Internet Tracking Site Discovered(?) via NextDNS


Ceyarrecks
Active member
Sep 29, 2020
In ~2 days of monitored browsing/Internet usage solely on NextDNS, I find the site *.selfcampaign.com is shown to have 1,755 hits!!??!?

https://www.virustotal.com/gui/ip-address/136.243.12.39/relations

VirusTotal / Relations
==========================================
Date resolved / IP / Domain
2020-09-22 / 136.243.12.39 / track3.selfcampaign.com
2020-03-05 / 136.243.12.39 / www.selfc.io
2020-02-23 / 136.243.12.39 / 10.72.180.60lib.selfcampaign.com
2020-02-23 / 136.243.12.39 / 10.72.180.60delivery.selfcampaign.com
2019-12-12 / 136.243.12.39 / track.selfcampaign.com
2019-12-12 / 136.243.12.39 / selfcampaign.com
2019-11-05 / 136.243.12.39 / selfc.io
2019-10-26 / 136.243.12.39 / ml314.comtrack2.selfcampaign.com
2019-10-25 / 136.243.12.39 / settings-win.data.microsoft.comtrack.selfcampaign.com
2019-10-01 / 136.243.12.39 / 3.tlu.dl.delivery.mp.microsoft.comlib.selfcampaign.com

WHAT! is the issue with selfcampaign.com!?!?
and WHOM is it that makes use of this tracking domain? which site(s)?!?! {not been able to figure this part out yet}
the WHY is obvious based on the above displayed Relations.

Yet, for the same period of time, the highest accessed site, www.youtube.com, shows only 986 hits.
{in testing NextDNS as sole resolver, i have been playing a large number of youtube vids as well as accessing many other sites}

also of import, none of the chosen anti-tracking/malware DBs (MPVS, Disconnect^3, NextDNS) identify this site as adversarial!
I am not sure exactly what I see, but based on what foundation I have gleaned from the years of listening to Mr. Gibson's SecurityNow!, I suspect something is awry.

also also, I note that the web interface for NextDNS allows one to get a better understanding of sites accessed than the Pi-Hole interface does; I do not recall EVER seeing selfcampaign as a predominantly accessed site via Pi-Hole.

Thanks for any feedback, confirmation, additional insights, et al.
CAH
 
Non-authoritative answer:
Name: track3.selfcampaign.com
Address: 136.243.12.39

Non-authoritative answer:
Name: www.selfc.io
Address: 136.243.12.39

Domain static.39.12.243.136.clients.your-server.de
ISP Hetzner Online GmbH

Looks and acts like a malware server, serving no data when directly addressed.

These two at the end of your list (which I have broken into two parts):
settings-win.data.microsoft.com | track.selfcampaign.com
3.tlu.dl.delivery.mp.microsoft.com | lib.selfcampaign.com

Look like they're using some sort of vulnerability that causes their data to get appended to the end of a Microsoft URL of some sort.
 
I didn't read every line of the messages, but I did notice that it was registered via udag.net > united-domains.de with DNS servers ns.udag.de, ns.udag.org, and ns.udag.net, and that the following info is not obscured but seems to be relevant for both udag.* and united-domains:

Code:
Registrant Name: Kai Seefeldt
Registrant Organization: B2B Media Group EMEA GmbH
Registrant Street: Bahnhofstr 5
Registrant City: Simmelsdorf
Registrant State/Province:
Registrant Postal Code: 91245
Registrant Country: DE
Registrant Phone: +49.89189659421
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: billing@b2bmg.net
Registry Admin ID:
Admin Name: Kai Seefeldt
Admin Organization: B2B Media Group EMEA GmbH
Admin Street: Bahnhofstr 5
Admin City: Simmelsdorf
Admin State/Province:
Admin Postal Code: 91245
Admin Country: DE
Admin Phone: +49.89189659421

Above that in the routing table is hetzner.com (HETZNER ONLINE GMBH), for which all info is redacted ☹️
Above hetzner.com is core-backbone.com and then level3.net.
 
further research data:
assuring WaterFox (which I just implemented instead of FireFox for testing, which was also experiencing the same symptoms) does NOT load tabs until selected, and ONLY accessing the one tab for https://my.nextdns.io/######/analytics, I think I have discovered something of an unease about NextDNS.

no other Internet-aware program is currently running or able to access the network past the Firewall.

DNS Service has been disabled forever.
and
TCPIP/DNS is currently hard-coded to NextDNS' servers:
45.90.30.241
45.90.28.241
HOSTS file does have the following listings:
127.0.0.1 selfcampaign.com
127.0.0.1 c2.selfcampaign.com

which, if some program was running and using DNS to resolve selfcampaign, the HOSTS file would stop it cold, yet,...

it still seems SOMETHING is accessing this domain as indicated by the NextDNS interface.

(!)the thought just occurred while I re-read prior to posting,
that there are two devices after this PC and before NextDNS,
the EdgeRouter X, and the Netgear 6100 WISP modem.
I begin to wonder if either of these devices might be a part of this equation.
the ERx was recently updated for its firmware, the WISP modem, being discontinued, has not had any firmware change in years.

also, also, I am currently using NextDNS under its "Free(300,000req/mo)" account.

{DNS Benchmark shows NextDNS with horrible times, and .28 as being down atm}
(I am not so much concerned with times as security, as NextDNS does promote protection against ...CNAME Spoofing (or whatever it is called that was recently discussed in SecNOW!))

Having another that could provide feedback, verify and/or lend insight into these results would be useful.
 
OK!
I had forgotten that the Netgear 6100 WISP modem had its own firewall, so I added c2.selfcampaign.com to its BLOCKED domains list, and lo and behold, NO more entries from said tracking/malware site.

Which undeniably discovers that the Ubiquiti EdgeRouter X (EdgeOSv2.0.9-hotfix.1) is having conversations unbeknownst to its users, for, some, reason,...

Nowhere in the user interface for the ERx is there any mention of this site, and the option for "sharing anonymized diagnostics" has always been unchecked.
I will contact Ubiquiti and report back what their response is.
 
Do you have other devices on your network? Something on your phone, for example, might be calling that domain.

I signed up for NextDNS because Cloudflare tends to drop queries a lot here for some reason (I assume whatever blocked me from using it when they first started, the whole random equipment using the 1.0.0.0/8 subnet for something, was never fully fixed) and the default block list they use I noticed my Roku is doing some logging even though 99% of the time it's in screen saver mode.

I might sign up for the paid service (I used like 9% of the free service on the first day!)
 
HERE! is the reason why I am more than likely going to stay solely with NextDNS:
Disguised Third-party Tracker.jpg


Their (re-settable & downloadable) log page details everything that goes on with the IP-specific connection, and splays it out for evaluation;
and as noted previously, is their stated protection against those whom GO. OUT. OF. THEIR. WAY. TO. DECEIVE!

Also, as previously stated, there are THREE, and only three (3) devices in question: a PC, a Router, & a Modem.
(I currently run a very simple network, nothing extraneous or superfluous is connected to the Internet)
To date, the aforementioned URL has NOT been accessed since blocking it at the WISP Modem, which effectively isolates and identifies the EdgeRouter X as the offending device. {am still waiting on reply from Ubiquiti}

After the 30th day of testing, I expect I will sign up for the Paid version, if only just to ENCOURAGE & SUPPORT this altruistic DNS provider!
 
more displays of NextDNS, their resolved regional map:
(more full color shows greater intensity of connections, can even determine countries)
NextDNS map.jpg
 
well now.
and if I may state, this is the (purposefully?) frustrating part:
NextDNS Blocked Domains.jpg

where I just verified that the WISP modem does, indeed, still have said offending domain listed in its "firewall/domain block" section.
now all of a sudden, the tracking/malware site is shown as being blocked again.
which suggests either the offending device is now to be understood as the WISP modem, or the modem is not functioning properly in terms of its ability to block domains.
I do not have the expertise nor equipment to find this subtle detail, would not even know where to start to determine the source of the actual fault.
So for any who understand this situation better than I do, any input or suggestions as to how to determine this further would be appreciated.



Anyway, I suggest "purposefully" as so many go out of their way to over-complicate/obfuscate/ambiguate with the purpose of hiding their malice and agenda with the hopes others that would choose to hold them accountable, would become frustrated and exhausted, thus giving up,... allowing the hateful free reign.
 
Not sure about how much of the following relates to your current setup, but consider:
  • Each of your four items (Browser, PC, Router, Modem) might be trying to use different DNS services.
  • Any of these items that are NOT pointing their DNS resolution at NextDNS are likely not contributing to the report you get from NextDNS. So if your browser is the only item you have pointing at NextDNS, you can be confident that everything you see blocked is coming from that browser. You might be able to figure out which item is sending those queries by using the NextDNS servers on only one item at a time to figure out which DNS client is requesting the selfcampaign.com address resolution.
  • If you have *.selfcampaign.com as localhost in your PC's hosts files, that will only protect your PC from queries that are using the PC's built-in DNS resolution service. The 'hosts' file is simply part of the PC's host name resolution. If your browser is programmed to use NextDNS, that will bypass whatever you have for DNS resolution on the PC, including the hosts file.
  • Another debug option to consider is to use Wireshark to capture which item is sending traffic to selfcampaign, although that could be a little more difficult between your router and modem
  • You mention blocking the selfcampaign sites on your modem with a firewall. Firewalls can block in a variety of ways. It wasn't clear from your post how your WISP modem implements its "Firewall/Domain Block" feature. Most firewalls in routers/modems that I've seen block by IP address. Router/modem firewalls may also block by domain name by looking up the IP address for the supplied domain name from their configured DNS service (your ISP by default), and then blocking that IP address. But that's a sticky wicket, because domain name mapping to IP addresses can often change due to load balancing, etc. And because the modem is perhaps using the ISP's DNS service while your browser is using NextDNS, there's a good chance they are resolving DIFFERENT IP addresses for the selfcampaign servers (assuming there is more than one). So your modem/router might resolve it as address 'A', and then block address 'A', but your browser, using a different DNS service, might resolve it as address 'B', which is not blocked by the modem/router. Often, modems/routers are set up to act as DNS servers, offering DNS services to your home devices (if the home devices are configured to use them). These modems/routers will often offer DNS filtering (conceptually, a 'kind' of firewall), such that they will block certain DNS queries (much like NextDNS or a hosts file does) by domain name for devices on your LAN that are configured to use their DNS services. But if the name is resolved by another DNS resolver, they will not be able to block the DNS lookup, and additionally, they will NOT block traffic to that domain if some other DNS service is able to resolve it to an IP address.
 
OK!
I had forgotten that the Netgear 6100 WISP modem had its own firewall, so I added c2.selfcampaign.com to its BLOCKED domains list, and lo and behold, NO more entries from said tracking/malware site.

Which undeniably discovers that the Ubiquiti EdgeRouter X (EdgeOSv2.0.9-hotfix.1) is having conversations unbeknownst to its users, for, some, reason,...

Nowhere in the user interface for the ERx is there any mention of this site, and the option for "sharing anonymized diagnostics" has always been unchecked.
I will contact Ubiquiti and report back what their response is.
I'm coming to this a bit late, but feel compelled to provide you some context. I'm sorry but what you say about Ubiquiti above is FUD. If your ER-X is responsible, then your ER-X is almost certainly compromised. But far more likely is that with NextDNS you are now seeing for the first time how chatty things are on your network (devices, software you've installed, or even something that snuck in).

Consider:
- I am using an ER-L and ER-X on 2.0.9+hf1 and use NextDNS for both devices, and most of my network. I have no sign of selfcampaign.com in the dnsmasq logs on the ER-L, nor in NextDNS.
- If there were some nefarious code in the ER firmware as you suggest, it would likely be discovered. Ubiquiti gear is used by many people far more savvy than you or I. Pretty certain it would be discovered and reported. Ubiquiti is a reputable maker. Version 2.0.9+HF1 has been available for >45 days, so plenty of time...
- to wit: Ubiquiti communities are well aware of some telemetry in EdgeOS that goes to ui.com, even when the "Enable device analytics" is OFF. Ubiquiti has addressed this in their forums and users have posted methods to block this if this still makes you uncomfortable.
- selfcampaign.com is in fact a known tracking domain. It's referenced here and elsewhere. https://easylist.to/easylist/easyprivacy.txt
- Tracking is not necessarily nefarious, though it may well be undesirable. That's why you're using NextDNS after all, right?
- From the info above it seems to be a Deutsches/German company, so start looking at German-made devices or software on your LAN/computers.

If you examine the logs on your ER-X you may be able to determine what IP on your LAN is making the requests for the selfcampaign.com domain. ssh into your ER-X and do this (assuming you are running dnsmasq on your ER-X):
Code:
# this will show the names of all dnsmasq log files; typically you'll have 5
ls -la /var/log/dnsmasq*
# this will display each line in the logfile where the domain name occurs.
grep "selfcampaign" /var/log/dnsmasq.log
# a result will look like this (shown here with a different domain):
grep "apple" /var/log/dnsmasq.log
Mar 21 12:55:18 dnsmasq[7517]: query[AAAA] daypass.api-glb-ash.smoot.apple.com from 192.168.0.31
# then you just need to track down the local IP (the address after "from")
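As an added example (not part of the post above, and not EdgeOS or dnsmasq code), the "track down the local IP" step done offline: a small Python script that parses dnsmasq query lines in the format the post shows and counts which LAN client asked for names under a given domain, so the answer is a per-client tally rather than a raw grep. The log lines are constructed for this example (only the apple.com line is the post's own); the script name dnsmasq_who.py and the 192.168.0.x clients are assumptions.

```python
import gzip
import re
import sys
from collections import Counter

# Constructed sample log in dnsmasq's query-log format. Only the first line is
# the post's own example; the rest are made up here to exercise the parser.
SAMPLE_LOG = """\
Mar 21 12:55:18 dnsmasq[7517]: query[AAAA] daypass.api-glb-ash.smoot.apple.com from 192.168.0.31
Mar 21 12:55:18 dnsmasq[7517]: forwarded daypass.api-glb-ash.smoot.apple.com to 45.90.28.241
Mar 21 12:55:19 dnsmasq[7517]: query[A] c2.selfcampaign.com from 192.168.0.42
Mar 21 12:55:19 dnsmasq[7517]: config c2.selfcampaign.com is 127.0.0.1
Mar 21 12:55:20 dnsmasq[7517]: query[A] track3.selfcampaign.com from 192.168.0.42
Mar 21 12:55:21 dnsmasq[7517]: query[A] www.youtube.com from 192.168.0.31
Mar 21 12:55:22 dnsmasq[7517]: query[AAAA] lib.selfcampaign.com from 192.168.0.17
Mar 21 12:55:23 dnsmasq[7517]: query[A] notselfcampaign.com from 192.168.0.99
"""

# One dnsmasq "query[...]" line: syslog timestamp, process, query type, name, client.
QUERY_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) dnsmasq\[\d+\]: "
    r"query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<client>\S+)$"
)


def parse_queries(text):
    """Yield (timestamp, qtype, name, client) for each query line; other
    dnsmasq lines (forwarded, cached, config, reply) are ignored."""
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if m:
            yield (m.group("ts"), m.group("qtype"),
                   m.group("name").lower().rstrip("."), m.group("client"))


def in_domain(name, domain):
    """True if name equals domain or is a subdomain of it, so a plain
    substring hit such as notselfcampaign.com is not counted."""
    return name == domain or name.endswith("." + domain)


def clients_for_domain(text, domain):
    """Count queries per LAN client for names under `domain`."""
    domain = domain.lower().strip(".")
    counts = Counter()
    for _, _, name, client in parse_queries(text):
        if in_domain(name, domain):
            counts[client] += 1
    return counts


def names_for_domain(text, domain):
    """The distinct hostnames under `domain` that were looked up."""
    domain = domain.lower().strip(".")
    return sorted({name for _, _, name, _ in parse_queries(text)
                   if in_domain(name, domain)})


def read_logs(paths):
    """Concatenate plain and gzip-rotated log files (dnsmasq.log, dnsmasq.log.1.gz, ...)."""
    chunks = []
    for path in paths:
        opener = gzip.open if path.endswith(".gz") else open
        with opener(path, "rt", errors="replace") as f:
            chunks.append(f.read())
    return "".join(chunks)


if __name__ == "__main__":
    # On the router (assumed file name): python3 dnsmasq_who.py selfcampaign.com /var/log/dnsmasq*
    # With no file arguments the constructed sample above is used instead.
    domain = sys.argv[1] if len(sys.argv) > 1 else "selfcampaign.com"
    text = read_logs(sys.argv[2:]) if len(sys.argv) > 2 else SAMPLE_LOG
    for client, n in clients_for_domain(text, domain).most_common():
        print(f"{client:<16} {n} queries")
    print("names seen:", ", ".join(names_for_domain(text, domain)))
```

Two details matter for this kind of triage: the match is on the domain suffix rather than a substring, and rotated logs are read too, since the client that produced the 1,755 hits may only appear in an older file. Run this against every dnsmasq log and the "from" address with the highest count is the device to look at next; a client that never appears at all is the hint that it bypasses the router's dnsmasq (for example by talking to NextDNS directly), which is the case the earlier bullet list describes.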