Chinese IP addresses making DNS Requests on my plexconnect from OUTSIDE my network?

First the basic info from my setup:

AppleTV3 5.3

Plexconnect - latest release downloaded from GitHub 24 Sep 2013 (GMT +9 hours)

PMS - 0.9.8.4.125-ffe2a5d

So this past week, something weird was happening to my Plexconnect setup/AppleTV3. I would try to browse through my library and it would take minutes to load! Sometimes it wouldn't load at all. So I looked at my terminal and noticed a slew of DNS requests from IP addresses OUTSIDE of my network. Looked up the IPs on Google and it turns out they're all from China; I confirmed this as best I can by using . Then I realized that my AppleTV's DNS requests were not going through because my computer was not able to process them due to the stacks and stacks of requests from the Chinese IP addresses. I shut down (ctrl+C) the plexconnect server, waited, then started it back up, and there it was: as soon as it started up, hundreds of hits again from Chinese IP addresses. Thought maybe my settings were messed up, downloaded the latest PlexConnect build from GitHub, configured the settings file, and still the same thing. Finally, I restarted my router that is connected to my fiber, the connection to the outside world. As soon as I did that, it finally stopped. Today, I kept an eye on my plexconnect while watching tonight, and still got sporadic requests from Chinese IP addresses, but nothing like yesterday.

So my worry is this... Does using port 53 open up my internal DNS to the external world? Also, what steps can I take to make sure that PlexConnect isn't opening up my network or creating vulnerabilities?

Other factors to take into consideration:

The computer I use to serve PlexConnect, I also use to torrent/download/iTunes. I don't share anything externally from my network, and my firewall is up of course. The only place where I see the Chinese IP addresses pop up is in terminal during PlexConnect, as DNS requests. I ran the network utility and scanned the ports, nothing was there. I also scanned for connections to my network, also nothing there. Not sure what's going on, but I was worried that perhaps PlexConnect may be creating an unexpected vulnerability.

Would it be possible to use a different port as a DNS server? If so, how could something like that be configured? Also, would that prevent others from getting into my network?

I read also that the "ssl/certificate" method to get PlexConnect working with AppleTV3 and the latest update creates a very generic certificate that anyone could use. Someone in China has created a certificate for people to use, and is distributing it for use with the iPhone Configuration Utility. If multiple people use this cert, does that mean that they could mistakenly connect to other people's PlexConnect? Given that the cert is generic, wouldn't it allow access? (Mind you, I created my own cert and did not download one from online.)

In any case, I hope I didn't confuse anyone. I understand that there are a lot of networking principles involved and this may have nothing to do with PlexConnect. I was worried because I was only made aware of this through the use of PlexConnect and Terminal. I do not know how to determine if this "attack" has happened to my computer/network before. If anything, PlexConnect may be the only tool that has revealed these happenings on my network to me.

Anyhow, any help or suggestions are totally appreciated. If you feel that this does not belong here, please let me know where to move my post. Or please notify me if you move my post to a new forum.

DNS requests from China are never a good thing. I would look into whether you have a rule that allows port 53 to be open on your router/DNS server.

As a precaution, I would call your ISP and have them change your IP address as well.

You need to check your ROUTER port forwarding immediately.

PlexConnect works inside your network and can only be exposed if your router is forwarding port 53, or 80, or 443 to the computer that plexconnect is running on.

Please check your router config and make sure none of those three ports are being forwarded from your external IP address to your computer inside address.

You should be using your own generated certs that have a unique private key.
As well as checking port forwarding, make sure you are not running your PC in a DMZ; if you are, then you are exposing it to the whole internet!

A great tool for finding any open ports or UPNP security risks is the ShieldsUp! scanner at Gibson Research (www.grc.com).

Actually, what is happening here is not that you are being hacked.

They are using your DNS server, among many others, to attack something else with a massive amount of DNS requests.

I got the same thing on mine. After that I installed icefloor and only allowed DNS requests from "known" external IP addresses which I need, since plexconnect and PMS are not based where my ATVs are located.

I also blocked any traffic going towards the ip that was attacked.


The root cause though is almost certainly that you have ports open or your machine in a DMZ.
If you are running a DMZ I would advise you to stop using it as you will be exposing more than a DNS server to anyone 'passing by'.

10 Points for not reading f00b4r?

I stated that I solved the issue by installing icefloor (firewall) and that I need the port open because my ATVs are not located where my PMS and Plexconnect are hosted.

I just wanted to inform the initial poster about another solution to the problem if he, like me, needs to have PlexConnect running towards the interwebs.


I didn't intend to refer to your situation but the ops (I admit that was not clear).
You seem to know what you are doing, but I was trying to highlight the issue of running PlexConnect on a machine in a DMZ; it's not something that most users should be doing.

:slight_smile: all good then :slight_smile:
10 points for me not getting that :slight_smile:

@meltman I thought port 53 has to be open in order for plex connect to be seen by atv?


@christiansvedin @f00b4r thanks for the info. Not sure if my computer is in a DMZ. Could you explain how to check that? I'm not too keen on the networking side of computers. I do have my AEBS set to forward requests to my computer for torrents, but it's not on any of the Plex ports. When you see the attached log, you'll see that the port is randomized. I'm using a Mac and AirPort routers, if any of that makes a difference in configuration. I have my firewall turned on, and I even tried blocking all incoming connections, but when I did that Plex stopped working. My DHCP is set to only allow just enough IP addresses as I have devices and is MAC address specific.

I am using the default configurations from the zip file at GitHub, of course with my internal IP address, my ISP's DNS as the DNS, http and web set to 0.0.0.0 usually (but after downloading the zip from two days ago, the http and web started using my Mac's IP, even though in the settings I have it set to 0.0.0.0), and I created my own certificate for the ssl access fix. Mind you, after the ssl fix action, the last minute or two of shows is getting cut off, kind of like when you use Plex to serve to a smart TV using DLNA. But that's another topic.

Thank you very much for your replies and information. I appreciate Plex a lot as it helps to keep my home theater media player options clean and simple.

Port 53 only needs to be accessible on your LAN so does not need to be open on your router.

It is in your router that you need to check about if a DMZ has been setup.

In the AirPort it is (or used to be anyway) called something slightly different, the "default host mode".

Check this link for instructions on how to enable/disable.

Thanks. I looked at that and I do have a host setup, but it's for torrenting. Is it possible to torrent without that? I mean, when I set up the host I specified the ports, so that should lock it down to those ports only. Right? Or am I mistaken?

Why do the requests for DNS show a different port than I have open? And why does it only show in the plex connect terminal? Is plex connect opening up other ports by chance? How can I make sure that plex connect is not serving on web or http? Prior to the last update, it always showed 0.0.0.0, but now the web and http show my computer's IP address. What do I need to change in the setting.cfg file to ensure it is only serving internally?

You've put your computer in the DMZ? That slaps it right out on the web for hackers to poke at. It's a bad idea.

Some torrent programs will automatically map ports using UPnP if your router has that ability (which it likely does). You shouldn't put anything in the DMZ ever unless you really, really know what you're doing.

Well, I'm using Transmission as my torrent app, and I use port forwarding for my computer to be seen specifically for torrenting. It only specifies to use the one port that I have selected.

With the port forwarding off, Transmission doesn't download or seed.

I only had this issue with plex connect, nothing else. The reason I am looking at Plex is because it is set to automatically share on port 80 and 443, but I never set it up that way using the settings file.

I'll try turning off my port forwarding and remove the host identification on my computer and see if that will remove the issue. Then I'll see if Transmission has another way to work.

This never happened to me prior to using plexconnect, which may be a coincidence. No one has ruled out a configuration or setting in plex connect that opens your computer up or puts it in a DMZ though.

I think you will find Plexconnect is just highlighting an issue you already had.

It is very possible you have always had requests from external IPs because of your setup, and now that you have plexconnect running you are seeing all requests on DNS port 53 logged; before plexconnect you would not have had anything listening on port 53 and therefore they were not answered and not logged.

The thing with Plexconnect is that it intercepts DNS requests (by design, as this is how it is able to have trailers.apple.com requests present your Plex content). However, if you open port 53 (DNS) to the outside world, anyone can use this as a DNS server, because plexconnect just forwards any other request made to it that is not trailers.apple.com and atv.plexconnect (as well as the Apple update sites) to the DNS server set in the setting.cfg (by default Google).

As mentioned by Christian, if you use something like icefloor you can restrict who is using the DNS server and therefore remove this issue.
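One way to tell whether a LAN-only resolver like the PlexConnect DNS intercept is being reached from outside is to classify the source address of each logged request against the home subnet. The script below is an added example, not PlexConnect's own code; the log line format, the 192.168.1.0/24 LAN range and the sample addresses are all constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines, modelled loosely on a DNS-intercept log;
# the real PlexConnect output format may differ.
SAMPLE_LOG = """\
12:01:03 DNSServer: request from 192.168.1.20:51234 for trailers.apple.com
12:01:04 DNSServer: request from 203.0.113.45:4021 for example.org
12:01:04 DNSServer: request from 203.0.113.45:4022 for example.org
12:01:05 DNSServer: request from 198.51.100.7:9988 for example.net
12:01:06 DNSServer: request from 192.168.1.20:51235 for atv.plexconnect
12:01:06 DNSServer: request from 203.0.113.45:4023 for example.org
"""

LINE_RE = re.compile(r"request from (\S+):(\d+) for (\S+)")

# Assumed home LAN; loopback is always treated as internal.
INTERNAL_NETS = [ipaddress.ip_network("192.168.1.0/24"),
                 ipaddress.ip_network("127.0.0.0/8")]

def is_internal(addr, nets=INTERNAL_NETS):
    """True when the source address falls inside one of the configured internal ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)

def summarize(log_text, nets=INTERNAL_NETS):
    """Count requests per source, split into internal and external,
    plus which names the external sources are asking for."""
    internal, external, names = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, _port, qname = m.groups()
        if is_internal(src, nets):
            internal[src] += 1
        else:
            external[src] += 1
            names[qname] += 1
    return {"internal": internal, "external": external, "external_names": names}

def open_resolver_suspected(summary):
    """A LAN-only resolver should never see external sources: any at all means port 53
    is reachable from the Internet (DMZ, port forward or UPnP mapping) and should be closed."""
    return sum(summary["external"].values()) > 0
```

Run it over the real PlexConnect console output to get the list of external sources and the names they query, which is also what a firewall rule (icefloor/pf on the Mac) would need to restrict.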
