
"Multicast DNS Warning" Letter Received - Can't Identify Responsible Device/Can't Identify Exposed Ports

Epsilon201st
On our wavelength

I know this topic has been raised by others before over several years, but I have particular queries that I both can't see answered anywhere and that I have been unable to address myself.

I have received the 'Multicast DNS Warning' letter (it's sent as an email to most, but this was sent in the post) several times, each time with an updated IP address commensurate with the SuperHub's typical cycling through of IP addresses because of the dynamic assignment given to each CPE (Customer Premises Equipment, i.e., each of our accounts, as Virgin Media subscribers, is given a 'fluid' IP address that changes regularly, as opposed to something fixed and permanent), but I can't identify which of my devices is responsible, although I have some guesses (I have a Sonos system and wonder if this might be responsible because of how the Sonos network arranges itself, but I have no real idea, and don't know if this kind of speculation on my part just complicates things, or if such guesses might be helpful to people who, unlike me, are well informed on such technical matters). I have my network set up with a third party router (ASUS 86/1900AC) and I know that a firewall is enabled and runs at all times, and that whilst from time-to-time various ports are opened for various uses (gaming and such) there are never any permanently open ports on any devices.

And just to verify this from external sources, there are many available resources for testing ports on a particular IP address; the below is just one of these many: https://canyouseeme.org/

I have checked ALL the typically exploited ports, and apparently none are open. Now obviously I have not scanned the entire 1-65665 range, but let's say it is one of these other ports that has been exposed unbeknownst to me, why does Virgin not identify which port is open so that I can identify which device is responsible? Or, if the Multicast DNS warning correspondence only comes through on the 'MDNS port' of 5353, why am I being notified this port is exposed, when I have verified it definitely, currently, is not?

In case it's not obvious I should also point out virginmedia.com/mdns leads to a generic advice page and nothing specific to my account and nothing that allows me to take steps to correct the 'problem'. Overall it has been extremely irritating and time consuming chasing shadows, nowhere near enough information provided at the outset, and nowhere near adequate solutions available to the problem identified, presuming it is even accurate, and if it isn't, why am I being notified improperly like this?
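A point worth making for anyone reading this thread: web port checkers such as canyouseeme.org attempt a TCP connection, while mDNS is a UDP service on port 5353, so a "closed" result from a TCP checker says nothing about whether an mDNS responder is reachable. The script below is an added example, not from the original post or from Virgin Media; it builds a single standard mDNS service-enumeration query (the `_services._dns-sd._udp.local` PTR name), sends it as a UDP datagram to an address you supply (intended to be your own WAN IP or hostname), and reports whether a DNS-format response comes back. The function and variable names are my own choices.

```python
import socket
import struct

MDNS_PORT = 5353
# DNS-SD service-enumeration name: any mDNS responder that answers unicast
# queries will reply to this with the service types it advertises.
SERVICE_ENUM = "_services._dns-sd._udp.local"
TYPE_PTR, CLASS_IN = 12, 1


def encode_qname(name):
    """Encode a dotted name in DNS wire label format (length-prefixed labels)."""
    out = b""
    for label in name.strip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def build_mdns_query(name=SERVICE_ENUM, txid=0):
    """Build one standard DNS query with a single PTR question.

    mDNS queries conventionally use transaction id 0 and flags 0.
    """
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", TYPE_PTR, CLASS_IN)


def parse_dns_header(data):
    """Return the header fields of a DNS message, or None if it is too short."""
    if len(data) < 12:
        return None
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {
        "id": txid,
        "is_response": bool(flags & 0x8000),  # QR bit
        "questions": qd,
        "answers": an,
        "authority": ns,
        "additional": ar,
    }


def probe_mdns(host, timeout=2.0):
    """Send a unicast mDNS query to host:5353 and report whether it answers.

    Run this against your own public address from outside your network.
    A DNS-format reply means the responder is reachable from the internet;
    silence is not proof of the opposite, since UDP filtered by a firewall
    looks identical to a host that simply does not answer.
    """
    family, _, _, _, sockaddr = socket.getaddrinfo(
        host, MDNS_PORT, socket.AF_UNSPEC, socket.SOCK_DGRAM
    )[0]
    with socket.socket(family, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_mdns_query(), sockaddr)
        try:
            data, peer = sock.recvfrom(4096)
        except socket.timeout:
            return {"host": host, "exposed": False, "reason": "no reply within timeout"}
    hdr = parse_dns_header(data)
    if hdr is None or not hdr["is_response"]:
        return {"host": host, "exposed": False, "reason": "reply was not a DNS response"}
    return {"host": host, "exposed": True, "answers": hdr["answers"], "from": peer[0]}


if __name__ == "__main__":
    import sys

    # Hypothetical usage: python3 mdns_check.py <your-WAN-IP-or-hostname>
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(probe_mdns(target))
```

If the check is run from inside the LAN it will reach the device directly and tell you nothing about internet exposure, so it belongs on a host outside the network (a phone on mobile data, a remote VPS). Its complement on the defensive side is a router rule that drops inbound UDP 5353 on the WAN interface, which is what stops the responder being reachable regardless of which device is answering.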


Client62
Legend

Do you have any equipment that has been loaded with non-standard software ?

Think about Amazon Firesticks / ROKU / Games Consoles etc. where a non-standard or especially a side-loaded app / program has been installed to gain access to some kind of service or content. Such non-standard apps / programs can come with unexpected / undisclosed back doors that VM detect.

Well okay, at least I know that particular info on my network might be helpful. The only other guess I have is my PS4/PS5 (it appears to have continued on since I switched consoles a few weeks back; I am waiting to see as and when an updated letter arrives to know for sure that the problem persists) because the console I plug directly into the SuperHub and, even in Modem Mode, which is described as operational only via Ethernet Port 4, I have the PS4/PS5 plugged into Ethernet Port 1 and it seems apparently able to derive its own IP address, and when it does, it's listed by the console as 'NAT Type 1' which, I believe, indicates fully Open NAT. All that configuration is automatic - not designated by me. And although I know open NAT is unusual, if that is accurate, it also isn't the same as multicast DNS. Is it possible that this open-NAT auto-config setup has somehow allowed for another exploit? Would this mean the console was hacked? Again I have as much security as possible (PIN login, 2FA, etc.) even in regards to my PlayStation & account, so it still seems dubious to me.

As I said before re: awaiting the newest update to confirm this vulnerability was still going, because as I say the PS4/PS5 assigned itself a unique IP address of its own, after I received the previous letter I did a PTR or reverse search, i.e. in order to give the hostname in full (which doesn't change) as opposed to a specific IP address (which, as I have already outlined I am aware of, the dynamic assignment from Virgin Media means no single IP address is tied to our Superhub/account), and therefore I would then reverse the hostname when the next letter comes and identify, if possible, whether it is from the PS4/PS5 designated address or the Superhub-in-Modem-mode/rest of network public IP. I am about 90% sure last time I did this check, it was NOT the PS console address listed, but as I say, I am waiting for specific info to answer that definitively.

Do you think the above has anything to do with it, and if so, how would that have happened? Or is the Multicast DNS warning sent as just that - a warning of a possible exploit given the conditions identified on my network, as opposed to either a) a guarantee of harm to the network or b) a confirmation that an exploit has actually taken place as opposed to simply being possible? If so, what can I do to stop being notified?

Client62
Legend

Crikey man, a bot might have written less and said a fair bit more !

Hi @Epsilon201st,

Thank you for your posts and welcome back to our community forums. We're here to help.

I'm sorry to hear that you're having some trouble with a device. If you've received a letter advising of a device issue that's been detected then please follow the instructions as they're detailed on the letter.

Thanks,
 


Zach - Forum Team


Epsilon201st
On our wavelength

Hi all, thanks for the reply. I don't know when or why they made this switch but now the warnings are indeed coming through by email, not through the post, which at least explains why there's been no update in the last few weeks (not, of course, the preferable explanation that the issue had been resolved). There is, as I have mentioned already, no solution provided, simply advising that I visit virginmedia.co.uk/mdns, but that is just a generic advice page about security. I have explained in detail already that I feel like I've done everything on my end security-wise to shore up the network and to identify the responsible device, neither of which indicated any problems. And yet the warnings persist. If it helps I have been given reference numbers for each letter/notification, so if I could provide them (maybe via PM?) maybe someone in the know on Virgin's end could check out those references.

I have been able to confirm now that this is due to the PS5, which I can only presume is assigning itself DMZ status when connected via the Superhub directly, with the Superhub in modem mode. It appears this problem - if you search 'PS4' or 'PS5' in conjunction with mDNS - has arisen for many PS owners. Can anyone help identify which of these solutions is the one I will have to take, or do I have any choice between them?

(1) Take the SuperHub out of modem mode to configure port forwarding/firewall rules? (is there any way to do this whilst in modem mode, or that will be remembered and applied when using modem mode?)
(2) Assign custom DNS that are encrypted/secured, e.g. Cloudflare (1.1.1.1) or Google (4.4.4.4/8.8.8.8) - would an option like that help? Or indeed an actual custom-assigned DNS that I can put security on?
(3) Any other advice on steps to take?


I also think this might be worth noting, because most of the advice I read was about securing your LAN network against attack, and assigning rules about blocking certain ports for your internal network. Now, with my Superhub in modem mode, my PS5 is completely isolated from the rest of the network anyway. However, I have noticed that my PS5 keeps configuring its own IPv6 address, a "Link local ipv6 address". I could never figure out why that was, or how it happened, and I couldn't find much advice about it online even though I searched extensively, so in the end I just paid it no heed. Now of course I am putting two and two together and wondering, was that 'link local' address configured precisely as a backdoor way to connect to devices on my LAN network, somehow? Or something of that nature?

Hope I have not muddied the waters with this additional info. Thanks for advice/help.