Internet Tracking Site Discovered(?) via NextDNS

Ceyarrecks

Member
Sep 29, 2020
24
3
In ~2 days of monitored browsing/Internet usage on solely NextDNS, I find the site *.selfcampaign.com is shown to have 1,755 hits!!??!?

https://www.virustotal.com/gui/ip-address/136.243.12.39/relations

VirusTotal / Relations
==========================================
Date resolved / IP / Domain
2020-09-22 / 136.243.12.39 / track3.selfcampaign.com
2020-03-05 / 136.243.12.39 / www.selfc.io
2020-02-23 / 136.243.12.39 / 10.72.180.60lib.selfcampaign.com
2020-02-23 / 136.243.12.39 / 10.72.180.60delivery.selfcampaign.com
2019-12-12 / 136.243.12.39 / track.selfcampaign.com
2019-12-12 / 136.243.12.39 / selfcampaign.com
2019-11-05 / 136.243.12.39 / selfc.io
2019-10-26 / 136.243.12.39 / ml314.comtrack2.selfcampaign.com
2019-10-25 / 136.243.12.39 / settings-win.data.microsoft.comtrack.selfcampaign.com
2019-10-01 / 136.243.12.39 / 3.tlu.dl.delivery.mp.microsoft.comlib.selfcampaign.com

WHAT! is the issue with selfcampaign.com!?!?
And WHOM is it that makes use of this tracking domain? Which site(s)?!?! {not been able to figure this part out yet}
The WHY is obvious based on the above displayed Relations.

Yet, for the same period of time, the highest accessed site, www.youtube.com, shows only 986 hits.
{In testing NextDNS as sole resolver, I have been playing a large number of YouTube vids as well as accessing many other sites}

Also of import, none of the chosen anti-tracking/malware DBs (MPVS, Disconnect^3, NextDNS) identify this site as adversarial!
I am not sure exactly what I see, but based on what foundation I have gleaned from the years of listening to Mr. Gibson's SecurityNow!, I suspect something is awry.

Also, also, I note that the web interface for NextDNS allows one to get a better understanding of sites accessed than the Pi-Hole interface does; I do not recall EVER seeing selfcampaign as a predominantly accessed site via Pi-Hole.

Thanks for any feedback, confirmation, additional insights, et al.
CAH

PHolder

Well-known member
Sep 16, 2020
630
2
308
Ontario, Canada
Non-authoritative answer:
Name: track3.selfcampaign.com
Address: 136.243.12.39

Non-authoritative answer:
Name: www. selfc.io
Address: 136.243.12.39

Domain static.39.12.243.136.clients.your-server.de
ISP Hetzner Online GmbH

Looks and acts like a malware server, serving no data when directly addressed.

These two at the end of your list (which I have broken into two parts):
settings-win.data.microsoft.com | track.selfcampaign.com
3.tlu.dl.delivery.mp.microsoft.com | lib.selfcampaign.com

Look like they're using some sort of vulnerability that causes their data to get appended to the end of a Microsoft URL of some sort.

danlock

Well-known member
Sep 30, 2020
133
45
I didn't read every line of the messages, but I did notice that it was registered via udag.net > united-domains.de with DNS servers ns.udag.de, ns.udag.org, and ns.udag.net, and that the following info is not obscured but seems to be relevant for both udag.* and united-domains.

Code:
Registrant Name: Kai Seefeldt
Registrant Organization: B2B Media Group EMEA GmbH
Registrant Street: Bahnhofstr 5
Registrant City: Simmelsdorf
Registrant State/Province:
Registrant Postal Code: 91245
Registrant Country: DE
Registrant Phone: +49.89189659421
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: billing@b2bmg.net
Registry Admin ID:
Admin Name: Kai Seefeldt
Admin Organization: B2B Media Group EMEA GmbH
Admin Street: Bahnhofstr 5
Admin City: Simmelsdorf
Admin State/Province:
Admin Postal Code: 91245
Admin Country: DE
Admin Phone: +49.89189659421

Above that in the routing table is hetzner.com (HETZNER ONLINE GMBH), for which all info is redacted ☹️
Above hetzner.com is core-backbone.com and then level3.net.

Ceyarrecks

Member
Sep 29, 2020
24
3
Further research data:
After assuring that WaterFox (which I just implemented instead of FireFox for testing, which was also experiencing the same symptoms) does NOT load tabs until selected, and ONLY accessing the one tab for https://my.nextdns.io/######/analytics, I think I have discovered something of an unease about NextDNS.

No other Internet-aware program is currently running or able to access the network past the firewall.

DNS Service has been disabled forever,
and
TCP/IP DNS is currently hard-coded to NextDNS' servers:
45.90.30.241
45.90.28.241
The HOSTS file does have the following listings:
127.0.0.1 selfcampaign.com
127.0.0.1 c2.selfcampaign.com

which, if some program were running and using DNS to resolve selfcampaign, the HOSTS file would stop cold, yet,...

It still seems SOMETHING is accessing this domain, as indicated by the NextDNS interface.

(!) The thought just occurred while I re-read prior to posting
that there are two devices after this PC and before NextDNS:
the EdgeRouter X, and the Netgear 6100 WISP modem.
I begin to wonder if either of these devices might be a part of this equation.
The ERx was recently updated for its firmware; the WISP modem, being discontinued, has not had any firmware change in years.

Also, also, I am currently using NextDNS under its "Free (300,000 req/mo)" account.

{DNS Benchmark shows NextDNS with horrible times, and .28 as being down atm}
(I am not so much concerned with times as security, as NextDNS does promote protection against ...CNAME Spoofing (or whatever it is called that was recently discussed in SecNOW!))

Having another that could provide feedback, verify and/or lend insight into these results would be useful.
 

Ceyarrecks

Member
Sep 29, 2020
24
3
OK!
I had forgotten that the Netgear 6100 WISP modem had its own firewall, so I added c2.selfcampaign.com to its BLOCKED domains list, and lo and behold, NO more entries from said tracking/malware site.

Which undeniably discovers that the Ubiquiti EdgeRouter X (EdgeOSv2.0.9-hotfix.1) is having conversations unbeknownst to its users, for, some, reason,...

Nowhere in the user interface for the ERx is there any mention of this site, and the option for "sharing anonymized diagnostics" has always been unchecked.
I will contact Ubiquiti and report back what their response is.
 

miquelfire

I like red!
Sep 26, 2020
42
4
www.miquelfire.red
Do you have other devices on your network? Something on your phone, for example, might be calling that domain.

I signed up for NextDNS because Cloudflare tends to drop queries a lot here for some reason (I assume whatever blocked me from using it when they first started, the whole random equipment using the 1.0.0.0/8 subnet for something, was never fully fixed), and with the default block list they use I noticed my Roku is doing some logging even though 99% of the time it's in screen saver mode.

I might sign up for the paid service (I used like 9% of the free service on the first day!)
 

Ceyarrecks

Member
Sep 29, 2020
24
3
HERE! is the reason why I am more than likely going to stay solely with NextDNS:
Disguised Third-party Tracker.jpg


Their (re-settable & downloadable) log page details everything that goes on with the IP-specific connection, and splays it out for evaluation;
and as noted previously, is their stated protection against those whom GO. OUT. OF. THEIR. WAY. TO. DECEIVE!

Also, as previously stated, there are THREE, and only three (3), devices in question: a PC, a Router, & a Modem.
(I currently run a very simple network, nothing extraneous or superfluous is connected to the Internet)
To date, the aforementioned URL has NOT been accessed since blocking it at the WISP Modem, which effectively isolates and identifies the EdgeRouter X as the offending device. {am still waiting on reply from Ubiquiti}

After the 30th day of testing, I expect I will sign up for the Paid version, if only just to ENCOURAGE & SUPPORT this altruistic DNS provider!
 

Ceyarrecks

Member
Sep 29, 2020
24
3
more displays of NextDNS, their resolved regional map:
(more full color shows greater intensity of connections, can even determine countries)
NextDNS map.jpg
 

Ceyarrecks

Member
Sep 29, 2020
24
3
Well now.
And if I may state, this is the (purposefully?) frustrating part:
NextDNS Blocked Domains.jpg

where I just verified that the WISP modem does, indeed, still have said offending domain listed in its "firewall/domain block" section.
Now, all of a sudden, the tracking/malware site is shown as being blocked again,
which suggests either the offending device is now to be understood as the WISP modem, or the modem is not functioning properly in terms of its ability to block domains.
I do not have the expertise nor equipment to find this subtle detail, and would not even know where to start to determine the source of the actual fault.
So for any who understand this situation better than I, any input or suggestions as to how to determine this further would be appreciated.



Anyway, I suggest "purposefully" as so many go out of their way to over-complicate/obfuscate/ambiguate with the purpose of hiding their malice and agenda, with the hope that others who would choose to hold them accountable would become frustrated and exhausted, thus giving up,... allowing the hateful free rein.
 

brookbphx

New member
Mar 13, 2021
3
1
Not sure about how much of the following relates to your current setup, but consider:
  • Each of your four items (Browser, PC, Router, Modem) might be trying to use different DNS services.
  • Any of these items that are NOT pointing their DNS resolution at NextDNS are likely not contributing to the report you get from NextDNS. So if your browser is the only item you have pointing at NextDNS, you can be confident that everything you see blocked is coming from that browser. You might be able to figure out which item is sending those queries by using the NextDNS servers on only one item at a time to figure out which DNS client is requesting the selfcampaign.com address resolution.
  • If you have *.selfcampaign.com as localhost in your PC's hosts files, that will only protect your PC from queries that are using the PC's built-in DNS resolution service. The 'hosts' file is simply part of the PC's host name resolution. If your browser is programmed to use NextDNS, that will bypass whatever you have for DNS resolution on the PC, including the hosts file.
  • Another debug option to consider is to use Wireshark to capture which item is sending traffic to selfcampaign, although that could be a little more difficult between your router and modem.
  • You mention blocking the selfcampaign sites on your modem with a firewall. Firewalls can block in a variety of ways. It wasn't clear from your post how your WISP modem implements its "Firewall/Domain Block" feature. Most firewalls in routers/modems that I've seen block by IP address. Router/modem firewalls may also block by domain name by looking up the IP address for the supplied domain name from their configured DNS service (your ISP by default), and then blocking that IP address. But that's a sticky wicket, because domain name mapping to IP addresses can often change due to load balancing, etc. And because the modem is perhaps using the ISP's DNS service while your browser is using NextDNS, there's a good chance they are resolving DIFFERENT IP addresses for the selfcampaign servers (assuming there is more than one). So your modem/router might resolve it as address 'A', and then block address 'A', but your browser, using a different DNS service, might resolve it as address 'B', which is not blocked by the modem/router. Often, modems/routers are set up to act as DNS servers, offering DNS services to your home devices (if the home devices are configured to use them). These modems/routers will often offer DNS filtering (conceptually, a 'kind' of firewall), such that they will block certain DNS queries (much like NextDNS or a hosts file does) by domain name for devices on your LAN that are configured to use their DNS services. But if the name is resolved by another DNS resolver, they will not be able to block the DNS lookup, and additionally, they will NOT block traffic to that domain if some other DNS service is able to resolve it to an IP address.
 

saguaro

Member
Oct 22, 2020
18
1
> OK!
> i had forgotten that the Netgear 6100 WISP modem had its own firewall, so i added c2.selfcampaign.com to its BLOCKED domains list, and lo and behold, NO more entries from said tracking/malware site.
>
> Which undeniably discovers that the Ubiquiti EdgeRouter X (EdgeOSv2.0.9-hotfix.1) is having conversations unbeknownst to its users, for, some, reason,...
>
> No where in the user interface for the ERx is there any mention of this site, and the option for "sharing anonymized diagnostics" has always been unchecked.
> I will contact Ubiquiti and report back what their response is.

I'm coming to this a bit late, but feel compelled to provide you some context. I'm sorry but what you say about Ubiquiti above is FUD. If your ER-X is responsible, then your ER-X is almost certainly compromised. But far more likely is that with NextDNS you are now seeing for the first time how chatty things are on your network (devices, software you've installed, or even something that snuck in).

Consider:
- I am using an ER-L and ER-X on 2.0.9+hf1 and use NextDNS for both devices, and most of my network. I have no sign of selfcampaign.com in the dnsmasq logs on the ER-L, nor in NextDNS.
- If there were some nefarious code in the ER firmware as you suggest, it would likely be discovered. Ubiquiti gear is used by many people far more savvy than you or I. Pretty certain it would be discovered and reported. Ubiquiti is a reputable maker. Version 2.0.9+HF1 has been available for >45 days, so plenty of time...
- to wit: Ubiquiti communities are well aware of some telemetry in EdgeOS that goes to ui.com, even when the "Enable device analytics" is OFF. Ubiquiti has addressed this in their forums and users have posted methods to block this if this still makes you uncomfortable.
- selfcampaign.com is in fact a known tracking domain. It's referenced here and elsewhere. https://easylist.to/easylist/easyprivacy.txt
- Tracking is not necessarily nefarious, though it may well be undesirable. That's why you're using NextDNS after all, right?
- From the info above it seems to be a Deutsches/German company, so start looking at German-made devices or software on your LAN/computers.

If you examine the logs on your ER-X you may be able to determine what IP on your LAN is making the requests for the selfcampaign.com domain. SSH into your ER-X and do this (assuming you are running dnsmasq on your ER-X):
Code:
# this will show the names of all dnsmasq log files (current plus rotated); typically you'll have 5
ls -la /var/log/dnsmasq*
# this will display each line in the logfile where the domain name occurs.
grep "selfcampaign" /var/log/dnsmasq.log
# a result will look like this (shown here for "apple"):
grep "apple" /var/log/dnsmasq.log
Mar 21 12:55:18 dnsmasq[7517]: query[AAAA] daypass.api-glb-ash.smoot.apple.com from 192.168.0.31
# then you just need to track down the local IP (192.168.0.31 in this example)
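The grep above finds the lines; the next step both brookbphx (figure out which DNS client is asking) and saguaro (track down the local IP) describe is attributing the queries to a LAN client. The script below is an added example, not code from the thread, from Ubiquiti or from NextDNS. It parses dnsmasq `query[...] NAME from CLIENT` lines in the format shown in the post, keeps only names under a given zone (so `c2.selfcampaign.com` and `track.selfcampaign.com` count but `notselfcampaign.com` does not), and ranks the client IPs by how many such queries they made. The log lines embedded in it are constructed sample data, and the 192.168.1.x addresses are hypothetical; run it with `python3 dnsmasq_clients.py /var/log/dnsmasq*` on the router's own log files instead (rotated `.gz` files are handled).

```python
"""Attribute dnsmasq queries for a zone to the LAN clients that sent them.

Added example; assumes the dnsmasq log line format seen on EdgeOS, e.g.
  Mar 21 12:55:18 dnsmasq[7517]: query[AAAA] host.example.com from 192.168.0.31
"""
import gzip
import re
import sys
from collections import Counter, defaultdict

# Only 'query' lines carry the client address; 'reply', 'forwarded' and
# 'cached' lines do not, so they are deliberately ignored.
QUERY_RE = re.compile(
    r"^(?P<month>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"dnsmasq\[\d+\]: query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<client>\S+)$"
)

# Constructed sample log (not a real capture). Resolver 45.90.28.241 and the
# answer 136.243.12.39 are the values quoted in the thread.
SAMPLE_LOG = [
    "Mar 21 12:55:18 dnsmasq[7517]: query[AAAA] daypass.api-glb-ash.smoot.apple.com from 192.168.0.31",
    "Mar 21 12:55:18 dnsmasq[7517]: forwarded daypass.api-glb-ash.smoot.apple.com to 45.90.28.241",
    "Mar 21 12:55:19 dnsmasq[7517]: query[A] track.selfcampaign.com from 192.168.1.20",
    "Mar 21 12:55:19 dnsmasq[7517]: reply track.selfcampaign.com is 136.243.12.39",
    "Mar 21 12:55:21 dnsmasq[7517]: query[A] track.selfcampaign.com from 192.168.1.20",
    "Mar 21 12:56:02 dnsmasq[7517]: query[A] c2.selfcampaign.com from 192.168.1.1",
    "Mar 21 12:56:03 dnsmasq[7517]: query[A] notselfcampaign.com from 192.168.1.30",
    "Mar 21 12:56:04 dnsmasq[7517]: query[A] SelfCampaign.com. from 192.168.1.20",
]


def in_zone(name: str, zone: str) -> bool:
    """True if `name` is `zone` itself or any subdomain of it (case-insensitive,
    trailing dot tolerated). A plain substring test would wrongly match
    'notselfcampaign.com'; this label-boundary check does not."""
    name = name.lower().rstrip(".")
    zone = zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def clients_querying(lines, zone: str):
    """Return {client_ip: Counter({qname: count})} for queries under `zone`."""
    hits = defaultdict(Counter)
    for line in lines:
        m = QUERY_RE.match(line.strip())
        if not m:
            continue
        if in_zone(m["name"], zone):
            hits[m["client"]][m["name"].lower().rstrip(".")] += 1
    return hits


def rank_clients(hits):
    """[(client_ip, total_queries), ...] sorted busiest first, then by IP."""
    totals = [(ip, sum(c.values())) for ip, c in hits.items()]
    return sorted(totals, key=lambda t: (-t[1], t[0]))


def read_log(path: str):
    """Yield lines from a plain or gzip-rotated dnsmasq log file."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt", errors="replace") as fh:
        for line in fh:
            yield line


def main(argv):
    zone = "selfcampaign.com"
    if len(argv) > 1:
        lines = (ln for p in argv[1:] for ln in read_log(p))
    else:
        lines = SAMPLE_LOG  # no files given: demonstrate on the constructed sample
    hits = clients_querying(lines, zone)
    for ip, total in rank_clients(hits):
        names = ", ".join(f"{n} x{c}" for n, c in hits[ip].most_common())
        print(f"{ip:<16} {total:>4} queries  ({names})")


if __name__ == "__main__":
    main(sys.argv)
```

With the sample data the busiest client is 192.168.1.20 with three queries; a query that comes "from" the router's own LAN address (192.168.1.1 here) is the case where the router itself, rather than a client behind it, would be the originator, which is the distinction the thread was trying to settle.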