Internet Tracking Site Discovered(?) via NextDNS




Active member
Sep 29, 2020
in ~2days of monitored browsing/Internet usage on solely NextDNS, I find the site * is shown to have 1,755 hits!!??!?

VirusTotal / Relations
Date resolved / IP / Domain
2020-09-22 / /
2020-03-05 / /
2020-02-23 / /
2020-02-23 / /
2019-12-12 / /
2019-12-12 / /
2019-11-05 / /
2019-10-26 / /
2019-10-25 / /
2019-10-01 / /

WHAT! is the issue with!?!?
and WHOM is it that makes use of this tracking domain? which site(s)?!?! {not been able to figure this part out yet}
the WHY is obvious based on the above displayed Relations.

Yet, for the same period of time, the highest accessed site,, shows only 986 hits.
{in testing NextDNS as sole resolver, i have been playing a large number of youtube vids as well as accessing many other sites}

also of import, none of the chosen anti-tracking/malware DB(MPVS, Disconnect^3, NextDNS) identify this site as adversarial!
I am not sure exactly what I see, but based on what foundation I have gleaned from the years of listening to Mr. Gibson's SecurityNow!, I suspect something is awry.

also also, I note that the web interface for NextDNS allows one to get better understandings of sites accessed than the Pi-Hole interface does; As I do not recall EVER seeing selfcampaign as a predominantly accessed site via Pi-Hole.

Thanks for any feedback, confirmation, additional insights, et al.


Well-known member
Sep 16, 2020
Ontario, Canada
Non-authoritative answer:

Non-authoritative answer:
Name: www.

ISP Hetzner Online GmbH

Looks and acts like a malware server, serving no data when directly addressed.

These two at the end of your list (which I have broken into two parts): | |

Look like they're using some sort of vulnerability that causes their data to get appended to the end of a Microsoft URL of some sort.


Well-known member
Sep 30, 2020
I didn't read every line of the messages, but I did notice that it was registered via > with DNS servers,, and, and that the following info is not obscured but seems to be relevant for both udag.* and united-domains

Registrant Name: Kai Seefeldt
Registrant Organization: B2B Media Group EMEA GmbH
Registrant Street: Bahnhofstr 5
Registrant City: Simmelsdorf
Registrant State/Province:
Registrant Postal Code: 91245
Registrant Country: DE
Registrant Phone: +49.89189659421
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email:
Registry Admin ID:
Admin Name: Kai Seefeldt
Admin Organization: B2B Media Group EMEA GmbH
Admin Street: Bahnhofstr 5
Admin City: Simmelsdorf
Admin State/Province:
Admin Postal Code: 91245
Admin Country: DE
Admin Phone: +49.89189659421

Above that in the routing table is (HETZNER ONLINE GMBH), for which all info is redacted ☹️
Above is and then


Active member
Sep 29, 2020
further research data:
assuring WaterFox (which I just implemented instead of FireFox for testing, which was also experiencing the same symptoms) does NOT load tabs until selected, and ONLY accessing the one tab for and I think I have discovered something of an unease about NextDNS.

no other Internet-aware program is currently running or able to access the network past the Firewall.

DNS Service has been disabled forever.
TCPIP/DNS is currently hard-coded to NextDNS' servers:
HOSTS file does have the following listings:

which, if some program was running and using DNS to resolve selfcampaign, the HOSTS file would stop it cold, yet,...

it still seems SOMETHING is accessing this domain as indicated by the NextDNS interface.

(!)the thought just occurred while I re-read prior to posting,
that there are two devices after this PC and before NextDNS,
the EdgeRouter X, and the Netgear 6100 WISP modem.
I begin to wonder if either of these devices might be a part of this equation.
the ERx was recently updated for its firmware, the WISP modem, being discontinued, has not had any firmware change in years.

also, also, I am currently using NextDNS under its "Free(300,000req/mo)" account.

{DNS Benchmark shows NextDNS with horrible times, and .28 as being down atm}
(I am not so much concerned with times as security, as NextDNS does promote protection against ...CNAME Spoofing (or whatever it is called that was recently discussed in SecNOW!))

Having another that could provide feedback, verify and/or lend insight into these results would be useful.


Active member
Sep 29, 2020
i had forgotten that the Netgear 6100 WISP modem had its own firewall, so i added to its BLOCKED domains list, and lo and behold, NO more entries from said tracking/malware site.

Which undeniably discovers that the Ubiquiti EdgeRouter X (EdgeOSv2.0.9-hotfix.1) is having conversations unbeknownst to its users, for, some, reason,...

Nowhere in the user interface for the ERx is there any mention of this site, and the option for "sharing anonymized diagnostics" has always been unchecked.
I will contact Ubiquiti and report back what their response is.


I like red!
Sep 26, 2020
Do you have other devices on your network? Something on your phone, for example, might be calling that domain.

I signed up for NextDNS because Cloudflare tends to drop queries a lot here for some reason (I assume whatever blocked me from using it when they first started, the whole random equipment using the subnet for something, was never fully fixed) and the default block list they use I noticed my Roku is doing some logging even though 99% of the time it's in screen saver mode.

I might sign up for the paid service (I used like 9% of the free service on the first day!)


Active member
Sep 29, 2020
HERE! is the reason why I am more than likely going to stay solely with NextDNS:
Disguised Third-party Tracker.jpg

Their (re-settable & downloadable) log page details everything that goes on with the IP-specific connection, and splays it out for evaluation;
and as noted previously, is their stated protection against those whom GO. OUT. OF. THEIR. WAY. TO. DECEIVE!

Also, as previously stated, there are THREE , and only three(3) devices in question: a PC, a Router, & a Modem.
(I currently run a very simple network, nothing extraneous or superfluous is connected to the Internet)
To date, the aforementioned URL has NOT been accessed since blocking it at the WISP Modem, which effectively isolates and identifies the EdgeRouter X as the offending device. {am still waiting on reply from Ubiquiti}

After the 30th day of testing, I expect I will sign up for the Paid version, if only just to ENCOURAGE & SUPPORT this altruistic DNS provider!


Active member
Sep 29, 2020
more displays of NextDNS, their resolved regional map:
(more full color shows greater intensity of connections, can even determine countries)
NextDNS map.jpg


Active member
Sep 29, 2020
well now.
and if I may state, this is the (purposefully?) frustrating part:
NextDNS Blocked Domains.jpg

where I just verified that the WISP modem does, indeed, still have said offending domain listed in its "firewall/domain block" section.
now all of a sudden, the tracking/malware site is shown as being blocked again.
which suggests either the offending device is now to be understood as the WISP modem, or the modem is not functioning properly in terms of its ability to block domains.
I do not have the expertise nor equipment to find this subtle detail, would not even know where to start to determine the source of the actual fault.
So any whom understand better this situation than I, any input or suggestions as to how further to determine would be appreciated.

Anyway, I suggest "purposefully" as so many go out of their way to over-complicate/obfuscate/ambiguate with the purpose of hiding their malice and agenda with the hopes others that would choose to hold them accountable, would become frustrated and exhausted, thus giving up,... allowing the hateful free reign.


New member
Mar 13, 2021
Not sure about how much of the following relates to your current setup, but consider:
  • Each of your four items (Browser, PC, Router, Modem) might be trying to use different DNS services.
  • Any of these items that are NOT pointing their DNS resolution at NextDNS are likely not contributing to the report you get from NextDNS. So if your browser is the only item you have pointing at NextDNS, you can be confident that everything you see blocked is coming from that browser. You might be able to figure out which item is sending those queries by using the NextDNS servers on only one item at a time to figure out which DNS client is requesting the address resolution.
  • If you have * as localhost in your PC's hosts files, that will only protect your PC from queries that are using the PC's built-in DNS resolution service. The 'hosts' file is simply part of the PC's host name resolution. If your browser is programmed to use NextDNS, that will bypass whatever you have for DNS resolution on the PC, including the hosts file.
  • Another debug option to consider is to use Wireshark to capture which item is sending traffic to selfcampaign, although that could be a little more difficult between your router and modem
  • You mention blocking the selfcampaign sites on your modem with a firewall. Firewalls can block in a variety of ways. It wasn't clear from your post how your Wisp modem implements its "Firewall/Domain Block" feature. Most firewalls in routers/modems that I've seen block by IP address. Router/modem firewalls may also block by domain name by looking up the IP address from the supplied domain name from their configured DNS service (your ISP by default), and then blocking that IP address. But that's a sticky wicket, because domain name mapping to IP addresses can often change due to load balancing, etc. And because of the fact that perhaps the modem is using the ISP's DNS service and your browser is using NextDNS, there's a good chance they are resolving DIFFERENT IP addresses for the selfcampaign servers (assuming there are more than 1). So your modem/router might resolve it as Address 'A', and then block address 'A', but your browser, using a different DNS service, might resolve it as address 'B', which is not blocked by the modem/router. Often, modems/routers are set up to act as DNS servers, offering DNS services to your home devices (if the home devices are configured to use them). These modems/routers will often offer DNS filtering (conceptually, a 'kind' of firewall), such that they will block certain DNS queries (much like NextDNS or a hosts file does) by domain name to devices on your LAN that are configured to use their DNS services. But if the name is resolved by another DNS resolver, they will not be able to block the DNS lookup, and additionally, they will NOT block traffic to that domain if some other DNS service is able to resolve it to an IP address.


Oct 22, 2020
i had forgotten that the Netgear 6100 WISP modem had its own firewall, so i added to its BLOCKED domains list, and lo and behold, NO more entries from said tracking/malware site.

Which undeniably discovers that the Ubiquiti EdgeRouter X (EdgeOSv2.0.9-hotfix.1) is having conversations unbeknownst to its users, for, some, reason,...

Nowhere in the user interface for the ERx is there any mention of this site, and the option for "sharing anonymized diagnostics" has always been unchecked.
I will contact Ubiquiti and report back what their response is.

I'm coming to this a bit late, but feel compelled to provide you some context. I'm sorry but what you say about Ubiquiti above is FUD. If your ER-X is responsible, then your ER-X is almost certainly compromised. But far more likely is that with NextDNS you are now seeing for the first time how chatty things are on your network (devices, software you've installed, or even something that snuck in).

- I am using an ER-L and ER-X on 2.0.9+hf1 and use NextDNS for both devices, and most of my network. I have no sign of in the dnsmasq logs on the ER-L, nor in NextDNS.
- If there were some nefarious code in the ER firmware as you suggest, it would likely be discovered. Ubiquiti gear is used by many people far more savvy than you or I. Pretty certain it would be discovered and reported. Ubiquiti is a reputable maker. Version 2.0.9+HF1 has been available for >45 days, so plenty of time...
- to wit: Ubiquiti communities are well aware of some telemetry in EdgeOS that goes to, even when the "Enable device analytics" is OFF. Ubiquiti has addressed this in their forums and users have posted methods to block this if this still makes you uncomfortable.
- is in fact a known tracking domain. It's referenced here and elsewhere.
- Tracking is not necessarily nefarious, though it may well be undesirable. That's why you're using NextDNS after all, right?
- From the info above it seems to be a Deutsches/German company, so start looking at German-made devices or software on your LAN/computers.

If you examine the logs on your ER-X you may be able to determine what IP on your LAN is making the requests for domain. ssh into your ER-X and do this (assuming you are running dnsmasq on your ER-X):
# this will show the names of all dnsmasq log files; typically you'll have 5
ls -la /var/log/dnsmasq* 
# this will display each line in the logfile where the domain name occurs.
cat /var/log/dnsmasq.log | grep "selfcampaign" 
# a result will look like this:
cat /var/log/dnsmasq.log | grep "apple" 
Mar 21 12:55:18 dnsmasq[7517]: query[AAAA] from
# then you just need to track down the local IP
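
Added example, not part of the posts above: a small shell helper that turns the dnsmasq grep into a per-client tally, which answers the "which item is sending those queries" question raised earlier in the thread. It assumes dnsmasq query logging in the usual `query[TYPE] NAME from CLIENT_IP` form; the function names, the domain `tracker.example.test` and all addresses in the sample log are constructed placeholders.

```sh
#!/bin/sh
# Added example: tally which LAN clients asked dnsmasq for a domain.
# Assumed log line layout (dnsmasq with query logging enabled):
#   Mon DD HH:MM:SS dnsmasq[PID]: query[TYPE] NAME from CLIENT_IP

# clients_for_domain DOMAIN [FILE...]
# Prints "COUNT CLIENT_IP" per client, busiest first. Matches DOMAIN and
# any subdomain, case-insensitively, but not look-alikes that merely end
# in the same characters (e.g. "nottracker.example.test").
clients_for_domain() {
    domain=$1; shift
    awk -v dom="$domain" '
        BEGIN { dom = tolower(dom); sub(/\.$/, "", dom) }
        # Only "query[...]" lines name the client; "forwarded"/"reply" do not.
        $5 ~ /^query\[/ && $7 == "from" {
            name = tolower($6); sub(/\.$/, "", name)
            n = length(name); d = length(dom)
            if (name == dom || (n > d && substr(name, n - d) == ("." dom)))
                hits[$8]++
        }
        END { for (ip in hits) print hits[ip], ip }
    ' "$@" | sort -k1,1nr -k2,2
}

# Constructed sample log (placeholder domain, RFC 1918 / documentation IPs).
sample_log() {
    cat <<'EOF'
Mar 21 12:55:18 dnsmasq[7517]: query[A] www.tracker.example.test from 192.168.1.20
Mar 21 12:55:18 dnsmasq[7517]: forwarded www.tracker.example.test to 203.0.113.53
Mar 21 12:55:18 dnsmasq[7517]: reply www.tracker.example.test is 198.51.100.7
Mar 21 12:55:19 dnsmasq[7517]: query[AAAA] WWW.Tracker.Example.Test from 192.168.1.20
Mar 21 12:56:02 dnsmasq[7517]: query[A] tracker.example.test from 192.168.1.1
Mar 21 12:56:40 dnsmasq[7517]: query[A] nottracker.example.test from 192.168.1.35
Mar  2 08:00:01 dnsmasq[7517]: query[A] cdn.tracker.example.test from 192.168.1.20
EOF
}

# Stand-alone demo on the constructed log; on a router, pass the real
# files instead, e.g.: clients_for_domain selfcampaign /var/log/dnsmasq.log*
sample_log | clients_for_domain tracker.example.test
```

A client address of 127.0.0.1 in the output would mean the query came from a process on the router itself rather than from a LAN device, provided the router's own resolver is pointed at its local dnsmasq.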