.onion failed DNS queries? Security related?

(Topic created on: 3 weeks ago)
InquiringMinds666
Journeyman

Recently, I noticed failed DNS queries in my network router's system log. They always follow a device belonging to a particular family member, and I've read that it may be security related; in other places it's claimed to be guaranteed Tor browsing activity. If it is a Tor app or browser, would this not be a massive failure if the purpose is privacy?

So this brings me here... Is this a known security measure used to test the security of a Wi-Fi connection? It occurs almost every time this person connects. It initially came from their work device and now from their newly purchased personal device. There is always a spoofed IP address that is attempted around the same time, which has been identified as a **bleep**-to-**bleep** video conferencing app like WhatsApp according to information from Wireshark.

A couple of these may be normal and unrelated (the Samsung TV one, for example), but the .onion and spoofed IP have come up frequently and only after this person connects. It has also happened on another family member's phone when it was accidentally left behind... I think the IP has changed occasionally. These are the sequences that raise red flags, according to AI in a "security context":

*google.com

google.com.onion

216.58.202.4.in-addr.arpa

_dns.resolver.arpa

xmpp-client.tcp.scs.samsungqbe.com

scpopenapi.samsungcloud.tv

AI's interpretation of the query data:

- *google.com: Wildcard query — often used by privacy tools or misconfigured apps.

- google.com.onion: A Tor-specific domain — Google doesn’t operate a .onion site. (This is the confusing part and was also identified by AI as a purposely used DNS query as a part of Samsung's security).

- 216.58.202.4.in-addr.arpa: Reverse DNS lookup for a Google IP — common in anonymizer traffic.

- _dns.resolver.arpa: Internal DNS service query — may indicate custom DNS behavior.

- xmpp-client.tcp.scs.samsungqbe.com: Samsung messaging or sync service — could be legitimate or misfiring.

- scpopenapi.samsungcloud.tv: Samsung Cloud API — may be part of device sync, but repeated failures are suspicious.
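As an added illustration for readers triaging a log like the one above (this is not code from the original post, the router, or Samsung), here is a small Python classifier that reads failed-query records and labels each query name by what kind of lookup it is, then groups the results per client device. Everything about the input is an assumption made for the example: the line format `<time> dns-fail <client> <qname>` and the sample lines are constructed; only the query names are the ones listed in the post. Two checks it encodes are worth knowing when reading such a log: `.onion` is a special-use domain (RFC 7686) that ordinary resolvers answer NXDOMAIN for, so a failed `.onion` query is the expected outcome rather than evidence of a connection; and `in-addr.arpa` names carry the IPv4 octets in reverse order, so the code reconstructs the address a PTR query actually asks about instead of reading the name left to right.

```python
"""Classify failed DNS query names pulled from a router log.

Added example for this thread. The log line format below is constructed
for illustration; it is not the format of any particular router.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log (hypothetical format: "<time> dns-fail <client> <qname>").
# The query names are the ones listed in the post above.
SAMPLE_LOG = """\
12:01:03 dns-fail aa:bb:cc:dd:ee:01 *google.com
12:01:03 dns-fail aa:bb:cc:dd:ee:01 google.com.onion
12:01:03 dns-fail aa:bb:cc:dd:ee:01 216.58.202.4.in-addr.arpa
12:01:04 dns-fail aa:bb:cc:dd:ee:01 _dns.resolver.arpa
12:01:09 dns-fail aa:bb:cc:dd:ee:02 xmpp-client.tcp.scs.samsungqbe.com
12:01:09 dns-fail aa:bb:cc:dd:ee:02 scpopenapi.samsungcloud.tv
"""

# Special-use suffixes that public DNS never resolves (RFC 6761, RFC 7686,
# RFC 8375); a failed query for one of these is the expected outcome.
SPECIAL_USE = ("onion", "local", "localhost", "invalid", "test", "example", "home.arpa")

LINE_RE = re.compile(r"^(?P<time>\S+)\s+dns-fail\s+(?P<client>\S+)\s+(?P<qname>\S+)\s*$")


@dataclass
class Finding:
    client: str
    qname: str
    kind: str
    note: str


def reverse_ptr_to_ip(qname: str) -> str:
    """Turn an IPv4 PTR name back into the address it asks about.

    in-addr.arpa names list the octets in reverse order, so
    '216.58.202.4.in-addr.arpa' is the reverse lookup of 4.202.58.216,
    not of 216.58.202.4.
    """
    octets = qname.lower().rstrip(".").removesuffix(".in-addr.arpa").split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not a full IPv4 PTR name: {qname}")
    return ".".join(reversed(octets))


def classify(qname: str) -> tuple[str, str]:
    """Return (kind, note) for one query name; order of checks matters."""
    name = qname.rstrip(".").lower()
    labels = name.split(".")
    if "*" in name:
        return "wildcard", "literal '*' is not a valid hostname label; failure expected"
    for suffix in SPECIAL_USE:
        if name == suffix or name.endswith("." + suffix):
            return "special-use", f".{suffix} is reserved (RFC 6761/7686); resolvers answer NXDOMAIN"
    if name.endswith(".in-addr.arpa"):
        try:
            return "ptr", f"reverse lookup of {reverse_ptr_to_ip(name)}"
        except ValueError:
            return "ptr", "partial IPv4 reverse-zone name"
    if name.endswith(".ip6.arpa"):
        return "ptr", "IPv6 reverse lookup"
    if name == "_dns.resolver.arpa":
        return "ddr", ("DDR probe for an encrypted resolver (RFC 9462); "
                       "a negative answer is normal when the resolver offers none")
    # SRV/SVCB-style names look like <service>.<proto>.<zone>, with or without underscores.
    if labels[0].startswith("_") or (len(labels) > 2 and labels[1].lstrip("_") in ("tcp", "udp")):
        return "service", f"service lookup for '{labels[0].lstrip('_')}'"
    return "host", "ordinary hostname; check whether it resolves from another network"


def analyze(log_text: str) -> dict[str, list[Finding]]:
    """Group classified failures by client so per-device patterns stand out."""
    by_client: dict[str, list[Finding]] = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a failed-query record in the assumed format
        kind, note = classify(m["qname"])
        by_client[m["client"]].append(Finding(m["client"], m["qname"], kind, note))
    return dict(by_client)


def expected_failures(findings: list[Finding]) -> int:
    """Count failures that are the normal outcome for that query type."""
    return sum(f.kind in ("wildcard", "special-use", "ddr") for f in findings)


if __name__ == "__main__":
    for client, findings in analyze(SAMPLE_LOG).items():
        print(f"{client}: {expected_failures(findings)}/{len(findings)} failures expected by design")
        for f in findings:
            print(f"  [{f.kind:11}] {f.qname}: {f.note}")
```

The per-client grouping is the part that answers the practical question: a device whose failed queries are all `wildcard`, `special-use` or `ddr` is producing failures that any resolver would return regardless of what the device is doing, while a plain `host` name that keeps failing is the one worth resolving from a different network to see whether the name exists at all.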

10 REPLIES
InquiringMinds666
Journeyman

Okay, I appreciate your effort and time in helping me out!
