IoT vs Google DNS

I’ve had a bit of a runaround with a company that makes very good wireless products but with one major flaw: they embed Google DNS into their products… Here’s the problem. On the network where I am running this wireless gear, external DNS is blocked, and this wireless product happens to be “cloud controlled”… What does this mean? It doesn’t even connect (ugh), and the worst thing is there is no way to reprogram it with its current firmware to make it work.

Here’s the email chain – the rep doesn’t even know what I am talking about. It all started off with me using the “contact us” form on their website, explaining the fact that the product works if I allow Google DNS but doesn’t if external DNS is blocked. I’ve stripped any personally identifiable information since my beef isn’t really with the rep, who was trying to help me sort this issue, but rather with the company (who, to name and shame, is Xclaim):

Hi Micheal,

Thanks for contacting Xclaim Technical support.

Can you please let me know the AP LED status?

Please check the following steps and let us know

1. Please try to change the ethernet cables and check if it helps.

2. Does the AP receive the IP address from the DHCP server?

3. Check if the AP is in latest firmware version (2.2.0.0.36). If not, please reboot the AP twice with a gap of 10 minutes between each reboot.

4. If you have a firewall in your network, please allow SSL(TCP 443) , ICMP and NTP (UDP 123) traffic to passthrough. These 3 ports need to be opened to ensure that the AP communicates with CloudManager and vice-versa.

Regards,
Service

So, at first this is fine – the rep is covering their bases.

Hi there,

The AP is sitting on a flashing red light at the moment.

1. Please try to change the ethernet cables and check if it helps.
Done that – the AP does broadcast a network no problems and is connected to the router at Gigabit Full Duplex.

2. Does the AP receive the IP address from the DHCP server?
Yes – have checked in the router’s DHCP table for this. SSH is open as well however don’t know the user/pass for it.

3. Check if the AP is in latest firmware version (2.2.0.0.36). If not, please reboot the AP twice with a gap of 10 minutes between each reboot.
It is running the latest firmware.

4. If you have a firewall in your network, please allow SSL(TCP 443) , ICMP and NTP (UDP 123) traffic to passthrough. These 3 ports need to be opened to ensure that the AP communicates with CloudManager and vice-versa.
No outbound firewall – only blocking alternative DNS servers but there is a DNS server on the network that is set by DHCP.

If I enable Google DNS (8.8.8.8, 8.8.4.4) the AP connects fine however can’t do this due to Android / Chromecast defaulting to this (and I don’t want them to). I just really need to ensure the AP is getting the right DNS server or have the ability to set it.

Cheers,
Michael

Hi Micheal,

We have observed that sometimes when either some ports/traffic is blocked by certain ISPs , or when their DNS doesn’t resolve some of the cloudmanager URLs.
Can you please check if the “xcloud-ops.net” URL is resolved by your DNS?
We have also noticed this issue when the network latency is high.

Regards,
Support

Right – I did specifically state that “if I enable Google DNS through the firewall it works” a couple of times now. Guess the rep doesn’t know. Worse here is he provided me with an invalid URL to test – I had to run a packet capture to 1) confirm my theory that the AP is trying to reach out to Google DNS and 2) get what it was actually looking up. It wasn’t until later I noticed this however.

Hi there.

Our ISP has no outbound port blocking.

As stated the xclaim access point connects if I allow Google DNS, it doesn’t work if I block Google DNS (which is normally blocked on the network anyway). That domain is not resolvable by anything:

[email protected]:~$ dig @8.8.8.8 xcloud-ops.net

; <<>> DiG 9.10.3-P4-Ubuntu <<>> a @8.8.8.8 xcloud-ops.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21977
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;xcloud-ops.net. IN A

;; AUTHORITY SECTION:
xcloud-ops.net. 899 IN SOA ns-1423.awsdns-49.org. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400

;; Query time: 194 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Aug 18 19:19:26 NZST 2017
;; MSG SIZE rcvd: 128

Cheers,
Michael

Hi Micheal,

Please check with your ISP for the DNS resolution.
Somehow the ISP’s DNS server couldn’t resolve some of the Cloudmanager URLs.
Also, please open the following ports on both ways in your firewall.
SSL(TCP 443) , ICMP and NTP (UDP 123)

Regards,
Support

As stated nothing to do with my ISP. I’ve already confirmed that the Xclaim AP has Google DNS hard coded.

I’ve tested this from multiple locations on multiple providers all with the same issue…

Cheers,
Michael.

Also I guess you’re meaning “api.xcloud-ops.net”? There are no DNS records under xcloud-ops.net.

[email protected]:~ $ dig api.xcloud-ops.net

; <<>> DiG 9.9.5-9+deb8u13-Raspbian <<>> api.xcloud-ops.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29866
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;api.xcloud-ops.net. IN A

;; ANSWER SECTION:
api.xcloud-ops.net. 588 IN CNAME xcloud-capi-jgjn9g08.us-west-2.elasticbeanstalk.com.
xcloud-capi-jgjn9g08.us-west-2.elasticbeanstalk.com. 48 IN A 52.35.156.110
xcloud-capi-jgjn9g08.us-west-2.elasticbeanstalk.com. 48 IN A 54.69.27.108
xcloud-capi-jgjn9g08.us-west-2.elasticbeanstalk.com. 48 IN A 50.112.65.90

;; Query time: 3 msec
;; SERVER: 192.168.2.1#53(192.168.2.1)
;; WHEN: Tue Aug 22 23:46:12 NZST 2017
;; MSG SIZE rcvd: 149

The issue here is the xclaim AP refuses to work if Google DNS is blocked on the network. We have to have other DNS servers restricted on this network. Doing a query to Google DNS on this network will result in this:

[email protected]:~ $ dig @8.8.8.8 api.xcloud-ops.net

; <<>> DiG 9.9.5-9+deb8u13-Raspbian <<>> @8.8.8.8 api.xcloud-ops.net
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

Note, the local DNS server sitting at 192.168.2.1 can successfully resolve api.xcloud-ops.net. Furthermore there is no outbound port blocking either locally or by the ISP on this network. If you’re unable to help here please escalate the ticket to somebody who can. The AP works as long as Google DNS is allowed through the network as per my first email.

Cheers,
Michael

After this Xclaim Support did a remote session to try and diagnose the issue and found the AP itself was using the router’s DNS servers but the scripts were hard-coded to use Google DNS. They say they have never had that before (I call BS) and also say it’ll be rectified in a future firmware version. I guess I’ll just replace this AP…

Protip to device manufacturers – stop using “insert internet based public DNS service” and listen to the network’s DHCP server – I don’t even know why you’d do this but the DHCP server normally knows what it is talking about.
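
The packet-capture check described above can be automated. The following is an added example, not part of the original post: it scans `tcpdump -n port 53` text output for clients sending DNS queries to anything other than the DHCP-assigned resolver. The capture lines and the client addresses (192.168.2.20, 192.168.2.57) are constructed for illustration; only 192.168.2.1, the Google DNS addresses and api.xcloud-ops.net come from the post.

```python
import re
from collections import defaultdict

# Resolver handed out by DHCP on the network in the post.
ALLOWED_RESOLVERS = {"192.168.2.1"}

# Constructed sample in `tcpdump -n port 53` text format. The client
# addresses (.20 laptop, .57 AP) are made up for this example.
SAMPLE_CAPTURE = """\
19:19:26.101 IP 192.168.2.20.51514 > 192.168.2.1.53: 4410+ A? example.org. (29)
19:19:26.104 IP 192.168.2.1.53 > 192.168.2.20.51514: 4410 1/0/0 A 93.184.216.34 (45)
19:19:27.310 IP 192.168.2.57.40112 > 8.8.8.8.53: 21977+ A? api.xcloud-ops.net. (36)
19:19:32.315 IP 192.168.2.57.40112 > 8.8.4.4.53: 21977+ A? api.xcloud-ops.net. (36)
19:19:37.900 IP 192.168.2.57.38001 > 192.168.2.1.53: 602+ [1au] A? pool.ntp.org. (41)
"""

# Matches outbound queries only: destination port 53, then "<id>+ <TYPE>? <name>."
QUERY_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.53: "
    r"\d+[+%]* (?:\[[^\]]*\] )?"
    r"(?P<qtype>[A-Z0-9]+)\? (?P<name>\S+?)\.? \("
)


def find_resolver_bypass(capture_text, allowed=ALLOWED_RESOLVERS):
    """Return {client: {resolver: [names]}} for queries that skip DHCP DNS."""
    hits = defaultdict(lambda: defaultdict(set))
    for line in capture_text.splitlines():
        m = QUERY_RE.search(line)
        if m and m["dst"] not in allowed:
            hits[m["src"]][m["dst"]].add(m["name"])
    return {c: {r: sorted(n) for r, n in rs.items()} for c, rs in hits.items()}


if __name__ == "__main__":
    for client, resolvers in find_resolver_bypass(SAMPLE_CAPTURE).items():
        for resolver, names in resolvers.items():
            print(f"{client} -> {resolver}: {', '.join(names)}")
```

A device that shows up here while also holding a DHCP lease is ignoring the resolver it was given, which is the behaviour the capture confirmed for the AP.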
