own DHCP, DNS, etc, but the principle is the same. The DNS server does not have the information for a particular domain and fails to find the server. Any custom configuration would follow the same principle.

 

The failure of the network is not caused by the accessed services, but by the configuration made to it. However, if person A has a VPN service on their device, it should not affect any other device on the LAN. If you are the admin of the router, you could block certain IP ranges, devices (MAC addresses), etc.

 

There is no reason to be concern if the router’s log shows failed DNS queries, unless you want to access those services. It could well be that the device generating all the bogus domain names is compromised. It might have a virus or malicious app.


Technology enthusiast, but not related to any technological company.
arianwen27
Samsung Members Star ★
Seems like a bug somewhere. I say that as "google.com.onion" isn't a valid Tor address, meaning there's no possible way it could ever be real or visited.

A real Tor address would be considerably longer.

I doubt it's anything Samsung is doing. Might be an app, might be logging going wrong. Whatever the case, the website is impossible to even exist, so I don't think there's any ill intent.
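The two observations above (the list of failed names in the opening post, and the point that "google.com.onion" cannot be a real Tor address) can both be checked mechanically. The following is an added example written for this thread; it is not code from the forum, from Samsung, or from Tor. It parses a constructed router log whose format, timestamps and device addresses are invented for the example, and for each failed name says why it is or is not noteworthy. Two facts it relies on: `.onion` is a special-use domain (RFC 7686) that Tor-aware software resolves inside Tor and never sends to a normal resolver, so a well-formed `.onion` name in a router log is a leak rather than a successful Tor connection; and `_dns.resolver.arpa` is the name clients query to discover an encrypted-DNS upgrade (RFC 9462), which an ordinary plain resolver answers with NXDOMAIN. The v3 `.onion` check implements the published format (56 base32 characters encoding a 32-byte key, a 2-byte SHA3-256 checksum and the version byte 3), which is why a real address is "considerably longer" than `google.com.onion`.

```python
import base64
import hashlib
import re

# Constructed sample log, modelled on the names quoted in the opening post.
# The column layout, timestamps and client IPs are invented for this example.
SAMPLE_LOG = """\
2024-05-01 21:04:11 192.168.1.23 NXDOMAIN *google.com
2024-05-01 21:04:11 192.168.1.23 NXDOMAIN google.com.onion
2024-05-01 21:04:12 192.168.1.23 NXDOMAIN 216.58.202.4.in-addr.arpa
2024-05-01 21:04:12 192.168.1.23 NXDOMAIN _dns.resolver.arpa
2024-05-01 21:04:15 192.168.1.40 NXDOMAIN xmpp-client.tcp.scs.samsungqbe.com
2024-05-01 21:04:15 192.168.1.40 NXDOMAIN scpopenapi.samsungcloud.tv
"""

# Tor v3 address: 56 lowercase base32 chars (a-z, 2-7) followed by ".onion".
ONION_V3_RE = re.compile(r"^[a-z2-7]{56}\.onion$")
ONION_VERSION = b"\x03"


def _onion_checksum(pubkey: bytes) -> bytes:
    """CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2]."""
    return hashlib.sha3_256(b".onion checksum" + pubkey + ONION_VERSION).digest()[:2]


def is_valid_v3_onion(name: str) -> bool:
    """True only if name is a structurally valid Tor v3 onion address."""
    name = name.lower().rstrip(".")
    if not ONION_V3_RE.match(name):
        return False
    raw = base64.b32decode(name[:-len(".onion")].upper())  # 35 bytes, no padding
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    return version == ONION_VERSION and checksum == _onion_checksum(pubkey)


def make_v3_onion(pubkey: bytes) -> str:
    """Build a well-formed v3 address from a 32-byte ed25519 public key
    (used here only to produce a realistic test value)."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    raw = pubkey + _onion_checksum(pubkey) + ONION_VERSION
    return base64.b32encode(raw).decode().lower() + ".onion"


EXPLANATIONS = {
    "malformed": "contains characters that cannot appear in a hostname; "
                 "a logging artifact or a broken app, not a reachable site",
    "onion-leak": "well-formed Tor v3 address sent to the clear-text resolver; "
                  "Tor resolves these internally (RFC 7686), so this is a leak",
    "onion-bogus": ".onion suffix on a name that is not a Tor address; "
                   "cannot exist, so nothing was reached",
    "reverse-lookup": "PTR query for an IP address (in-addr.arpa/ip6.arpa); routine",
    "ddr-probe": "client asking for an encrypted-DNS upgrade (RFC 9462); "
                 "NXDOMAIN is the normal answer from a plain resolver",
    "service-discovery": "SRV/DNS-SD style name; failure means the service "
                         "is not published, nothing more",
    "ordinary": "plain hostname that did not resolve",
}


def classify_name(qname: str) -> str:
    """Return the EXPLANATIONS tag that applies to a failed query name."""
    q = qname.lower().rstrip(".")
    if not re.fullmatch(r"[a-z0-9_.-]+", q):
        return "malformed"
    if q.endswith(".onion"):
        return "onion-leak" if is_valid_v3_onion(q) else "onion-bogus"
    if q.endswith(".in-addr.arpa") or q.endswith(".ip6.arpa"):
        return "reverse-lookup"
    if q == "_dns.resolver.arpa":
        return "ddr-probe"
    # Proper SRV names look like _xmpp-client._tcp.example; some logs drop the
    # underscores, so also match the bare ".tcp."/".udp." shape seen in the post.
    if q.startswith("_") or ".tcp." in q or ".udp." in q:
        return "service-discovery"
    return "ordinary"


def triage(log_text: str) -> list:
    """Return (client_ip, qname, tag, explanation) for each failed query."""
    results = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[3] != "NXDOMAIN":
            continue  # only failed lookups are of interest here
        tag = classify_name(parts[4])
        results.append((parts[2], parts[4], tag, EXPLANATIONS[tag]))
    return results


if __name__ == "__main__":
    for ip, qname, tag, why in triage(SAMPLE_LOG):
        print(f"{ip:15} {qname:40} {tag:18} {why}")
```

Run against the sample, every line in the opening post comes out as either routine (reverse lookup, DDR probe, service discovery, plain miss) or impossible (`*google.com`, `google.com.onion`); only a name that passes `is_valid_v3_onion` would be tagged as a Tor leak, and none in the post does.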
InquiringMinds666
Journeyman
I understand, and I think there may have been some miscommunication — I wasn’t frustrated by your response, though I can see how it might have come across that way. My concern is less about malware affecting my device directly, and more about the possibility that someone’s device — if compromised — could expose sensitive information that overlaps with mine, such as shared banking credentials or linked accounts. From what I’ve read, the DNS failures I’m seeing may be caused by a misconfigured Tor or privacy-focused application designed to obscure browsing activity, which would align with the kind of tools this person might be using based on activity they are hoping to hide. That said, I’ve also come across conflicting information suggesting that Samsung’s security apps might intentionally query inactive or non-existent domains — and that the .onion or Tor-related domains could somehow be part of that diagnostic process. That doesn’t quite make sense to me. So I'm questioning if past activity on their device — including visits to risky websites hidden by use of privacy tools — have led to malware that’s now triggering both failed DNS queries and successful domain access? And if so, could that pose a risk to shared financial or personal data? I will contact my network provider for their take of course, but this is my thought process and it may have been unclear.
InquiringMinds666
Journeyman

See, that's why I thought maybe it's not their intention, but my concern was that they may be accessing websites associated with malware that could impact shared personal information, and that it may be a Tor application associated with the misconfigurations. However, you've raised a valid point, and their past activity has maybe already led to a bug?

I'm wondering, if their last phone was infected, would transferring data to a new phone also transfer the bug? I imagine so, and this is why it may have impacted more than one phone. I do find it confusing that it's only appeared on the other family member's phone once and not again since the person in question accessed it. This is why I'm under the impression that it may be a Tor application and that misconfigurations used by Tor apps have led to failed DNS queries, which defeats the purpose of anonymity. I thought it would be less likely for a regular application to be attempting to access misconfigured onion domains. I understand that these things can happen, but felt that the possibility would be higher if it's an app attempting to access other onion domains. I did read that Tor addresses are typically longer, so I'm probably worrying unnecessarily and it is just really bad timing that I've come across these after past issues. While I'm technologically inclined, I am not a tech genius by any means, but this person is not tech-savvy and has made decisions online that they do not fully understand, which may lead to problems.

0 Likes
Reylob
Samsung Members Star ★★

DNS failures are nothing to worry about. It is just that a client tries to access a domain which is unknown to the DNS server. You could replicate one by simply opening the browser and typing https://a-non-existing-domain.org. Any query for any domain is passed to the DNS server to translate the domain into IP and if the domain is not on its list, it fails to find the host. Most malicious software would search for IP ranges rather than domains.

 

If they are using those tools (Tor, VPN) on their device, there is very little chance that the information on your device might be compromised. On the other hand, if the service/tool is installed on the router, then all LAN devices are at risk.

 

If their device is compromised by a virus or a malicious app, then all LAN devices are at risk. A malicious app could scan the LAN for other devices.

 

I do not understand "shared banking credentials or linked accounts". Even if you have a joint bank account, they will not be able to log in to your Internet banking unless they have your login details. Connections to the most important sites are encrypted and, unless your device has been compromised, it is unlikely that they will expose those details. However, if their device has a malicious app and you have some of that information in plain text, there is a potential risk. Please note that there are many IFs.

 

I am assuming that you have admin rights on the router. One thing that you could do, if the router allows it, is to create a guest network. They would connect to the guest network, and you could connect to the main network. Usually, the traffic is separated between the main and guest networks.

 

I do not think Samsung devices would be searching for random websites; if that were the case, it would be happening to most of us.


Technology enthusiast, but not related to any technological company.
0 Likes
arianwen27
Samsung Members Star ★
Worst case scenario, it's a single app contacting something sketchy. True phone malware doesn't really exist anymore, especially on S series devices.

To explain, Android is so locked down and secure that actually trying to infect the phone itself is not worth doing to some random person. It'd only happen to a CEO or political person. As long as Play Protect is on and device protection is enabled in Device Care, I wouldn't worry too much. Oh, and weekly reboots help.

Just have a look for any apps you might not need and delete them.

Plus, as you said, a Tor connection would never hit your DNS anyway.

There's a chance it might have even been an advert that loaded on your phone. They have some power to load things, or try to load things.
InquiringMinds666
Journeyman

Okay, this was so helpful. Thank you!

0 Likes