Question What are these bizarre DNS lookups from my LG B6?

Discussion in 'LG TVs Forum' started by PsyQ, Jul 13, 2019.

  1. PsyQ

    I notice that my TV is trying to look up nonsensical DNS records as soon as it's on, such as:
    • ejjdtcvnpyt
    • qgjpqdnz
    • uchkqfzmnab
    • uomtckkhjt
    And so on. It tries them in rapid succession, once without my local search domain attached, then with. So it is definitely reading the resolver configuration correctly from DHCP, including search domain. After such a burst it's quiet for a while, but I can reproduce the behavior by switching it into standby and back on.

    The only apps I use regularly on it are YouTube, Netflix and the built-in DLNA player. No unofficial apps installed.

    What could this be, and can I get it to stop?
     
  2. shotokan101

    Odd - how are you checking this activity?

    Jim
     
  3. PsyQ

    It shows up in my Pi-hole logs. And of course none of these lookups are ever successful.
     
  4. Dubav

    FQDNs?
     
  5. PsyQ

    No, just the hostnames. In the initial query only the hostname, then for the next one the TV adds my local search domain. So it would look up ejjdtcvnpyt and then almost immediately ejjdtcvnpyt.psynet.

    Maybe other Pi-hole users who are also LG B-series owners would find similar stuff in their query log? I know one C-series owner I can ask, but I'm not sure if they log their DNS stuff.
     
  6. next010

    I use Pi-hole and have a B7, I don't see anything in my logs matching yours when I power on the TV.

    I can see a bunch of LG domains it's connecting to, those are lgtvsdp, lge, lgtvonline but that's about it.

    The blocklist for LG TVs has no mention of these either.
     
  7. PsyQ

    Thanks a lot for checking! They mostly appear to be randomly generated and so would be hard to block. It also doesn't appear to use the same name more than once, except for one: wpad. It always tries a sequence of wpad, then 9 random hostnames.

    I will set up a honeypot under wpad, let's see what traffic comes through. Maybe the TV got exploited via e.g. the web browser at some point?

    Edit: Ah, nope, wpad is something unrelated. So it's down to just 9 random hostnames in a row, nothing to do with wpad.
     
    Last edited: Jul 14, 2019
  8. gavcity

    wpad would be it checking if there's a proxy server configured. Though I didn't see that with mine when I checked it just now.

    These are the lookups my TV makes on boot. Doesn't seem to be much of concern to me.
    push.prod.netflix.com
    api-global.netflix.com
    GB.lgtvsdp.com
    lgtvonline.lge.com
    GB.info.lgsmartad.com
    snu.lge.com
    preferences.cid.samba.tv
    a3phael99lf879.iot.eu-west-1.amazonaws.com
    ngfts.lge.com
    common.lgthinq.com
    GB.lgtvsdp.com
     
    Last edited: Jul 16, 2019
  9. PsyQ

    Thanks. Yes, my list would look similar if it weren't for the creepy random lookups. They always happen about 2-3 minutes after powering on or resuming from standby.

    I will probably have to set up a local DNS server and point a wildcard domain at a honeypot to figure out what the TV is trying to do. The DNS server inside Pi-hole (I think it's dnsmasq) does not support wildcards :(
     
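One way to pick the pattern described in this thread out of a Pi-hole query log, as an added example that is not part of any post: it folds each search-domain retry onto the bare name and reports clients that ask for several distinct single-label names within a short window. The log lines are constructed (the client IPs, timestamps and the `nas` host are made up; the random names, `wpad` and the `psynet` search domain are quoted from the posts), and `find_bursts` and its parameters are hypothetical names.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in dnsmasq/Pi-hole query-log format. The names, "wpad" and
# the "psynet" search domain come from the thread; IPs, times, "nas" are made up.
NAMES = ["wpad", "ejjdtcvnpyt", "qgjpqdnz", "uchkqfzmnab", "uomtckkhjt"]
SAMPLE_LOG = ["Jul 13 20:14:02 dnsmasq[812]: query[A] lgtvonline.lge.com from 192.168.1.50"]
for i, n in enumerate(NAMES):
    for q in (n, n + ".psynet"):  # bare name first, then the search-domain retry
        SAMPLE_LOG.append(f"Jul 13 20:16:{30 + i} dnsmasq[812]: query[A] {q} from 192.168.1.50")
SAMPLE_LOG.append("Jul 13 20:20:00 dnsmasq[812]: query[A] nas from 192.168.1.20")

LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) dnsmasq\[\d+\]: query\[\w+\] (\S+) from (\S+)$")

def find_bursts(lines, search_domain, min_names=9, window=timedelta(seconds=60),
                ignore=("wpad",), year=2019):
    """Return {client: [labels]} for clients that query at least `min_names`
    distinct single-label names within `window` (hypothetical helper)."""
    suffix = "." + search_domain.lower()
    first_seen = defaultdict(dict)  # client -> {label: time first queried}
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # replies, forwards and other dnsmasq lines
        ts, name, client = m.groups()
        name = name.lower().rstrip(".")
        if name.endswith(suffix):
            name = name[:-len(suffix)]  # fold the retry onto the bare name
        if not name or "." in name or name in ignore:
            continue  # real domains and known probes such as wpad
        # syslog timestamps carry no year, so one is supplied by the caller
        when = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
        first_seen[client].setdefault(name, when)
    bursts = {}
    for client, labels in first_seen.items():
        ordered = sorted(labels.items(), key=lambda kv: kv[1])
        for _, start in ordered:  # slide a window over first-seen times
            group = [n for n, t in ordered if timedelta(0) <= t - start <= window]
            if len(group) >= min_names:
                bursts[client] = group
                break
    return bursts

if __name__ == "__main__":
    print(find_bursts(SAMPLE_LOG, "psynet", min_names=4))
```

The default `min_names=9` matches the nine-name sequence reported above; the sample only contains the four names quoted in the first post, so it is run with `min_names=4`.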
